Active Directory Mobile Account not working

Hello all. I've successfully joined a few Macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work across a reboot.
If I reboot the computer without a network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
Any ideas?
Thanks!

Abbas,
You can find the Active Directory synchronization option under PWA settings >> Operation Policies
1. In Project Web App, click the Settings icon, and then click Project Web App Settings.
2. On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization.
3. On this page, you need to enter the Active Directory group which contains the users you want to sync and then click on save and synchronize.
You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the Synchronization Status section. It contains information such as when the last successful synchronization occurred. If the last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search for more information in the ULS logs.
Let us know the results.
You can find more information on AD sync at
http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
Thank you,
Kiran K.

Similar Messages

  • Active directory mobile accounts

    Hi,
    Just did a clean install of Lion, joined it to my active directory (Windows SBS 2003). No issues with this part...
    But when I log in as a domain user, I get:
    the home folder for user is not located in the usual place or cannot be accessed
    Strangely enough, if I turn off mobile account creation, it works, and /Users/domainuser is created. If I then turn back on mobile account creation I get the error again.
    Anybody else experience this? Any pointers on how to troubleshoot?

    WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
    I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)
    - In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
    - Log out then back in as a networked user,  -A local home directory will be created under /Users but will not be accessible if network is offline (non-mobile)
    - Open Terminal
    --- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
    --- Type: ./createmobileaccount -n username
    The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.
    This fixes Active Directory mobile accounts for the time being, so now it's on to Open Directory, which refuses to stay bound after a reboot.

  • Unable to create a specific Active Directory mobile Account

    Dear Community,
    I do have a problem with one workstation when I want to login with a specific Active Directory mobile user account. The login window will shake and refuse login due to invalid credentials... but this is not true, on other workstations the same account works without any problem. And also the Active Directory settings are verified and correct and other mobile account also work.
    So I tried to create the mobile account manually via Terminal :
    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
    sudo createhomedir -c -u username
    But this command results in an error that the account already exists, trying to delete, again an error null, etc... so no way.
    So I tried to start up in Single-User-Mode and get into dscl to finally delete this mysterious account daemon... but again I'm resulting in an error:
    dscl . -delete /Users/{username}
    <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
    Anyone any idea how to get this base cleaned so I can make this specific operator work on this specific Mac ? Help greatly appreciated. Thanks
    Cheers

    Could it be DNS cache?
    http://old.nabble.com/%3Cdscl_cmd%3E-DS-Error%3A--14009-%28eDSUnknownNodeName%29-td30706666.html
    The LSAP DB?
    http://old.nabble.com/Bad-Users!-td19172901.html
    Or even this?
    https://discussions.apple.com/thread/1448801?start=0&tstart=0

  • Convert Open Directory mobile accounts to Active Directory mobile accounts

    We have 200 or so Macs using OD mobile accounts.
    Implementing Active Directory, getting rid of Open Directory.
    How do I change the mobile accounts from OD accounts to AD accounts so that they authenticate against the AD Domain Controller and thus change the computer login password when it's changed in AD?
    I can convert accounts this way:
    a.    Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
    b.    Log into users’ account by choosing the other option, thus creating a mobile account.
    c.    Log out, log into admin account, delete the newly created home directory, rename the home directory from the deleted users account to match the name of the deleted home directory and do a chown -R on the directory for that user.
    Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
    Any other ideas?  Preferably a script I can deploy to all computers?

    I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
    Cheers,
    Rob

  • Active Directory Provisioning : CheckForGroupAssigments not working

    Hi All,
    I am using SAP IDM 7.1 SP5 Patch 2. When i try to provision Active Directory with a small number of users, the standard framework works perfect.
    As soon as the list of users becomes long (more than 100), the task CheckForGroupAssigments gives a false result even if there are groups to add the user to. I am trying to investigate this and I do not know where this variable "%AUDITID%" is defined.
    The check used is : SELECT count(userid) FROM mxpv_audit WHERE auditid = %AUDITID%
    I know what auditid is used for, but i do not know what value "%AUDITID%" holds and where it is defined.
    Any ideas are appreciated.
    Thanks

    Hi Thomas,
    I came across the same problem with that view. We simply changed the SQL command to use mxp_audit instead of mxpv_audit. I also opened a support case at SAP and they told me they will fix this in a future version of the provisioning framework.
    Best regards
    Holger
    Edited by: Holger Flocken on Nov 30, 2010 4:02 PM

  • Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

    Hi,
    I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
    When I run Farm configuration wizard to provision search service application, I get an error:
    ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
    The log file logged the details of this error as:
    ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated."
    After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
    I got some pointer from the below thread
    https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
    However, the above thread doesn't state that the solution worked.
    I have tried creating a share manually for the Analytics_<Guid> folder but it doesn't work since every time the farm configuration wizard is run it creates a new Analytics_<Guid> folder.
    Since I have set up SharePoint Foundation 2013 on a production environment, I cannot test and trial various solutions.
    Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 set up as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
    Thanks in advance.
    Himanshu

    Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
    Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Adobe Form that Creates Active Directory User Account

    Hello all!  Hopefully someone can help me with this.  I am using Adobe LiveCycle Designer ES 8.2 to create a user account request form.  I have the form created and now am working on a submit button that will email the form to the approving officials.  Once it's emailed to the approving officials I would like to have a button available which the approval person can select, resulting in the creation of an Active Directory user account.  I need the fields in the form to populate corresponding fields inside of Active Directory.  Current AD structure is on Server 2003.  Are there any ideas for how to accomplish this?

    I don't know. However, you might get a better or faster answer in the LiveCycle forum that deals with Designer.

  • I am having real problems with my hotmail account not working on my iMac

    I am having real problems with my hotmail account not working on my iMac but it works absolutely fine on my iPhone 5. Can anyone help with the setup for iMac? I am with BT for my Broadband. I am concerned that if I route my Hotmail account to Gmail it will stop working on my iPhone.

    How are you accessing Hotmail?  Via your web browser?  Are you using Apple Mail?  Outlook?
    The answer will be different depending on how you want to access Hotmail.
    If you are using an email client (like Apple Mail, Outlook, Entourage, etc.) then you need to set up a mail account in your email software.
    The incoming Hotmail settings are these:
    Incoming server: pop3.live.com
    User name: Your full Hotmail email address (aka "me @ hotmail.com" or "me @ live.com")
    Password: Your Hotmail password
    POP port: 995
    Use SSL to connect : yes
    The outgoing Hotmail settings are:
    Outgoing server: smtp.live.com
    User name: Your full Hotmail email address
    Password: Your Hotmail password
    SMTP port: 587 (override the default port if necessary)
    Use SSL to connect : yes

  • I got an iPad 4 from one of my friends which is in lost mode, tried reaching the owner on his mobile, which is not working, any way to reach the owner of the iPad?

    I got an iPad 4 from one of my friends which is in lost mode, tried reaching the owner on his mobile, which is not working, any way to reach the owner of the iPad?

    I'm afraid not. The iPad will be displaying only part of the ID, and Apple will not help you to find the owner's address (privacy laws). Without being able to reach the previous owner you will not be able to use the iPad.

  • Getting Mobile Accounts to work with Active Directory

    Just curious to see if anyone got this to work. I am running OSX server version 10.4.4. I bound the server via directory access to our Active Directory Domain. I could see the active directory accounts in Workgroup manager and was able to get client Mac systems to log in using their AD account info. When I tried to set up the accounts as mobile accounts I ran into problems. When you enter your login info on the client end, the screen would just go to a blank blue desktop and not get any further. Anyone have any luck getting their AD accounts set up on the client Macs running as mobile directories?

    Heh. Yeah, and tried switching it on and off a few times, too.
    I think I might have found the problem, but I think I might have also borked my ability to play with it tonight -- in the Advanced Rules section in the firewall settings, there were a bunch of "deny" rules in there that weren't enabled... I guessed that those needed to be turned on, so that it would deny everything by default, but then allow the stuff I want through (set on the other page).
    Except after enabling those, I now can't connect to the server with ARD any more. Oops.
    The good news is that at least I also can't mount AFP shares from here any more either.
    The bad news is that when logging into the MacBook now, with my mobile account, it still starts up the Home Sync process on login (after spending about 35 seconds doing nothing after entering the password), and then hangs there for about 2 minutes trying to contact the sync server before giving up and continuing with the login properly -- this is what I was hoping to avoid.

  • Mobile Accounts not copying home folders to local machine

    Having recently upgraded my MacBook to 10.5 (and having a 10.5 server) I have noticed an error with mobile accounts. My account has not synced for a couple of weeks and I have checked all the directory settings and cannot see any errors.
    I've removed all directory services and rebooted, put them back and it will create a mobile account but nothing is being copied to the local hdd. So basically it is functioning like a network account rather than a mobile one.
    This works fine on our 10.4 clients but having tried different users on my 10.5 system it does the same....creates the account, mounts the server but does nothing else.
    This means when you sync it says it's complete but does nothing...it's like it's lost permissions to the folder on the server but that seems very odd.
    Anyone else had issues with 10.5? We have an AD server with our users and a 10.5 server with OD replicating AD and holding the home folders.

    Are you still having this issue?
    Would you do like geekinit in this thread and post some partial screen grabs (although is problem included Windows server Active Directory and profile Manager which I will get up to soon.)
    Unable to deploy home folder mobility settings through an Apple MDM server
    Did you create a fileshare for Local Network accounts to put their stuff
    If so where is OS X server?
    Did you tell the user in OD to use that fileshare?
    Here's a screen grab example
    Francois.

  • Active Directory server is not available

    i have just setup and started testing a new exchange 2007 on my network. we did not have a exchange before, so this is a new install.
    my domain, xxx.com is a windows 2000 native AD. the exchange 2007 is a win 2003 sp1 x64, it is also a DC and has all roles assigned to it
    in my network i have
    dc01 win2000 sp4  dc (gc)
    dc02 win2000 sp4 dc (gc)
    exch01 win 2003 sp1 dc, rid, pdc, fmso, gc, infrastructure and naming
    the install went well, and i have been testing it for the past 2 weeks this dummy accounts. test smtp connectors, etc. all was working fine. to the point that i have started planning the migration of the users
    today i did some mods to IIS for a owa free SSL from startcom (as well as the root CAs). i have removed it since.
    i now get the following errors when i start the console, or shell. :
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    It was running command 'get-ExchangeAdministrator'.
    The following error(s) were reported while loading topology information:
    get-ExchangeServer
    Failed
    Error:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    A local error occurred.
    get-UMServer
    Failed
    Error:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    A local error occurred.
    HELP.. i have no idea what it does not like.
    exbpa does not report anything, i even get it to connect to the exch01 for it AD access.
    Any ideas??
    Thanks
    Paul Gartner
    (over all i like what i have been seeing in ex2007) 

    i think that you might be confusing "AD user account" and "profile". you DO NOT delete administrator from your AD Users and Computers. you only delete the Profile (\documents and settings\administrator folder). you can NOT do this while you are logged on using the administrator account.
    be sure to backup any data in your my documents and any favorites
    create another user that is in the domain admin group of your active directory, log on with that account and verify that the exchange tools works. then follow this to remove the profile.
    >1). Logon the Exchange server by using another admin account.
    >2). Open Control Panel, select System.
    >3). Select Advanced tab and click the Settings button of User Profile.
    >4). Delete the Profile of user which encounters this issue.
    >5). Click OK.
    >6). Restart the server and logon it by using Administrator account.

    once this is done, logon with your administrator account and try the tools again, they should work.
    Paul Gartner

  • Active Directory cn field not updated from sap HR using ldap.

    Hi,
    Apologies if this is in the wrong forum area.
    I am using the LDAP facility to create and modify Active Directory records from sap HR. Initially, the name field cn that was coming across into AD was in the format of the logical system and employee number, eg, RD4CLNT22000000711.
    I then implemented the BADI HRLDAP_ATTRIBUTES which then changed this name field cn in the active directory listing to the format; surname, forename.
    It works fine when I create a new user, however the problem comes when I update the persons name in the sap hr module. The data that comes across into Active Directory shows the change to the persons surname sn, forename and displayname fields is there but the cn field is still showing as the previous name.
    In short, when a new user is created, the cn field in active directory is correct (surname, forename) but when the employee’s name is modified, that change is not brought across to the cn field even though the surname, forename and displayname fields are updated correctly on AD.
    We are on release 4.70.
    Anyway, if anyone could help I would be very grateful.
    Thanks
    David

    Hi
    The problem it is causing us is that the cn field is incorrect and does not mirror the change in sap HR, therefore the Active Directory entry for the employee is not totally accurate.
    When an employee changes their name in SAP HR - usually their surname, we would then want to update the employee’s active directory account to show this change and this includes the cn field also. At the moment the firstname, lastname fields do get updated with the change so we would want the cn field to show this as well otherwise the cn field would be incorrect and not match up with the employee's AD firstname & lastname fields.
    Dave

  • Active Directory - Network Accounts Unavailable after reboot

    The issue I'm having with Snow Leopard is that I can bind accounts to AD and on the first boot it works perfectly. It shows Network Accounts Available and I can login using an AD account. After I reboot and on every boot after the first it then shows Network Accounts Unavailable. I logged in as local admin and it shows it is bound to the domain and it has a green light under the Directory Utility for the domain.
    Here are the main bits of info regarding this problem:
    1. Computer is bound to domain on first boot using Deploy Studio's firstboot script. This works brilliantly on 10.5 and only became a problem on 10.6.
    2. On first boot, it binds to the domain correctly and shows Network Accounts Available. I can log in using a network account and everything is peachy.
    3. If I reboot the machine, the status on the loginbox changes to Network Accounts Unavailable and has a red light.
    4. If I've logged in to an AD account on first boot, it will log in even with the red light present (it is a mobile account). This is working properly.
    5. If I try to log in using an account that has never logged in before, it will not log it in.
    6. If I log in as local admin and check the Directory Utility, it shows the machine as being properly bound to the domain and has a green light even though the login box shows a red one.
    These are all the facts surrounding this issue that I have at the moment. I am booting up a 10.5 image right now that is freshly imaged and will report back its behavior using the same AD binding script that is being used on the 10.6 image.

    Quick Update on the 10.5 AD Binding test I said I was doing.
    Every time I reboot on 10.5, it says Network Accounts Unavailable for a few seconds and then switches to Network Accounts Available.
    On Snow Leopard, it never switches to Network Accounts Available, it stays stuck on unavailable.
    Thanks in advance,
    Nate

  • Mobile accounts not expiring

    Hi everyone,
    We have all of our Macs (running 10.7) bound to AD through the native plugin. We have the AD plugin set to create mobile accounts. We create three local groups on each machine and add the equivalent AD groups to the local groups. For instance, we have a local group called Students which has the member DOMAIN\AD Students. We then use local managed preferences to launch a login script to map drives for these accounts, which works correctly based on group membership.
    We've now set these same three local groups to have mobile account expiration. On a test machine, we set it to 2 days. We then logged in with a test account and rebooted, logged in again, and rebooted. After waiting all week, the account is still there (along with all of the other mobile accounts, but we don't know exactly when those students had logged in).
    Is there any place to check where the last time a user logged in? Does our setup sound like it should even work?
    Thanks!
    -MRCUR

    When logging in with an AD user, the "lastLoginTime" is not set on the mobile account. This seems to be the root cause of the accounts not expiring as expected, as the lastLoginTime is used to determine when the account should expire.
    This unfortunately seems like expected behavior when using AD accounts as opposed to local or OD accounts.
