jim

Reputation: 1

I cannot log in an AD user when the Mac is not on the corporate network

I updated the company Mac to the new OS, Big Sur. It was doing fine before the login, but once the update was done, the AD user is not able to log in when it is not connected to the corporate network or if it is on an outside network. It just keeps on asking to reset the password. But if it is connected to the corporate network, it works fine. I already checked the settings; everything is checked, like creating a mobile login and all that stuff.

Upvotes: 0

Views: 4162

Answers (3)

Afif Rais

Reputation: 1

Scenario: Users trying to log in to a Mac computer using their Active Directory (AD) credentials with intermittent success.

Environment: Organization with 3 replicating Active Directory servers including one Azure AD.

Temporary solution: unjoin the computer from AD and rejoin it again.

Possible solution:

  1. In Directory Utility, tick "Prefer this domain" and enter the name of the AD server closest to you (on site).
  2. Optional: tick "Create mobile account at login" and untick "Require confirmation".
  3. Add the closest AD server's IP address to the hosts file (it's in /private/etc/hosts).

Steps 1 & 2 can be mass-deployed using a profile created using Profile Creator.

Upvotes: 0
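A check for the three settings in this answer, as an added example that is not part of the original post: it parses `dsconfigad -show` output and the hosts file and reports which recommendations are missing. The sample files are constructed, and the domain controller name and address (DC_HOST, DC_IP) are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three settings recommended above by
# parsing `dsconfigad -show` output and the hosts file. Samples are constructed;
# DC_HOST and DC_IP are assumed values for the nearest on-site domain controller.

DC_HOST="dc01.corp.example.com"   # assumed
DC_IP="10.0.0.10"                 # assumed

# Print the value of one "Key = Value" line from dsconfigad -show output on stdin.
ad_setting() {
  sed -n "s/^ *$1 *= *//p" | head -n 1
}

# Print one "finding:" line per missing recommendation; exit status is the count.
audit_ad() {  # $1 = file with dsconfigad -show output, $2 = hosts file
  n=0
  [ "$(ad_setting 'Create mobile account at login' < "$1")" = Enabled ] \
    || { echo "finding: mobile account at login is not enabled"; n=$((n+1)); }
  [ "$(ad_setting 'Require confirmation' < "$1")" = Disabled ] \
    || { echo "finding: mobile account creation still requires confirmation"; n=$((n+1)); }
  [ "$(ad_setting 'Preferred Domain controller' < "$1")" = "$DC_HOST" ] \
    || { echo "finding: preferred domain controller is not $DC_HOST"; n=$((n+1)); }
  grep -Eq "^[[:space:]]*$DC_IP[[:space:]].*$DC_HOST" "$2" \
    || { echo "finding: no hosts entry mapping $DC_IP to $DC_HOST"; n=$((n+1)); }
  return "$n"
}

# Constructed samples: a Mac before and after applying steps 1-3.
WORK=$(mktemp -d)
cat > "$WORK/before.txt" <<'EOF'
Advanced Options - User Experience
  Create mobile account at login = Disabled
  Require confirmation           = Enabled
Advanced Options - Administrative
  Preferred Domain controller    = not set
EOF
cat > "$WORK/after.txt" <<'EOF'
Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
Advanced Options - Administrative
  Preferred Domain controller    = dc01.corp.example.com
EOF
printf '127.0.0.1\tlocalhost\n' > "$WORK/hosts.before"
printf '127.0.0.1\tlocalhost\n10.0.0.10\tdc01.corp.example.com\n' > "$WORK/hosts.after"

audit_ad "$WORK/before.txt" "$WORK/hosts.before" || echo "$? finding(s) before the fix"
audit_ad "$WORK/after.txt" "$WORK/hosts.after" && echo "no findings after the fix"
```

On a real Mac, feed it `dsconfigad -show` output and /private/etc/hosts; the same settings are applied with `dsconfigad -preferred`, `-mobile enable` and `-mobileconfirm disable`.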

Bryan

Reputation: 1

I'm researching exactly how to do this myself. I've done it in the past, but I believe you need to set up a roaming profile to be able to log on to it while away from the corporate office.

Upvotes: 0

USAshens

Reputation: 1

I had the same issue. To fix it I had to go into our device management site (AirWatch, though I've heard the same thing about Intune and other management tools) and disable the "Password" profile. Once AirWatch synced again, it allowed me to log in without the "Reset Password" prompt.

Other things I learned:
For the first couple of days I had this issue, I was able to reset the SMC and it would allow me to log in until I disconnected from the VPN again (at night).

I was able to reset the password on local accounts (I have a local test account that would accept a new password, but it had weird restrictions I had never set, like not being dictionary words, being over 12 characters, etc.). I had to use something like 1qaz@WSX3edc$RFV for it to work.

If I logged in as a local admin account, I was still locked out from using my domain-joined account to perform admin functions on the computer and make server connections; it didn't give me the change-password prompt, it just failed as if I had the wrong password.

Just putting this here for people who have to defend their choices to the higher-ups:
On a corporate domain, setting the Password profile manually for Mac is redundant as long as the profiles in your management suite are set to not allow local account logins and the password requirements are set in AD. This forces you to log in with an AD account, and AD will enforce the password requirements.

Upvotes: 0
