Active directory mobile accounts

Hi,
Just did a clean install of Lion, joined it to my active directory (Windows SBS 2003). No issues with this part...
But when I log in as a domain user, I get:
the home folder for user is not located in the usual place or cannot be accessed
Strangely enough, if I turn off mobile account creation, it works, and /Users/domainuser is created. If I then turn back on mobile account creation I get the error again.
Anybody else experience this? Any pointers on how to troubleshoot?

WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)
- In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked.
- Log out, then back in as a networked user. A local home directory will be created under /Users but will not be accessible if the network is offline (non-mobile).
- Open Terminal
--- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
--- Type: ./createmobileaccount -n username
The username you specify with the createmobileaccount command will be turned from a standard account into a mobile account.
This fixes Active Directory mobile accounts for the time being, so now it's on to Open Directory, which refuses to stay bound after a reboot.
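The workaround above is a one-off Terminal session; the shell script below is an added example (not code from the thread) that wraps the same `createmobileaccount -n username` step with a pre-check, so it can be pushed to several Macs and rerun without converting an account twice. It assumes the standard `dscl . -read /Users/<name> AuthenticationAuthority` output, in which a cached mobile account carries a `;LocalCachedUser;` authority and an ordinary local user does not; the sample records at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original thread): wrap the createmobileaccount
# workaround in a script that inspects the local record first, so it is safe to
# rerun on a machine where the account was already converted.
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Classify the user's AuthenticationAuthority as read from the local node with
#   dscl . -read /Users/<name> AuthenticationAuthority
# - no local record:          a network user whose home was forced local; this is
#                             exactly the thread's case, so convert it
# - ";LocalCachedUser;":      already a mobile (cached) account; nothing to do
# - anything else:            a genuine local user, not an AD user; leave it alone
decide_action() {
    record="$1"
    if [ -z "$record" ]; then
        echo "convert"
    elif printf '%s\n' "$record" | grep -q ';LocalCachedUser;'; then
        echo "already-mobile"
    else
        echo "local-account"
    fi
}

# Convert one user according to decide_action and report what was done.
convert_to_mobile() {
    user="$1"
    record=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null) || record=""
    action=$(decide_action "$record")
    case "$action" in
        convert)
            # createmobileaccount needs root; -n takes the short name, as in the thread
            sudo "$CMA" -n "$user" && echo "$user: converted to mobile account" ;;
        *)
            echo "$user: skipped ($action)" ;;
    esac
}

# Constructed sample records (not captured from a real machine) for offline checks.
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.0000;LKDC:SHA1.0000'
SAMPLE_MOBILE='AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/example.local:jdoe:S-1-5-21-0-0-0-1001 ;Kerberosv5;...'

# Usage: sudo ./mobilize.sh <shortname>   (does nothing when run without an argument)
if [ -n "${1:-}" ]; then
    convert_to_mobile "$1"
fi
```

Run it once per user after that user has logged in with mobile account creation turned off, as the workaround describes; a second run on the same user reports `skipped (already-mobile)` instead of calling `createmobileaccount` again.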

Similar Messages

  • Unable to create a specific Active Directory mobile Account

    Dear Community,
    I do have a problem with one workstation when I want to login with a specific Active Directory mobile user account. The login window will shake and refuse login due to invalid credentials... but this is not true, on other workstations the same account works without any problem. And also the Active Directory settings are verified and correct and other mobile account also work.
    So I tried to create the mobile account manually via Terminal :
    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
    sudo createhomedir -c -u username
    But this command results in an error that the account already exists, trying to delete, again an error null, etc... so no way.
    So I tried to start up in Single-User-Mode and get into dscl to finally delete this mysterious account daemon... but again I'm resulting in an error:
    dscl . -delete /Users/{username}
    <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
    Anyone any idea how to get this base cleaned so I can make this specific operator work on this specific Mac ? Help greatly appreciated. Thanks
    Cheers

    Could it be DNS cache?
    http://old.nabble.com/%3Cdscl_cmd%3E-DS-Error%3A--14009-%28eDSUnknownNodeName%29-td30706666.html
    The LSAP DB?
    http://old.nabble.com/Bad-Users!-td19172901.html
    Or even this?
    https://discussions.apple.com/thread/1448801?start=0&tstart=0

  • Convert Open Directory mobile accounts to Active Directory mobile accounts

    We have 200 or so Macs using OD mobile accounts.
    Implementing Active Directory, getting rid of Open Directory.
    How do I change the mobile accounts from OD accounts to AD accounts so that they authenticate against the AD Domain Controller and thus change the computer login password when it's changed in AD?
    I can convert accounts this way:
    a. Delete the user's account in the Users preference pane of System Preferences, but choose not to change the home directory.
    b. Log into the user's account by choosing the Other option, thus creating a mobile account.
    c. Log out, log into the admin account, delete the newly created home directory, rename the home directory from the deleted user's account to match the name of the deleted home directory and do a chown -R on the directory for that user.
    Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
    Any other ideas?  Preferably a script I can deploy to all computers?

    I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
    Cheers,
    Rob

  • Active Directory Mobile Account not working

    Hello all. I've successfully joined a few Macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work across a reboot.
    If I reboot the computer without a network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
    However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
    Any ideas?
    Thanks!

    Abbas,
    You can find the Active Directory synchronization option under PWA Settings >> Operational Policies:
    1. In Project Web App, click the Settings icon, and then click Project Web App Settings.
    2. On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization.
    3. On this page, you need to enter the Active Directory group which contains the users you want to sync, and then click Save and Synchronize.
    You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the Synchronization Status section. It contains information such as when the last successful synchronization occurred. If the last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search for more information in the ULS logs.
    Let us know the results.
    You can find more information on AD sync at
    http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
    Thank you,
    Kiran K.

  • Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

    Hi,
    I have successfully set up SharePoint Foundation 2013 as a single-server farm with a SQL Server Standard database in a DMZ environment using local accounts, since the DMZ doesn't have an Active Directory and hence no domain accounts, using PowerShell as described in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
    When I run Farm configuration wizard to provision search service application, I get an error:
    ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
    The log file logged the details of this error as:
    ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated."
    After investigation, I found that potentially the error could be because the timer service is trying to set up a network share for the analytics component (as part of provisioning search). It is trying to set up that share with a domain account that happens to be a local user instead in this case and fails with the error "System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated".
    I got some pointer from the below thread
    https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
    However, the above thread doesn't state that the solution worked.
    I have tried creating the share manually for the Analytics_<Guid> folder, but it doesn't work since every time the farm configuration wizard is run it creates a new Analytics_<Guid> folder.
    Since I have set up SharePoint Foundation 2013 on a production environment, I cannot test and trial various solutions.
    Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 set up as a single-server farm with a SQL Server Standard database in a DMZ environment using local accounts (without Active Directory domain accounts).
    Thanks in advance.
    Himanshu

    Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
    Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
    Trevor Seward

  • Adobe Form that Creates Active Directory User Account

    Hello all! Hopefully someone can help me with this. I am using Adobe LiveCycle Designer ES 8.2 to create a user account request form. I have the form created and now am working on a submit button that will email the form to the approving officials. Once it's emailed to the approving officials, I would like to have a button available which the approval person can select, resulting in the creation of an Active Directory user account. I need the fields in the form to populate corresponding fields inside of Active Directory. The current AD structure is on Server 2003. Are there any ideas for how to accomplish this?

    I don't know. However, you might get a better or faster answer in the LiveCycle forum that deals with Designer.

  • Password Sync from Active Directory Locking Accounts

    Hello,
    We recently set up Active Directory as a resource and are syncing passwords. We are using IDM 7.1.1.11. We are noticing that when actions in IDM push the password out to AD, and the sync comes back to IDM, the sync workflow is locking up the account before the original IDM action completes. For example, when an admin resets a user's password, they see several error messages stating that the account is locked by the account that authenticates through the password sync utility. They also see successful password reset messages, but I would like it if they didn't see errors saying the account is locked. We are using a direct connection between the Password Sync util and IDM. Has anyone run into this? Any advice on overcoming it?
    Thanks.
    Jim

    I opened a support case with Sun about this issue, and they recommended logging a trace file for com.waveset.adapter.ActiveDirectoryActiveSyncAdapter. While the trace file does not seem to contain any useful information, the simple fact that there is tracing going on for it now seems to be easing the situation. In my test environment I saw occurrences of this locking problem drop by 90-95% simply by turning the tracing on. I started tracing in production in the hopes that it will at least lessen the occurrences of this.
    Sounds like we are taking the same approach, Raj. The problem I've been having with it is getting it to happen while I'm debugging our reset password workflow. I want to make sure I add the locking check in the right place, so I was attempting to determine which area to check for it.
    I'll be sure to keep the thread updated if anything changes on our end.
    Jim

  • Active Directory - Network Accounts Unavailable after reboot

    The issue I'm having with Snow Leopard is that I can bind accounts to AD and on the first boot it works perfectly. It shows Network Accounts Available and I can login using an AD account. After I reboot and on every boot after the first it then shows Network Accounts Unavailable. I logged in as local admin and it shows it is bound to the domain and it has a green light under the Directory Utility for the domain.
    Here are the main bits of info regarding this problem:
    1. Computer is bound to domain on first boot using Deploy Studio's firstboot script. This works brilliantly on 10.5 and only became a problem on 10.6.
    2. On first boot, it binds to the domain correctly and shows Network Accounts Available. I can log in using a network account and everything is peachy.
    3. If I reboot the machine, the status on the login box changes to Network Accounts Unavailable and has a red light.
    4. If I've logged in to an AD account on first boot, it will log in even with the red light present (it is a mobile account). This is working properly.
    5. If I try to log in using an account that has never logged in before, it will not log it in.
    6. If I log in as local admin and check the Directory Utility, it shows the machine as being properly bound to the domain and has a green light even though the login box shows a red one.
    These are all the facts surrounding this issue that I have at the moment. I am booting up a 10.5 image right now that is freshly imaged and will report back its behavior using the same AD binding script that is being used on the 10.6 image.

    Quick Update on the 10.5 AD Binding test I said I was doing.
    Every time I reboot on 10.5, it says Network Accounts Unavailable for a few seconds and then switches to Network Accounts Available.
    On Snow Leopard, it never switches to Network Accounts Available, it stays stuck on unavailable.
    Thanks in advance,
    Nate

  • 'Public' Active Directory account no longer works w/Tiger?

    We have approx 20 public Macs that all log onto our Windows 2003 server using the same Active Directory account - 'Public'
    This has worked fine until Tiger - Now when we attempt to log onto one of our network drives with this account name I'm told by a pop-up window that the account is either disabled or I've put the password in incorrectly.
    Can anyone confirm if 'Public' cannot be used by a user on Tiger? Is it exclusively for the OS?

    Ran across this in the help file...
    "Mac OS X 10.3 or later: "Invalid user name and password combination" Message When Using Active Directory
    When binding a Mac OS X client computer to Active Directory, the account entered is not validated (resolved) at that time. It is used as entered. If entered incorrectly, you will see an alert message later.
    Symptom
    After configuring the Active Directory Directory Access plug-in, an alert message appears at the client computer that says "invalid user name and password combination."
    Products affected
    Mac OS X 10.3 or later
    Solution
    This happens when an incorrect name and/or password is entered, including a username entered with incorrect syntax.
    The user's login name (also known as "PrincipalName") is required when binding a computer to Active Directory.
    The user can also use the short part of the login name (such as "virginia"). The typical syntax of a login name is similar to "[email protected]".
    Note: If the user's login name has been modified from the default "[email protected]", then the default login name must be used. The modified login name (such as "[email protected]") cannot be used."

  • Need to automatically add newly created user account in an existing active directory group.

    Hi All ,
    In my environment we are having a Windows Server 2012 Active Directory environment. We need to have the newly created Active Directory user account get added automatically to the existing Active Directory group after that new user account's creation.
    Please tell us the possible ways to achieve this scenario.
    Regards
    S.Nithyanandham

    Hi,
    Can you please confirm your requirement,
    When you create a new user account in AD, based on the user's properties like Department, Job or Location, the user needs to be added to your specific AD groups?
    Regards,
    Gopi
    JiJi Technologies

  • 10.4.11 - Can't create mobile account

    I reimaged one of our powerbook G4 laptops and ran S/W update getting it to version 10.4.11. After rebooting I could not create an Active Directory mobile user account. Tried all the normal things - repair permissions, rebind to AD and reboot, even trashed the edu.mit.kerberos file and all plists in /Library/Preferences/DirectoryService and rebind from scratch. I probably trashed the mcx settings in NetInfo Mgr, but I don't recall for sure. Also the 'ol reset-nvram and reset-all in OpenFirmware. Nothing helped - kept getting the "can't login, users home folder is on an AFP or SMB share". When I logged in as my local admin user, I could connect to the homefolder path using the mobile-user's credentials (with Kerberos).
    My solution was to reimage the laptop again (ver 10.4.10), bind to AD & reboot, create the mobile account and then run S/W update to 10.4.11.
    I'm not really looking for a solution here, just a warning to people that you may not want to create images at 10.4.11 if you use mobile accounts. I plan on using my 10.4.10 images for the time being.
    Ta ta,
    JHL
    P.S. I haven't tried this yet on our iBooks, eMacs or iMacs.

    Similar issue...
    Updated an iBook G4 today to 10.4.11. After reboot it logged in with a Network Account (not mobile account this time - AD set to not create mobile account and to not create local home). I unbound from AD, rebooted and created a NetRestore image. Rebound to AD, set the Authentication order and rebooted. Now the network account wouldn't login - gives the Can't login now, homefolder on an AFP or SMB server error. (homefolders, sharepoints and permissions just fine.)
    Now for the strange part... I got sidetracked for about a half hour, then I went back to the iBook and the Network account was able to login again. After several unbinding/reboot/rebinding/reboot processes, I narrowed it down to it takes about 11 or 12 minutes after binding to AD for the network account to login properly.
    I had another tech install the 10.4.11 update on an eMac and the logins worked ok. But when I had him unbind/reboot/rebind/reboot, he had the same 11 to 12 minutes before a network account can login (same error.)
    Now for another strange part... he tried unbind/rebind again, but left AD 3rd in the Authentication order (after NetInfo and LDAP for OpenDir). The network account could login right away - these are AD useraccts.
    In my experience since 10.3, I've always had to put AD before LDAP/OD in the authentication order for the user-acct to authenticate name/password to Active Directory properly. I plan on trying this with the iBook tomorrow.
    My homefolders for these accounts are on x-server running 10.4.10 (haven't been brave enough to update the servers yet.)
    Has anyone else experienced these 10.4.11 anomalies with network or mobile accounts? Either with 10.4.10 or 10.4.11 servers?

  • Unable to activate mobile account

    Hi, I am in a dead end.
    I am trying to set up a mobile account on 10.8 Server, with 10.8 clients.
    So far, I got my Open Directory set up: server.name.private
    I created a new user in the Users tab, named test.
    The Home Folder is set up for my Homes folder, which is on a secondary hard drive.
    This folder is shared with File Sharing, and has read/write permission for the group of my user.
    If I check the folder permissions in the Finder, it is strange, but I don't know how to clean them. Each group is there twice, and they have Custom privilege.
    With Workgroup Manager, I selected my user, went to the Preferences tab, and set up the Mobility section.
    The options for Account Creation are Manage: Always, Account Expiry is Manage: Never and under Rules, Home Sync, I selected Once.
    On the client side, I activated the mobile account option, and entered the Open Directory address.
    And when I log in, I put my info test/password, and get the message: You are unable to log in to the user account "test" at this time. Logging in to the account failed because an error occurred.
    And here is the log from the server
    CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile
    Does someone have a clue for me?
    Thanks!

    Can you wipe the systems and migrate the data? With my experience in Mobile Users this will probably be quicker than trying to troubleshoot Mobility problems.

  • Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

    We have implemented Azure AD single sign-on using auto-generated code from Visual Studio 2013 with organizational account authentication, and it's working fine.
    The problem is when the user is logged in to the Azure management portal with his Live account and in another tab he tries to open our app; then he directly gets the below error on the Microsoft login page.
    Additional technical information:
    Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
    Timestamp: 2015-04-14 12:27:20Z
    AADSTS50020:
    User account '[email protected]' from external
    identity provider 'live.com' is not supported for application
    'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
    be added as an external user in the tenant. Please sign out and sign in
    again with an Azure Active Directory user account.
    It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

    I assume you created a web application using VS2013 which uses the WS-Federation protocol.
    The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
    For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
    The user will need to either sign out or use an in-private session in the browser.
    If you switch to OpenID Connect (sample at https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the "prompt=login" query parameter in the sign-in request, this will force a fresh login.

  • Unable to login @ login window with Active Directory User

    I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my Active Directory user account and authenticate perfectly. All search bases are correct and everything else looks fine.
    When I attempt to login from the login window as an AD user, the window shakes. Clicking under Mac OS X shows that "Network Accounts Available". Looks like the CLI tool "dirt" is now gone as well, although insecure it would possibly show something here.
    Anyone else having issues after binding to AD? I bound using the Directory Utility gui... I have not tried using my leopard bind script yet.
    Thanks,
    Ken

    I have pretty well the same problem. The machine was already bound to AD prior to upgrade. After could not login on with my account (jball). Can log on with other accounts from the same domain (we only have one AD domain). Can also su to jball in a terminal session. Can't access network resources with jball when I try to connect to a windows server through the finder, instantly comes up with bad username or password, doesn't even think about it.
    I have removed any copies of the home folder under either /Users or /Domain as I have had problems with that before. Have repaired permissions and unbind and bind the machine to AD. Have been at this all day now and no closer. Get these error messages in console:
    31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
    31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
    31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing

  • Time machine Active directory

    I need to restore an Active Directory user account from Time Machine backup.
    After reinstalling OS X I used "Migration Assistant" and I was unable to find the Active Directory user account in the Time Machine backup.
    From this backup I can restore ONLY the local machine account, not the network (AD) account.
    What's wrong?

    I don't use Active Directory, and know almost nothing about it.
    But Time Machine, like most backup apps, cannot back up from any network location.
    Were you ever able to see backups of that account? If not, it wasn't backed up.
