Mobile account disabled unable to re-enable

First some background. We have an Open Directory Master set up on Snow Leopard Server 10.6.2. I have a default password policy of 5 attempts and the user account is locked out. I am in the process of binding Snow Leopard clients to Open Directory. All of my users are on laptops so I was setting them up with mobile accounts. First I would bind the machine to Open Directory, then I would have the user log in with their network user account. Next, using System Preferences, I would convert the currently logged-in network user account to a mobile account. I assumed I needed to do this so the user would be able to log in to their machine while the server was unavailable.
My issue is that, using a second machine, the user locked out their account. I re-enabled the account in WGM, but the user cannot get into their laptop. I use WGM to view the local directory and it shows the local cached account as disabled. Unfortunately there is no way using the GUI to re-enable the cached local account. Also, using dscl I see that AuthenticationAuthority has ;DisabledUser; as the first value before LocalCachedUser.
It seems I don't fully understand how mobile accounts work. I assumed that a cached version of the account would be created on the client machine for use when the Directory Server was unavailable. I thought that when the Directory Server was available that it would take precedence over the cached copy. Is this not how it works?
Also, my attempts to edit the user account using dscl to remove the ;DisabledUser; value were not successful. Is there an easy way to re-enable this account?

Mr Beardsley wrote:
I think what happens, at least in our office is that after the 24 hour period for Kerberos people will have to enter their password again for things like iCal, iChat, etc. If they mistype their password, and save it in keychain, I think it can rapid fire try to authenticate many times without any visual feedback and lock out the account. Reactivating in workgroup manager handles the account in OD, but unfortunately the local copy of mobile user account doesn't see or honor that the account has been reactivated on the server.
I was doing the same thing as you deleting the mobile user account on the system, but that was getting to be a pain as I would have to remake the mobile user account and the user would lose their picture every time. After I discovered the pwpolicy command I have tested it several times and deleting the user account is no longer necessary. Just re-enable the account in OD, then run the command I put above to re-enable on the client.
What I would love to see happen is that the client machine check with OD to see if the account is enabled/disabled then update itself to be in the same condition. Until then it's running a command on the client to get the account working again.

Mr. B,
I think you're right about all of this. I'm experiencing this too with only one mobile user. This user is in a different office all week. Then on Fridays he's here at our HQ. His laptop is set to sync every 3 hours. For some reason it is at this syncing stage that his account becomes disabled. I think the HomeSync function may be requesting a password that the user is entering incorrectly because they get confused as to what password to enter. I'm not sure if they are entering incorrectly once, 3 times, 10 times or what. They are frustrated and so am I.
However, the pwpolicy command you provided DOES re-enable their local mobile account and it is available after restarting. So thanks for that!
We have several different passwords for any given user (SLS network account, file-server, email, plus their keychain password).
Anyone have a tried & tested "user-friendly solution" to keeping these all in sync after our 2-month password expiration?
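
The check described in the first post (a ;DisabledUser; value ahead of LocalCachedUser in AuthenticationAuthority), as an added example that is not part of the original thread: a shell function that classifies a record from dscl output, so stale lockouts on cached mobile accounts can be found after the user has been re-enabled in Open Directory. The sample records, the host od.example.private, the user jdoe and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a local account record from
# the text printed by `dscl . -read /Users/<name> AuthenticationAuthority`.

# Constructed sample records; host, user and GUID are placeholders.
sample_disabled() {
    printf '%s\n' 'AuthenticationAuthority: ;DisabledUser;;LocalCachedUser;/LDAPv3/od.example.private:jdoe:00000000-0000-0000-0000-000000000000'
}
sample_enabled() {
    printf '%s\n' 'AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/od.example.private:jdoe:00000000-0000-0000-0000-000000000000'
}
# Same disabled record, with the value wrapped onto a continuation line.
sample_wrapped() {
    printf '%s\n' 'AuthenticationAuthority:' \
        ' ;DisabledUser;;LocalCachedUser;/LDAPv3/od.example.private:jdoe:00000000-0000-0000-0000-000000000000'
}

# classify_authority: reads dscl output on stdin and prints one word:
#   disabled-cached  ;DisabledUser; set on a LocalCachedUser (mobile) record
#   cached           mobile account cache that is not disabled
#   disabled-local   ;DisabledUser; set on a record that is not a mobile cache
#   local            anything else
classify_authority() {
    # Join continuation lines so a wrapped value is matched as one string.
    auth=$(tr '\n' ' ')
    disabled=no
    cached=no
    case "$auth" in *";DisabledUser;"*) disabled=yes ;; esac
    case "$auth" in *";LocalCachedUser;"*) cached=yes ;; esac
    case "$disabled/$cached" in
        yes/yes) echo disabled-cached ;;
        no/yes)  echo cached ;;
        yes/no)  echo disabled-local ;;
        *)       echo local ;;
    esac
}

# audit_local_users: on a Mac client, list every local record that still
# carries ;DisabledUser;. Read-only; it changes nothing in the directory.
audit_local_users() {
    command -v dscl >/dev/null 2>&1 || {
        echo "dscl not found; run this on the client Mac" >&2
        return 2
    }
    dscl . -list /Users | while read -r user; do
        state=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null |
            classify_authority)
        case "$state" in
            disabled-*) echo "$user: $state" ;;
        esac
    done
}

# Demonstration on the constructed samples (runs anywhere, no dscl needed).
echo "disabled sample: $(sample_disabled | classify_authority)"
echo "enabled sample:  $(sample_enabled | classify_authority)"
echo "wrapped sample:  $(sample_wrapped | classify_authority)"
```

On a bound client, calling audit_local_users as an administrator lists the cached accounts that still need to be re-enabled locally after the Open Directory record has been fixed.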

Similar Messages

  • Message I get says account disabled. How do I enable it?

    Trying to log onto a website that I need, and I get a message that says the account name is disabled. How do I enable this account?

    Clear the cache and cookies only from websites that cause problems.
    "Clear the Cache":
    *Firefox/Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
    "Remove Cookies" from sites causing problems:
    *Firefox/Tools > Options > Privacy > Cookies: "Show Cookies"
    If that doesn't help then you need to contact the website via email.

  • HT4539 I had my account disabled how do I enable it again

    How do I enable my account after I have asked for it to be disabled?

    Welcome to the Apple Community.
    When your account becomes disabled, Apple provides the following recommendation:
    "This message means that someone tried and failed to sign in to your account multiple times. The Apple ID system disables the account to prevent unauthorized people from gaining access to your information. You need to reset your password, following the instructions at the Apple ID website".
    Visit iForgot.com and follow the instructions there.
    In order to change your Apple ID or password for your iCloud account on your iOS device, you need to delete the account from your iOS device first, then add it back using your updated details. (Settings > iCloud, scroll down and hit "Delete Account")
    Providing you are simply updating your existing details and not changing to another account, when you delete your account, all the data that is synced with iCloud will also be deleted from the device (but not from iCloud), but will be synced back to your device when you login again.
    In order to change your Apple ID or password for your iCloud account on your computer, you need to sign out of the account from your computer first, then sign back in using your updated details. (System Preferences > iCloud, click the sign out button)
    In order to change your Apple ID or password for your iTunes account on your iOS device, you need to sign out from your iOS device first, then sign back in using your updated details. (Settings > store, scroll down and tap your ID)
    If that doesn't help you might try contacting Apple through iTunes Store Support

  • AD mobile account stores Mac user profile in Windows home directory

    My Windows Server 2003 AD accounts have roaming profiles and user home directories stored in different locations on Windows Server 2003 servers. How do I prevent my MacOS tiger clients from copying the local user profiles for AD mobile accounts to the respective remote home directories?
    This unwanted behavior is quite similar to using Windows 9x clients in similar AD environment.

    I do need to automount the network home directory but do not desire to have it sync with the local home directory. I disabled the "create mobile account at login" option and enabled "force local home directory on startup disk" and "use unc path from active directory ..." and these appear to have resolved the problem. Unfortunately the network home directory no longer automounts, nor do network accounts show up at the logon prompt (strangely enough, they can be configured to autologin.)

  • How do you disable mobile account settings/parental controls

    My school had a one-to-one MacBook program, but I switched schools. Now I have a heavily restricted computer. They had my account set to mobile and had parental controls enabled, so I used single user mode to create a new admin (remove /var/db/.applesetupdone and reboot) and remove them. However, even though no account has parental controls turned on, they are still enabled somewhere for all accounts, even admins. I have two questions: how do I disable mobile account settings, and where are the parental controls files located? I found some in /library/managed preferences/<account name here> , but editing these gives only temporary relief from parental controls, and they are reset when I restart. There has to be somewhere else that parental controls are flagged as on/set to sync on login. I removed the actual parental controls executables and stuff somewhere in /system but after that I couldn't open Activity Monitor and I didn't want to risk a reboot. Please help me as this is very annoying. BTW I'm on OS X 10.6.7

    Hi,
    Try this..
    Open System Preferences/MobileMe and select the Sync tab.
    Deselect the box where you see: Synchronize with MobileMe. The last sync will be noted at the bottom left side of the window.
    Carolyn

  • HT204053 my account has been disabled how do I enable it?

    My account was disabled, how can I enable it to make purchases again.

    http://support.apple.com/kb/TS2446
    Regards.

  • Unable to activate mobile account

    Hi, I am in a dead end.
    I am trying to set up mobile account on 10.8 Server, with 10.8 clients.
    So far, I got my Open Directory set up server.name.private
    I created a new user in the Users tab, named test
    The Home Folder is set up for my Homes folder, which is on a secondary hard drive.
    This file is shared with File Sharing, and has read/write permission for the group of my user.
    If I check the folder permission in the Finder, it is strange, but I don't know how to clean them. Each group is there two times, and they have Custom privilege
    With Workgroup Manager, I selected my user, went to the Preferences tab, and set up the Mobility section.
    The options for Account Creation are Manage: Always, Account Expiry are Manage: Never and under Rules, Home Sync, I selected Once.
    On the client side, I activated the mobile account option, and entered the Open Directory address.
    And when I log in, I put my info test/password, and the message You are unable to log in to the user account "test" at this time. Logging in to the account failed because an error occured.
    And here is the log from the server
    CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile
    Does someone have a clue for me?
    Thanks!

    Can you wipe the systems and migrate the data? With my experience in Mobile Users this will probably be quicker than trying to troubleshoot Mobility problems.

  • Users unable to create Mobile Accounts

    Good afternoon.
    I have an interesting problem with the creation of Mobile Accounts.
    We have a Computer Group with its Preferences set to allow the creation of Mobile Accounts & Portable Home Directories; with due consideration given to what to synchronise and what not to. The iBooks & Mac Books in this group are all used by one staff member only. They are all running 10.4.7 and have 256 or 512 MB RAM.
    The first two laptops added to the list allowed their users to create Mobile Accounts & PHDs no problem, and they continue to work. But any other machines I add to the group refuse to allow the creation of a Mobile Account. It seems that Workgroup Manager does not pass on their changed Preferences during subsequent logons. I have tested this by renaming a laptop at its entry in the group and seeing if the name is changed on the machine at the next login. It is not, but stepping through the machine’s settings at the logon display does give me a green light for network availability.
    I can create a Mobile Account on a machine by logging on as a user and amending their account Preferences, but this does not provide the same degree of flexibility in configuring synchronisation settings.
    Has anyone else seen this problem please?
    Brian Bowell ICT Support
    Tel: 07 856 6537
    Fax: 07 856 6588

    The problem was an error in naming the computer group. Renaming it solved the problem.

  • Unable to create a specific Active Directory mobile Account

    Dear Community,
    I do have a problem with one workstation when I want to login with a specific Active Directory mobile user account. The login window will shake and refuse login due to invalid credentials... but this is not true, on other workstations the same account works without any problem. And also the Active Directory settings are verified and correct and other mobile account also work.
    So I tried to create the mobile account manually via Terminal :
    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
    sudo createhomedir -c -u username
    But this command results in an error that the account already exists, trying to delete, again an error null, etc... so no way.
    So I tried to start up in Single-User-Mode and get into dscl to finally delete this mysterious account daemon... but again I'm resulting in an error:
    dscl . -delete /Users/{username}
    <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
    Anyone any idea how to get this base cleaned so I can make this specific operator work on this specific Mac ? Help greatly appreciated. Thanks
    Cheers

    Could it be DNS cache?
    http://old.nabble.com/%3Cdscl_cmd%3E-DS-Error%3A--14009-%28eDSUnknownNodeName%29-td30706666.html
    The LSAP DB?
    http://old.nabble.com/Bad-Users!-td19172901.html
    Or even this?
    https://discussions.apple.com/thread/1448801?start=0&tstart=0

  • Having trouble disabling PHD (mobile accounts)

    Hi,
    I'm using SL server and clients, with a 'magic triangle' configuration. I created a group in Workgroup Manager with some mobility preferences assigned (create mobile account, sync home folder on login, log-off and background)
    I wanted to turn this off, so deleted the group in Workgroup manager. But the users that were in this group still behaving like mobile accounts.
    Is there a folder/file in their home directory I need to trash in order to refresh the workgroup settings?
    I'm a bit confused!
    Thanks
    Tom

    Hi,
    I'm having the same problem - same error at least. I haven't migrated any users, but this is a fresh 10.4.11 Server. All clients are 10.5.6. I'm not using mobile users. My users have home directories on the server. Every user receives the error you describe. I've scoured the web, found several suggestions, but no descriptive answers.
    There are many people with this issue, but it seems that once they get it resolved they're not posting solutions. Or, at least not clear ones.
    The steps I've followed in Work Group Manager (WGM) include:
    1) Ensuring that the Users folder can be mounted and can be shared.
    2) That for each user's home folder, the permissions are set using the access control list (ACL).
    3) That the WGM computer lists include your machines and that they are set to always manage.
    4) Unbind the clients from the Open Directory (OD) server, clear the Directory Utility (DU) preferences on each client. Reboot. Rebind to OD.
    5) The server is responding normally when checking DU. Users can authenticate when using client-based home directories.
    Have you reached a conclusion?
    Thank you.
    Scott
    Server Details
    OS X Server 10.4.11
    Client Details
    OS X 10.5.6
    Message was edited by: Encabler

  • Unable to create a mobile account on Macbook

    We have a Macbook where during the first login they chose not to create a mobile account with this particular login ID (active directory).
    Now we need to allow this user to have a mobile account on the Macbook but when we try it will not create a home folder etc.
    If we login with a different user it works just fine.
    I notice it does not show the user in the accounts-preferences only when logged in with that ID. It also comes up with network,managed vs. managed,mobile.
    Anybody have any ideas? Is there a way to remove the user ID so we can start over to create a mobile account.
    I did try to create a mobile account using the preferences but it did not work. It still fails and is coming up with the "The home folder is not located etc etc" message.
    Thanks

    Update:
    I finally found a work around in the forums. The command I used was this:
    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n userid -v
    The post was this:
    http://discussions.apple.com/thread.jspa?messageID=7515435&#7515435
    Hope this helps someone else.

  • How to disable mobile account functionality?

    For quite some time now I have had a mobile account because I used to use a home server in conjunction with my laptop.  Now, however, I no longer do but there seems to be no way to switch my user account back to a normal account.  Even when I try to edit the settings for the mobile account to try and just simply not sync anymore all the options are greyed out. 
    I'm tired of having to cancel the sync every time I log in and out of the machine.  Isn't there some way to turn this back into a normal account?
    Currently running os 10.8.3

    A friend sent me this. I'm trying it with limited success.
    http://discussions.apple.com/thread.jspa?threadID=1790881&tstart=-1

  • Screen sharing mobile account (open directory) not working

    Can anybody else verify that screen sharing, through Remote Management, does not work when trying to connect to mobile accounts on 10.7 Lion?
    Please note, when I say through Remote Management, I mean that under System Prefs->Sharing->Screen Sharing is disabled but Remote Management is enabled. (Remote Management being able to provide its own screen sharing)
    Also I don't mean VNC... please make sure the "VNC viewers may control my screen with password" option is turned off under System Prefs->Sharing->Remote Management->Computer Settings

    I can confirm this. Same experience here on a 10.7.2 Mac.
    I get a "Please verify you have entered the correct name and password".
    Does this work on 10.6? I'm unable to check at the moment.

  • Mobile account with FileVault

    We have a Leopard XServe 10.5.8 and a Client running Snow Leopard 10.6.2. I have just instituted via WGM the policy to create a mobile account on login and to protect the home folder with FileVault. The error I am getting is "Unable to Create mobile account" "Your FileVault home can't be created because a folder with the same name already exists" What am I doing wrong? Is this not possible? Do I need to do it in phases?

    Is the user name already in use locally? If so use a different user name on the server and then login and move documents from old local account to an external drive and then re-login to new account on server and copy documents over to new server account. You might have to run the chown command on the contents of the copied over documents: sudo chown -R user /networkuser/copiedfolder and then enter the local admin password. -R is for recursive so it will do it to all files within that folder.
    Now a situation that I just ran into was I already had the network account which was a mobile account, but I wanted to promote it to have the File Vault added to it. Well I enabled it within WGM, but it did not apply the settings on the computer that I was logging into. So I logged into the admin account on the computer and deleted the network user in the system preferences users pane. Then logged out and re-logged back in as the new OD File Vault encrypted account it asked me to create local account and I did and it resynced all my files from the server back to the local computer. I am running 10.6.3 OD Server and 10.5.8 clients. Hope this helps.

  • Mobile Account Error Setting Up Leopard Client, createmobileaccount error.

    Hi all. I posted this discussion under Portable Home Directories, but that is unfortunately a subcategory of Mac OS X Server v10.4 Tiger and this is strictly a Leopard issue, so I'm reposting here.
    Just following up on an earlier thread regarding mobile home accounts. Thought I'd post a new entry as the other one has been "answered".
    I've just recently upgraded a slew of clients and a server to Leopard and have been trying to enable mobile accounts on existing network home accounts. When I set this as a Preference using Workgroup Manager, nothing happens on the clients. When I try to create a mobile account directly on the client while logged in as the network user, I get a standard error (The mobile account could not be created.) every time after it asks to log out and enter the user password in order to create the mobile account.
    So, I followed the steps in this thread: http://discussions.apple.com/thread.jspa?threadID=1234051&tstart=0
    For the account "leedale" logged in using a network home directory, entered the Terminal command as follows:
    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vsn leedale -h /Users/leedale
    createmobileaccount built Oct 2 2007 22:44:49
    verbose output on.
    user name = "leedale"
    home path = "/Users/leedale"
    user password = "(null)"
    prompt for password = FALSE
    encrypt new home = FALSE
    create as external account = TRUE
    home sync new account = TRUE
    sync URL = "(null)"
    MCXCCacheMCXRecordAndGraph(): existingMCXRecord record setValues:forAttribute:dsAttrTypeNative:cachedauthpolicy == -14120 (Unable to set value(s) for dsAttrTypeNative:cachedauthpolicy in record leedale.)
    MCXCCreateMobileAccount failed to create account. Error = -14120 (MCXCCacheMCXRecordAndGraph failed). Cleaning up mobile account record.
    2007-11-18 17:15:19.831 createmobileaccount551:10b ### Error:-14120 File:/SourceCache/Admin/Admin-423/DSRecord.m Line:484
    mobile account could not be created: -14120 (Unable to set value(s) for dsAttrTypeNative:cachedauthpolicy in record leedale.)
    Any suggestions?

    Hi,
    The namespace you are using for creating client proxy might not be available for consumption(i.e. it might not be published) or there is no connectivity to the source system so namespace is not available.
    Try checking connection.
    Hoping it helps..
    Regards,
    Komal
    Edited by: Komal Lakhwani on Feb 8, 2010 4:31 PM
