Adding Local User Account Alongside RADIUS

Greetings!
Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
Thanks!
-Noah

Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
You cannot have Radius and the local account work at the same time - at least not in the sense that you can login and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually Radius) and one as backup (usually local account). Then when you attempt to login the device will attempt to use Radius, and if the Radius server is not available then it will use the local account.
If that does not clarify your issue then please help us understand better what your issue is.
HTH
Rick
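
On Cisco IOS, the primary/backup arrangement described in the reply above is expressed as an ordered AAA method list. The following Python audit is an added example, not part of the thread: it checks a running-config for method lists that name a server group without `local` after it, and for `local` methods with no `username` defined. The configs, list names and account name are constructed placeholders.

```python
import re

# Constructed sample: RADIUS only. No fallback method, no local account.
RADIUS_ONLY = """\
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
"""

# Constructed sample: RADIUS primary, local backup. IOS moves to the next
# method only when the previous one returns an error (server unreachable),
# not when the server rejects the credentials.
RADIUS_THEN_LOCAL = """\
aaa new-model
username backupadmin privilege 15 secret <PLACEHOLDER>
aaa authentication login default group radius local
aaa authorization exec default group radius local
"""

METHOD_LIST = re.compile(
    r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
LOCAL_METHODS = {"local", "local-case"}


def split_methods(text):
    """'group radius local' -> ['group radius', 'local']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa(config):
    """Return (method list, issue) tuples for a running-config text."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append(("global", "aaa new-model missing"))
    has_user = any(line.startswith("username ") for line in lines)
    for line in lines:
        m = METHOD_LIST.match(line)
        if not m:
            continue
        name = "%s %s" % (m.group(1), m.group(2))
        methods = split_methods(m.group(3))
        groups = [i for i, x in enumerate(methods) if x.startswith("group ")]
        local = [i for i, x in enumerate(methods) if x in LOCAL_METHODS]
        if groups and local and local[0] < groups[0]:
            findings.append((name, "local is tried before the server group"))
        elif groups and not any(i > groups[0] for i in local):
            findings.append((name, "no local fallback after server group"))
        if local and not has_user:
            findings.append((name, "local method but no username configured"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("RADIUS_ONLY", RADIUS_ONLY),
                       ("RADIUS_THEN_LOCAL", RADIUS_THEN_LOCAL)):
        print(label, audit_aaa(cfg) or "ok")
```
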

Similar Messages

  • OD network user accounts with radius secured wireless

    ok.
    i'd like to use radius security on my wireless network.
    i also have 300+ OD users, who log on using both wired desktops and wireless laptops.
    however, once radius is up and running, i no longer can access the "other..." user login option on the laptops, as the laptops can't connect to the network to get the OD user info.
    how do i work around this? do i add the OD bound laptops themselves to the allowed users?
    ta

    Well, folks, it turns out that the network user list is in fact displayed, but there's a slight catch that had me fooled. I've got a single local account set up. This local admin account is selected by default and displays the password field. When I hit ESC to clear it, that local account only is displayed for about 15-20 seconds. This fairly long delay made me think it would never happen... whoops. AFTER about 15-20 seconds, the full login list is displayed. Unless you clear that pwd prompt by hitting ESC or clicking Back, the list is never displayed.
    Now that I've created a second local user account for other reasons, the pwd prompt does NOT automatically appear, and the network user list is displayed after 15-20 seconds, despite WPA.
    Problem solved. Now we'll just see if 26 users can log in simultaneously over wireless... I won't hold my breath for too long!
    Thanks for your time.

  • Migrating local user accounts/home directories to network user accounts

    Hi,
    I am planning on moving the user accounts from several Mac OS X client machines to a new Mac OS X Server machine (Quad core Xeon MacPro). I am very familiar with OS X client in a support environment, but do not have extensive experience with Server.
    I read over the instructions in this article
    http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c6um3.html
    and it appears to be fairly straight forward, although I do have some questions regarding the existing data (home folders) and how to set the clients to log in to the network account.
    Previously, in the event that I have needed to move a person's home directory to a new computer or recover from a corrupt OS (and Archive&install was not an option), in OS X client I would:
    1) Back up the home directory.
    2) Erase/reinstall OS X client.
    3) Log in as Root.
    4) Go into "Accounts" pref pane and create user with same short name as original/backed-up home directory.
    5) Replace the newly created home directory with the backed-up home directory.
    6) Go into Terminal and chown/chgrp the home directory to username/staff, respectively.
    This would result in a perfectly migrated user account. All settings and files working just as they did on the previous system/install of OS X.
    First Question: Could I employ a similar method to retain the content and settings from the local user accounts on the server as I migrate them to network users? Moving the user accounts to the server as described, then running terminal to set proper ownership...
    Second Question: What do I do on each client system to tell it to recognize the networked home directory for each user? Do I just change the user's home folder path in Netinfo Manager to the automount location?
    Thanks in advance for any help you can offer,
    -David
    MacPro 2.66 Quad Core (MA356LL/A)     Mac OS X Server 10.4.8

    A network account is really existing only on the server but if you use "portable homefolders" (Tiger client and server) you could "migrate" the local account to a "server" one by:
    Login locally as another user with administrative rights.
    Change the name of the old account folder in /Users.
    Remove the "old" account locally (won't remove the "old" folder as you changed the name) only Netinfo data.
    Login using the serveraccount login/password thus creating a homefolder on the server.
    Logout and back in, enable portable homefolder.
    Logout and then in as a local admin and remove the new user folder.
    Change the name on the old userfolder to what the new one had.
    I'm not a 100% sure Netinfo has the server account UID now (added by logging in and creating the portable account?) but if it does:
    (http://forums.macosxhints.com/archive/index.php/t-12077.html)
    "Finding and changing UIDs across the filesystem is a one-liner command:
    sudo find / -user UID -exec chown userName {} \;
    (replace UID with the old UID number and userName with the new user name to associate file ownership.)"
    (A portable account must have got some "kind" of UID?)
    Let the machine "sync" with the server account.
    If you want an "on network only" account I don't know what you need to remove locally afterwards.
    HTH

  • Added a user account, now my iMac is acting up.

    Added a user account simply for a second iTunes library and so no crossover with contacts, favorites, etc. would occur on the family's iPhones. The first problem I noticed is when waking the display from sleep, the screen saver being used will be frozen on the screen and you have to use the mouse to "uncover" the user accounts. Over the past week or so, my problems have gotten worse... The pinwheel will appear for 10+ minutes while doing something as simple as searching for a document, many of the files on my desktop disappeared (luckily i had them backed up), and the computer will freeze with no recovery, forcing me to do a hard shut down (eek!). All software/hardware is up to date, I have repaired my permissions several times, and I even deleted my windows partition. The computer is hardly ever under a great amount of stress.. The most it is doing at one time is having a web browser or two open, mail, iCal, and iTunes. Could this all be because of an empty user account? I have plenty of room to spare on the computer and I haven't done anything drastic to the computer lately... Any insight would be appreciated.

    Tell us about the actual Mac. What model? What version of Mac OS X? Is all the software up-to-date? Does it have 3rd party RAM? Is your LAN wired or wireless? Etc, etc, etc.
    Dah•veed

  • Local user account is trying to authenticate against domain controller

    Hi all.  I am seeing a weird user logon issue on one of my laptops and on another user's PC.  Both the laptop and the PC are members of our domain.  However, on this particular laptop and PC, we are not logging in with a domain user account, rather we've created a local user account, granted it local admin access, and log in with this local user account.  Now, on my domain controller, I am seeing a bunch of account login failure messages, which happen a few times per minute and are filling up the domain controller security log.  For the laptop, this is a clean build, with a fresh Windows 7 installation, along with MS Office 2010 and a few third party applications (eg: Adobe Reader, 7-ZIP, etc).  I've checked all group policy to ensure there are no services or connections that require domain credential access that have applied to this laptop (or the PC).  I am not sure why this local user is trying to authenticate to our domain controller.  This user account doesn't exist in our domain.  The only thing I can think of is Microsoft Outlook 2010 might be doing background authentication against the domain controller by using the current login user account, I just can't confirm this.  Has anyone encountered this issue in their environment?
    Thank you.
    Below is a copy of the event.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          13/06/2014 8:56:27 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      domaincontroller.mydomain.local
    Description:
    An account failed to log on.
    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    Logon Type:            3
    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        dummy
        Account Domain:        l-sparet400sc
    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc0000064
    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -
    Network Information:
        Workstation Name:    L-SPARET400SC
        Source Network Address:    192.168.2.181
        Source Port:        60720
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
        <EventRecordID>299829083</EventRecordID>
        <Correlation />
        <Execution ProcessID="488" ThreadID="640" />
        <Channel>Security</Channel>
        <Computer>domaincontroller.mydomain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">dummy</Data>
        <Data Name="TargetDomainName">l-sparet400sc</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc0000064</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">L-SPARET400SC</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">192.168.2.181</Data>
        <Data Name="IpPort">60720</Data>
      </EventData>
    </Event>

    It's the service which is using the account info and authenticating against the DC to obtain service ticket and fails
    Interesting log section is NULL SID which doesn't correspond to any account name.
    Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    and the below section explains, the request is made over network, which is most of the times by the service
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    The below is assumed to be performed on a client which does not run mission critical production applications which has zero impact when you perform the below actions,
    can you disable
    a) Server service
    b) Workstation service
    c) Disable RPC dependent service and services which depend on RPC and test
    Question:
    What is the level of DC hardening you have in your environment ?
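
When a domain controller's Security log fills with failures like the one posted above, the fields worth reading first are `SubStatus`, `LogonType`, and whether `TargetDomainName` matches `WorkstationName`. The following Python triage is an added example, not code from either poster: it parses exported Event 4625 XML and groups failures by source. The first sample uses the field values from the post; the second event and its names are constructed for contrast.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

# NTSTATUS sub-status codes commonly seen in 4625 events.
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "user name is correct but the password is wrong",
}
LOGON_TYPES = {"2": "interactive", "3": "network"}


def _event(fields):
    """Build a minimal 4625 event document from a dict of EventData fields."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>4625</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS_URI, data))


# Field values taken from the event quoted in the post (trimmed).
POSTED_EVENT = _event({
    "TargetUserName": "dummy", "TargetDomainName": "l-sparet400sc",
    "Status": "0xc000006d", "SubStatus": "0xc0000064", "LogonType": "3",
    "LogonProcessName": "NtLmSsp ", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "L-SPARET400SC", "IpAddress": "192.168.2.181",
})

# Constructed event: a domain account with a wrong password.
CONSTRUCTED_EVENT = _event({
    "TargetUserName": "jsmith", "TargetDomainName": "MYDOMAIN",
    "Status": "0xc000006d", "SubStatus": "0xc000006a", "LogonType": "3",
    "LogonProcessName": "NtLmSsp ", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "PC-EXAMPLE", "IpAddress": "192.0.2.10",
})


def parse_4625(xml_text):
    """Return the EventData fields of one 4625 event as a dict."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}


def triage(fields):
    """Summarise why the logon failed and where it came from."""
    domain = fields.get("TargetDomainName", "")
    workstation = fields.get("WorkstationName", "")
    return {
        "account": "%s\\%s" % (domain, fields.get("TargetUserName", "")),
        "reason": SUBSTATUS.get(fields.get("SubStatus", "").lower(), "other"),
        "logon_type": LOGON_TYPES.get(fields.get("LogonType", ""), "other"),
        # Domain part equal to the workstation name: the client offered an
        # account from its own local database, which the DC cannot validate.
        "local_account_offered": bool(domain)
                                 and domain.lower() == workstation.lower(),
        "source": (workstation, fields.get("IpAddress", "")),
    }


def summarize(events):
    """Count failures per (workstation, ip, account, reason)."""
    counts = Counter()
    for xml_text in events:
        t = triage(parse_4625(xml_text))
        counts[t["source"] + (t["account"], t["reason"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize([POSTED_EVENT] * 3 + [CONSTRUCTED_EVENT]).items():
        print(n, key)
```
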

  • Bug When Converting (Back) To Local User Account

    I am using Windows 8.1 Pro and began by setting up a local user account, which is the Administrator account. I then successfully switched the account to a Microsoft account, with the same user name.
    As a test, I then decided to switch back to a local user account.
    The bug is that I was not permitted to use the same user name. I had to select a different user name. This defeats the purpose of transparently switching from a Microsoft account to a local account.
    Fortunately (for me) I had anticipated that something might go wrong and had performed a full system backup to a external USB drive before I began this switching test.
    L.M.Cohen

    While Windows 8.1 (Pro) allows you to create new User accounts, it is set up to "convince" you to create Microsoft-type user accounts, rather than local user accounts.
    And if you try to convert a Microsoft-type account to a local user account, with the same user name, it will not let you do it. However it will allow you to convert in the opposite direction, with the same user name.
    So I started all over and carefully read the small print -- to learn that you can initially set up a local user account. But this is discouraged, but if you persist, it can be done -- even though it is implied that "the sky might fall."
    This is disingenuous.
    However now that I understand the dynamics, I have no more problems.
    Regards,
    L.M.Cohen

  • A conflicting local user account as indicated was found on the identified nodes Oracle 12c GRID runcluvfy check

    Dear Team,
    Oracle 12c GRID runcluvfy check failing with below error. Even After Changing Local Built in Administrator User Name also same failure reporting. Kindly help to resolve this Issue and Provide steps to Avoid this conflict.
    Windows user account consistency check across nodes - Checks consistency of Windows user account across nodes  Error:
    PRVG-11818 : Windows user "MDCCOMMONLDAP\Administrator" is a domain user but a conflicting local user account was found on nodes "sep03vvm-401,sep03vvm-402"  -
    Cause:  A conflicting local user account as indicated was found on the identified nodes.  - Action:  Ensure that the Windows user account used for Oracle installation and configuration is defined as a domain user on all nodes or as a local user on all nodes, but not a mixture of the two.
    Check Failed on Nodes: [sep03vvm-402,  sep03vvm-401]
    c:\Oracle12c_software\Oracle12c_grid\grid>runcluvfy.bat stage -pre crsinst -verbose -n SEP03VVM-401,SEP03VVM-402
    Performing pre-checks for cluster services setup
    Checking node reachability...
    Check: Node reachability from node "sep03vvm-401"
      Destination Node                      Reachable?
      sep03vvm-401                          yes
      sep03vvm-402                          yes
    Result: Node reachability check passed from node "sep03vvm-401"
    Checking user equivalence...
    Check: User equivalence for user "Administrator"
      Node Name                             Status
      sep03vvm-402                          passed
      sep03vvm-401                          passed
    Result: User equivalence check passed for user "Administrator"
    Checking node connectivity...
    Interface information for node "sep03vvm-402"
    Name   IP Address      Subnet          Gateway         Def. Gateway    HW Addre
    ss        MTU
    PublicLAN 153.71.45.202   153.71.45.0     On-link         153.71.45.254   00:50
    :56:91:05:30 1500
    PrivateLAN 10.10.10.15     10.10.10.0      On-link         153.71.45.254   00:5
    0:56:91:75:1B 1500
    6TO4 Adapter 2002:9947:2dca::9947:2dca 2002::
            00:00:00:00:00:00 1280
    Interface information for node "sep03vvm-401"
    Name   IP Address      Subnet          Gateway         Def. Gateway    HW Addre
    ss        MTU
    PublicLAN 153.71.45.201   153.71.45.0     On-link         153.71.45.254   00:50
    :56:91:56:B6 1500
    PrivateLAN 10.10.10.14     10.10.10.0      On-link         153.71.45.254   00:5
    0:56:91:60:99 1500
    6TO4 Adapter 2002:9947:2dc9::9947:2dc9 2002::
            00:00:00:00:00:00 1280
    Check: Node connectivity of subnet "153.71.45.0"
      Source                          Destination                     Connected?
      sep03vvm-402[153.71.45.202]     sep03vvm-401[153.71.45.201]     yes
    Result: Node connectivity passed for subnet "153.71.45.0" with node(s) sep03vvm-
    402,sep03vvm-401
    Check: TCP connectivity of subnet "153.71.45.0"
      Source                          Destination                     Connected?
      sep03vvm-402 : 153.71.45.202    sep03vvm-402 : 153.71.45.202    passed
      sep03vvm-401 : 153.71.45.201    sep03vvm-402 : 153.71.45.202    passed
      sep03vvm-402 : 153.71.45.202    sep03vvm-401 : 153.71.45.201    passed
      sep03vvm-401 : 153.71.45.201    sep03vvm-401 : 153.71.45.201    passed
    Result: TCP connectivity check passed for subnet "153.71.45.0"
    Check: Node connectivity of subnet "10.10.10.0"
      Source                          Destination                     Connected?
      sep03vvm-402[10.10.10.15]       sep03vvm-401[10.10.10.14]       yes
    Result: Node connectivity passed for subnet "10.10.10.0" with node(s) sep03vvm-4
    02,sep03vvm-401
    Check: TCP connectivity of subnet "10.10.10.0"
      Source                          Destination                     Connected?
      sep03vvm-402 : 10.10.10.15      sep03vvm-402 : 10.10.10.15      passed
      sep03vvm-401 : 10.10.10.14      sep03vvm-402 : 10.10.10.15      passed
      sep03vvm-402 : 10.10.10.15      sep03vvm-401 : 10.10.10.14      passed
      sep03vvm-401 : 10.10.10.14      sep03vvm-401 : 10.10.10.14      passed
    Result: TCP connectivity check passed for subnet "10.10.10.0"
    Check: Node connectivity of subnet "2002::"
      Source                          Destination                     Connected?
      sep03vvm-402[2002:9947:2dca::9947:2dca]  sep03vvm-401[2002:9947:2dc9::9947:2dc
    9]  yes
    Result: Node connectivity passed for subnet "2002::" with node(s) sep03vvm-402,s
    ep03vvm-401
    Check: TCP connectivity of subnet "2002::"
      Source                          Destination                     Connected?
      sep03vvm-402 : 2002:9947:2dca::9947:2dca  sep03vvm-402 : 2002:9947:2dca::9947:
    2dca  passed
      sep03vvm-401 : 2002:9947:2dc9::9947:2dc9  sep03vvm-402 : 2002:9947:2dca::9947:
    2dca  passed
      sep03vvm-402 : 2002:9947:2dca::9947:2dca  sep03vvm-401 : 2002:9947:2dc9::9947:
    2dc9  passed
      sep03vvm-401 : 2002:9947:2dc9::9947:2dc9  sep03vvm-401 : 2002:9947:2dc9::9947:
    2dc9  passed
    Result: TCP connectivity check passed for subnet "2002::"
    Interfaces found on subnet "153.71.45.0" that are likely candidates for VIP are:
    sep03vvm-402 PublicLAN:153.71.45.202
    sep03vvm-401 PublicLAN:153.71.45.201
    Interfaces found on subnet "2002::" that are likely candidates for VIP are:
    sep03vvm-402 6TO4 Adapter:2002:9947:2dca::9947:2dca
    sep03vvm-401 6TO4 Adapter:2002:9947:2dc9::9947:2dc9
    Interfaces found on subnet "10.10.10.0" that are likely candidates for a private
    interconnect are:
    sep03vvm-402 PrivateLAN:10.10.10.15
    sep03vvm-401 PrivateLAN:10.10.10.14
    Checking subnet mask consistency...
    Subnet mask consistency check passed for subnet "153.71.45.0".
    Subnet mask consistency check passed for subnet "10.10.10.0".
    Subnet mask consistency check passed for subnet "2002::".
    Subnet mask consistency check passed.
    Result: Node connectivity check passed
    Checking multicast communication...
    Checking subnet "153.71.45.0" for multicast communication with multicast group "
    224.0.0.251"...
    Check of subnet "153.71.45.0" for multicast communication with multicast group "
    224.0.0.251" passed.
    Check of multicast communication passed.
    Checking the status of Windows firewall
      Node Name     Enabled?                  Comment
      sep03vvm-402  no                        passed
      sep03vvm-401  no                        passed
    Result: Windows firewall verification check passed
    Check: Total memory
      Node Name     Available                 Required                  Status
      sep03vvm-402  4.9996GB (5242420.0KB)    4GB (4194304.0KB)         passed
      sep03vvm-401  4.9996GB (5242420.0KB)    4GB (4194304.0KB)         passed
    Result: Total memory check passed
    Check: Available memory
      Node Name     Available                 Required                  Status
      sep03vvm-402  3.6612GB (3839028.0KB)    50MB (51200.0KB)          passed
      sep03vvm-401  3.3152GB (3476244.0KB)    50MB (51200.0KB)          passed
    Result: Available memory check passed
    Check: Swap space
      Node Name     Available                 Required                  Status
      sep03vvm-402  5.8121GB (6094388.0KB)    4.9996GB (5242420.0KB)    passed
      sep03vvm-401  5.8121GB (6094388.0KB)    4.9996GB (5242420.0KB)    passed
    Result: Swap space check passed
    Check: Free disk space for "sep03vvm-402:C:\Windows\temp"
      Path              Node Name     Mount point   Available     Required      Stat
    us
      C:\Windows\temp   sep03vvm-402  C             82.6484GB     1GB           pass
    ed
    Result: Free disk space check passed for "sep03vvm-402:C:\Windows\temp"
    Check: Free disk space for "sep03vvm-401:C:\Windows\temp"
      Path              Node Name     Mount point   Available     Required      Stat
    us
      C:\Windows\temp   sep03vvm-401  C             82.6112GB     1GB           pass
    ed
    Result: Free disk space check passed for "sep03vvm-401:C:\Windows\temp"
    Check: System architecture
      Node Name     Available                 Required                  Status
      sep03vvm-402  64-bit                    64-bit                    passed
      sep03vvm-401  64-bit                    64-bit                    passed
    Result: System architecture check passed
    Checking length of value of environment variable "PATH"
    Check: Length of value of environment variable "PATH"
      Node Name         Set?          Maximum Length  Actual Length  Comment
      sep03vvm-402      yes           5119          100           passed
      sep03vvm-401      yes           5119          129           passed
    Result: Check for length of value of environment variable "PATH" passed.
    Checking availability of ports "6200,6100" required for component "Oracle Notifi
    cation Service (ONS)"
      Node Name         Port Number   Protocol      Available     Status
      sep03vvm-402      6200          TCP           yes           successful
      sep03vvm-401      6200          TCP           yes           successful
      sep03vvm-402      6100          TCP           yes           successful
      sep03vvm-401      6100          TCP           yes           successful
    Result: Port availability check passed for ports "6200,6100"
    Starting Clock synchronization checks using Network Time Protocol(NTP)...
    Checking daemon liveness...
    Check: Liveness for "W32Time"
      Node Name                             Running?
      sep03vvm-402                          yes
      sep03vvm-401                          yes
    Result: Liveness check passed for "W32Time"
    Check for NTP daemon or service alive passed on all nodes
    Result: Clock synchronization check using Network Time Protocol(NTP) passed
    Checking if current user is a domain user...
    Check: If user "Administrator" is a domain user
    Result: User "MDCCOMMONLDAP\Administrator" is a part of the domain "MDCCOMMONLDA
    P"
    Check: Time zone consistency
    Result: Time zone consistency check passed
    Checking for status of Automount feature
      Node Name     Enabled?                  Comment
      sep03vvm-402  yes                       passed
      sep03vvm-401  yes                       passed
    Result: Check for status of Automount feature passed
    Checking consistency of current Windows user account across all nodes
    PRVG-11818 : Windows user "MDCCOMMONLDAP\Administrator" is a domain user but a c
    conflicting local user account was found on nodes "sep03vvm-402"
    Result: Check for Windows user account "MDCCOMMONLDAP\Administrator" consistency
    failed
    Pre-check for cluster services setup was unsuccessful.
    Checks did not pass for the following node(s):
            sep03vvm-402

    SEVERE: [FATAL] [INS-30131] Initial setup required for the execution of installer validations failed.
       CAUSE: Failed to access the temporary location.
       ACTION: Ensure that the current user has required permissions to access the temporary location.
    Are you using a supported OS version (listed in the Install Doc) and following all of the steps in the Install Doc ?
    HTH
    Srini

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
    We do utilize the same structure for user ID's.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straight forward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:
    Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!

  • Local user account not working after trying to connect to windows domain

    Newb Question
    I was trying to log into a domain with my macbook today at work without success. I think I selected something that is telling my mac to search the domain for the user account, and NOT the local computer. So now when I boot it up the local user account isn't displayed, only 'other...'. When I click that it takes me to a log in text box that doesn't accept either my long or short user names. I booted up from the Snow Leopard disk and tried to change my password there, and that can see the local account there (and lets me change the password). However, when I boot back up from the HDD I get the same problem.
    Is there a way of telling it to look locally rather than on the domain when logging in?

    You could reset the password on the root account from the boot disk. Also, while booted to the system disk, open Startup Disk and make sure your computer is set to boot from the built-in hard drive.
    This will enable root, and hopefully you can log into the computer. Try logging in with the user name 'root' and whatever password you set. If you do get in, you can go to Apple menu, System Preferences, Accounts, Login Options.
    Make sure to set "Display login window as" to list.
    Also make sure that when you click on the Join button under Login Options, there is nothing there, as in blank.

  • Lion server : local user account disappear after power outage

    On the server computer. After a power outage I restarted the server and the machine starts up OK. At the login screen the local user name has disappeared, but there are other accounts, the same as on a client computer. I can log in to a network account but can't log in as local.
    In system preference the local user account is still there.
    I don't want to reinstall Lion Server.
    What can I do now?
    Thank you for your assistance.

    It sounds like the user directory is damaged. You might try booting into the recovery partition, running Disk Utility, and doing a Repair Volume (and maybe a repair permissions) on the server volume.

  • Migrate a Local User Account to a Network Account Shell Script

    http://support.apple.com/kb/HT5338?viewlocale=en_US&locale=en_US
    If you are looking for an easy way to migrate local users to network users without losing data, then try this script.
    Follow steps 1-10 in the support link above before running this script.
    1) Open /Applications/Utilities/Terminal.App
    2) Type vi myscriptname.sh
    3) type "i" to edit the document
    4) Copy and paste the following text in the terminal window
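    #!/bin/bash
    # Copy a local home folder to the server, then set the local copy aside.
    echo "Go to http://support.apple.com/kb/HT5338?viewlocale=en_US&locale=en_US"
    echo "Complete steps 1-10 before continuing"
    echo -n "Enter 'USER' and press enter:"
    read -r USER
    echo -n "Enter 'SERVER' and press enter:"
    read -r SERVER
    # Stop if the copy fails, so the local folder is renamed only after a good copy.
    sudo scp -Epr "/Users/$USER" "root@$SERVER:/Users/" || exit 1
    sudo mv -f "/Users/$USER" "/Users/$USER.old"
    # Quote the values so each reaches the server's shell as a single word.
    ssh "root@$SERVER" "sudo chown -R '$USER:staff' '/Users/$USER'"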
    5) hit (ESC) then colon : and type wq! and hit return to save the document
    6) In Terminal type: chmod +x myscriptname.sh
    7) in Finder, Right Click or Control+Click myscriptname.sh and select open with
    8) Select "Show All Applications" and Navigate to /Applications/Utilities/terminal.App
    9) in Finder, Right Click or Control+Click myscriptname.sh and select get info / Open with and click "Change All" to open all .sh files in Terminal
    10) Double Click myscriptname.sh
    11) For USER enter the name of the network account
    12) For SERVER enter your server name (server.example.com)
    13) Enter the Admin Pass for the Local Machine, Then the Server, Then the server again
    14) The user folder will be renamed to user.old (bob.old)
    15) When you login as the network user account OS X Server Will copy your data to the local machine with Portable home directories
    16) Once you verify all the info is there you can delete the user.old folder from the /Users/ folder (bob.old)

    replace sudo scp -epr with sudo rsync -auvth if you do not want to waste space copying hardlinks
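
A stricter form of the migration script's three commands, as an added example that is not part of the original post: it checks the two typed values before they reach sudo, scp and the server's shell, and renames the local folder only after the copy succeeds. The function names and the 32 and 253 character limits are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make A-Z, a-z and 0-9 mean ASCII ranges only

# Account short name: starts with a letter or underscore, then letters,
# digits, dot, underscore or hyphen; 32 characters at most (assumed limit).
valid_short_name() {
  case $1 in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Server name: letters, digits, dots and hyphens only, no empty labels, and
# no leading hyphen, so ssh and scp cannot read the value as an option.
valid_server() {
  case $1 in
    ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Command line for the server's shell; built only from a validated name.
remote_chown_cmd() {
  valid_short_name "$1" || return 1
  printf "sudo chown -R '%s:staff' '/Users/%s'" "$1" "$1"
}

# $1 = account short name, $2 = server. Returns non-zero at the first failure.
migrate_home() {
  valid_short_name "$1" || { echo "rejected account name" >&2; return 2; }
  valid_server "$2"     || { echo "rejected server name" >&2; return 2; }
  [ -d "/Users/$1" ]    || { echo "no local home folder for $1" >&2; return 3; }
  # Rename the local folder only after the copy has succeeded.
  sudo scp -Epr "/Users/$1" "root@$2:/Users/" || return 4
  sudo mv -f "/Users/$1" "/Users/$1.old"      || return 5
  ssh "root@$2" "$(remote_chown_cmd "$1")"
}
```

Call it as `migrate_home bob server.example.com` in place of the scp, mv and ssh lines of the script.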

  • How to disable a local user account ?

    Does someone know that ?
    Thanks in advance,
    p.a

    Hey p.a., thanks for the info. I did a little research myself and found two documents by Apple which deal, besides others, with this. Just want to share these info for future reference: 1) [Mac OS X Server User Management|http://images.apple.com/euro/server/macosx/docs/UserManagementv10.5.mnl.pdf] and 2) [Mac OS X Server Command-Line Administration|http://images.apple.com/server/macosx/docs/CommandLine_Adminv10.5.pdf].
    I quote from the first (p.60).
    *Disabling a User Account*
    To disable a user account, you can:
    --> Deselect the “User can access account” option in the Basic pane in Workgroup Manager.
    --> Delete the account.
    --> Change the user’s password to an unknown value.
    --> Set password options to disable login. This applies to user accounts with the password type Open Directory or Shadow Password.
    From the Command Line
    You can also disable a user account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command-Line Administration.
    I prefer the method via Workgroup Manager as part of the [Server Admin Tools|http://www.apple.com/support/downloads/serveradmintools1053.html]. There was some disagreement on whether the Workgroup Manager works on a client version machine some time ago, but I can confirm that it works really well on clients, too. (Hint: To start the Workgroup Manager for a local computer, type "localhost" as address - without the quotation marks.)
    And again, the guide for Command-Line Administration states (p.106):
    *Preventing a User from Logging In*
    Sometimes it is necessary to revoke a user’s ability to access the computer. This involves preventing the user from logging in and then terminating the user’s processes. The latter can be done by forcing the user to log out and then killing remaining processes, or by just killing the user’s processes.
    To prevent a user from logging in:
    Disable the user account by entering the following command:
    $ pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"
    Replace ajohnson with the short name of the user account and replace diradmin with the short name of your domain administrator account.
    Note: The pwpolicy command only works for LDAP/Password server users. For a local user, use Workgroup Manager or the Accounts pane of System Preferences.
    Regards,
    floba

  • Adding New User Account

    My parents use an iMac w/Intel Core 2 Duo running Leopard (10.5.4). When they set up the machine initially they set up a single account (we'll call it UserA) - which is the administrator account and the account that both of them use. I know this is a bad practice but this is where I am working from. It had not been a problem for them up until now as my mother's primary use for the computer had been Safari and using RDC to connect to her Windows box at work.
    However, my mother is looking to have her own account set up so that she can have her documents, mail, etc. set up separately. The problem comes in with the apps that they share (i.e. iPhoto, iTunes). I would like both user accounts to see iTunes and iPhoto the same way. They have built up their music and photo collection collectively and would both like to be able to access the same libraries. I have gone as far as creating a new user (UserB) for my mother (as a standard account). I copied her documents from the administrator account (UserA) into her documents folder. What is the best approach to sharing iTunes and iPhoto libraries across the two user accounts? Thank you.

    There are several ways to do that.
    1. The easiest is to enable sharing in both iTunes and iPhoto. This will allow user A to see libraries of user B and vice versa. However, they won't be able to add stuff to each other's libraries. Also, this will only work when both of them are logged in at the same time, so you'll have to enable fast user switching in Accounts preferences and keep both users logged in.
    2. Second easiest. If you have an external drive (or a partition of an internal drive) you can move the iTunes and iPhoto libraries there and turn off ownership on that partition. Select the partition, enter command+i and in the info popup check the box "ignore ownership on this drive" at the bottom.
    After you've moved the iTunes and iPhoto libraries you need to point the apps to the new locations. Hold option and start iPhoto. You'll get a dialog asking you to choose the library. Do the same for iTunes.
    3. you can use the method from [ Király 's post in this thread|http://discussions.apple.com/thread.jspa?messageID=2719139&#2719139].
    Skip step 3) that he describes - it's not needed in Leopard.

  • Adding a User Account

    Simple question but going nuts trying to find simple answer - once I have created a second account user on my Mac where do I find the instructions that allow me to share photos and itunes etc ??? The situation is that for the first time I am sharing my Mac with my wife and therefore we will share music and photos etc. Big thanks PW

    Also:
    *iPhoto: Sharing libraries among multiple users*
    http://support.apple.com/kb/HT1198
    If practical for your family, you might instead consider having three user accounts - His, Hers, and Ours! The "Ours" account would carry all the family music, photos, movies, etc. Each of you could rapidly go in and out of the Ours account via [Fast User Switching|http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1787.html] while remaining logged into your individual accounts. That would be very easy to set up, and would avoid any permissions issues - whoever is logged in as "Ours" could add to and edit all the family photos and music, as well as just look and listen.

  • Pwpolicy won't disable a local user account login!

    Hello everyone. I have two macs. One mac is running OS 10.4, the other is 10.5. Neither of these computers are remotely managed nor are they bound to an open directory server. I have one local administrative account on each computer I want to leave on the computer but disable login access. I'm trying to use the command:
    pwpolicy -a shortNameOfAdministratorAccount -u shortNameOfAccountToChange -setpolicy "isDisabled=1"
    When I enter this in the terminal it asks for my administrative password for the account specified in shortNameOfAdministratorAccount. Once I enter it and press return the command returns no errors, just returns to the prompt. However, I can go back to the login window, click on the account I'm trying to disable, type in the password, and I can log in. I've tried running this command under different accounts, a root shell, etc.... Nothing seems to work. Any suggestions? Thanks.

    xnav wrote:
    I get this:
    Path:~$pwpolicy -n /Local/Default -getglobalpolicy
    usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0
    Re. Tiger working without server, see [this|http://lists.apple.com/archives/fed-talk/2007/Dec/msg00035.html]. You may want to try the global query using 'sudo'.
    You get that without sudo, though?
    Interesting link. However,
    sudo pwpolicy -n /NetInfo/DefaultLocalNode -getglobalpolicy
    Password:
    *Error: eDSInvalidRecordName : (-14133) for dsDoDirNodeAuth
    Method = dsAuthMethodStandard:dsAuthGetGlobalPolicy
    /NetInfo/DefaultLocalNode
    - cfr
