MOBILE ACCOUNTS ARE BROKEN!!!  At least for Active directory.

Thanks ben6073 for posting your link to the solution. It worked for me as well.
I did a clean install of SL, joined the machine to the AD domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
Thanks ben6073 for the link to a fix. And thank you Rich for the post on google.
http://groups.google.com/group/macenterprise/browse_thread/thread/2c2502b08bb84c7a?pli=1
G

Greg Plassmeyer1 wrote:
Thanks ben6073 for posting your link to the solution. It worked for me as well.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
I had this problem this morning. It went away after I rebooted and ran applejack in "auto pilot" mode. The machine is a MacBook Pro running Snow Leopard. The account is a mobile account tied to a Windows Active Directory server. Applejack is available from http://applejack.sourceforge.net/. The auto pilot mode cleans out the system caches in /Library and /System/Library - perhaps this is what provides the fix? Just a guess.

Similar Messages

  • Mobile account login delay when offline from Active Directory

    We're getting a few MacBook Pros setup with our AD domain. All is well while on the network, but when traveling, it takes our users about 20-30 seconds to login, presumably because the client is trying to authenticate against a domain controller. Accounts are setup as mobile accounts so the credentials are cached locally.
    It's frustrating that a solution isn't more readily published by Apple given how common a use case this is. It shouldn't be buried somewhere in a forum.

    I figured it was because AD was somehow being looked up. I got it nailed down to the wireless connection. Turning off the AirPort connection is not a viable option as not all users are savvy enough, or remember to turn it off before taking their laptop home. One instructor was setup this way and she isn't happy with the "resolve".
    On further research, I have determined a plausible solution, at least with Mac OS 10.4.7. I haven't tested anything earlier. Open the System Preferences and then Network. Show the AirPort configuration, then click on the Option button located next to the checkbox to show the AirPort status in the menu bar. There's a checkbox in there to "Disconnect from wireless networks when I log out." By checking this, the wireless connection will be disconnected but the card will remain on. This will force the computer to use the cached credentials on log in. When the user logs in, the computer will attempt to reestablish a connection with the wireless network.
    I'll let you know if this works with other Macs as well.

  • Service principal names of user are not unique; check the active directory

    Hello Experts,
    My company had set up this service principal account to use with Kerberos and I am trying to configure the authentication template using the SPNEGO wizard. The format of the service account is not the same as SAP recommended (J2EE-SID-DOMAIN) but something like abc_de_portal. After trying to use that account with the wizard I am getting this error "Service principal names of user abc_de_portal are not unique; check the active directory configuration." I am not sure what else in the AD attributes is causing the problem. Please let me know if you have run into a similar issue and how you corrected it. Points will be rewarded of course.
    Thank you so much for any help that I can get.

    Hello Duy,
    The SPN of the service user for Kerberos has to be unique, as you would have made out from the message. There seems to be some other user having the same SPN as yours.
    You would have to find the other AD user with the same SPN as yours and then deregister that with
    setspn -d <SPN> Username
    Then this error should not come up after that.
    There was a tool called Ldifde which you can use for this. We have our AD team do this for us. It would be better if you ask them to carry this out.
    Rgds
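
Finding which accounts share an SPN, as the reply above describes, can be done offline against a directory export. The following is an added example, not part of the original thread: it assumes an LDIF export (the format Ldifde writes) that includes sAMAccountName and servicePrincipalName, and every name in the sample data other than abc_de_portal is constructed.

```python
import base64
from collections import defaultdict

# Constructed sample in LDIF layout. Every DN, account and host name is made up
# except abc_de_portal, the account named in the question above.
_B64_SPN = base64.b64encode(b"HTTP/intranet.example.com").decode()
SAMPLE_LDIF = f"""\
dn: CN=abc_de_portal,OU=Service,DC=example,DC=com
sAMAccountName: abc_de_portal
servicePrincipalName: HTTP/portal.example.com
servicePrincipalName: HTTP/portal

dn: CN=old_portal_svc,OU=Service,DC=example,DC=com
sAMAccountName: old_portal_svc
servicePrincipalName: http/PORTAL.example.com

dn: CN=sqlsvc,OU=Service,DC=example,DC=com
sAMAccountName: sqlsvc
servicePrincipalName: MSSQLSvc/db01.example.com:1433
servicePrincipalName:: {_B64_SPN}

dn: CN=WEB01,OU=Servers,DC=example,DC=com
sAMAccountName: WEB01$
servicePrincipalName: HTTP/intranet.exam
 ple.com
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Yield one dict per LDIF record: lower-cased attribute -> list of values."""
    record = defaultdict(list)
    for line in unfold(text) + [""]:        # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield dict(record)
                record = defaultdict(list)
            continue
        if line.startswith("#"):            # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        record[attr.strip().lower()].append(value.strip())


def duplicate_spns(text):
    """Return {spn: [accounts]} for every SPN registered on more than one
    account. SPNs are compared case-insensitively, as the directory does."""
    owners = defaultdict(set)
    for rec in parse_records(text):
        account = (rec.get("samaccountname") or rec.get("dn") or ["?"])[0]
        for spn in rec.get("serviceprincipalname", []):
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    for spn, accounts in sorted(duplicate_spns(SAMPLE_LDIF).items()):
        # Each line is a candidate for review before any SPN is deregistered.
        print(f"{spn}: registered on {', '.join(accounts)}")
```

Folded lines and base64-encoded values are handled because an export can contain both, and a plain text search over the file would miss those duplicates.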

  • Query on DNS setup for Active Directory for a new data center

    I have third party DNS appliances providing DNS Service for Active Directory (Windows 2008 R2) and there are also secondary DNS servers, which are MS DNS server with a secondary zone configured, for redundancy. I have to setup a new data center and move servers/services to this data center. In this scenario, can I install a new Microsoft DNS server with a secondary zone and use this as the primary DNS Server for all the member servers at this new location? I am aware that this new DNS server will not be able to make any updates to the secondary zone and for that purpose, is there any way to redirect such requests to the DNS appliances in my current data center across the WAN? I am trying to avoid purchasing a new DNS appliance for the new data center and want to know what are the alternatives I have.

    I'm not entirely sure about your setup, as normally you would use AD integrated zones for DNS in an AD environment - although there are other options as you have already setup.
    The fact the zone is a secondary zone in DNS server terms doesn't mean you can't point your clients to it as their primary DNS server. They will quite happily resolve names using a secondary server.
    So as long as your DNS devices are correctly setup to support the additional secondary zone I see no reason why you couldn't do this.
    Regards,
    Denis Cooper
    MCITP EA - MCT

  • Connector for Active Directory Password Sync

    Friends,
    We have some questions about the Connector for Active Directory Password Sync:
    1. There is a need to extend the AD schema when using this connector.
    2. If I have 10 domain controllers and are not synchronized, the documentation tells us to install the dll in each domain controller. Is there any way to do this if necessary, to install this dll in a single domain controller?
    Thanks for your help.
    regards

    Definitely:
    For your Point-1 Look for the Preinstallation section in the AD Password Sync Connector Guide which talks nothing about extending AD schema which supports the validity of the statement.
    For your Point-2 Look for Metalink Article-432727.1 which confirms that the connector has to be installed on all the DC's
    Thanks
    SRS

  • Setting disk quota on Mac server for Active Directory users

    I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
    I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
    I also understand there's a setquota command but there's no man page on how that works.
    Has anyone got disk quota for AD users working.
    Better still has someone got a shell or perl script for setting quotas they could post.
    Thanks
    - Cameron

    sorry.. I am soooooo stupid... I have to activate "File Sharing" as well.. for the user everything was already pre-activated, not for the AD users, I just saw the Time Machine checkbox grayed out ...

  • Verification of prerequisites for Active Directory preparation failed

    We currently have Windows Server 2003 SBS, SP2, Domain Controller. Would like to add Windows Server 2012, Standard, 64-bit as a backup domain controller.
    "Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain sxxxx.local.
    Exception: The RPC server is unavailable.
    Adprep could not retrieve data from the server name.xxxxx.local through Windows Managment Instrumentation (WMI).
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130417103902-test directory for possible cause of failure."
    What the log says is really:
    "Adprep encountered a Win32 error. Error code: 0x6ba Error messa The RPC server is unavailable."
    Can anyone who has had a similar experience shed some light on how to troubleshoot this? Have reviewed other links that have similar problems but that doesn't help.
    Many Thanks!

    Of course I CANNOT remove Symantec as Meinolf suggests. That would be out of my mind!! I tried to stop all their services though which doesn't help. I know this has nothing to do with Symantec. Here comes another test, the final one:
    Test 8
    This article is really good as it concludes very thoroughly about the problems about "800706BA - RPC Server Is Unavailable" and other WMI query issues:
    http://goo dot gl/l2iha
    I started looking at the ISA 2004 on our SBS 2003.
    Tried to disable the RPC Filter:
    a. Open Microsoft Internet Security and Acceleration Server 2004
    b. Go to Configuration > Add-in and locate RPC Filter on the right side, right-click on it and select Properties, uncheck 'Enable this filter'
    c. Hit Apply....
    d. Now I go back to Windows 7 and test the WMI query.
    The result: it WORKS! 
    e. Next, I tried that on the Windows Server 2012 like so:
    c:>wmic /node:sbs2003servername computersystem list brief /format:list
    It also works!
    f. Next also on Windows Server 2012, I continued on what was left over.  I did the "Rerun prerequisites check " and no surprise - "All prerequisite checks passed successfully. Click 'Install' to begin installation"!
    Well that concludes the problem of installing Windows Server 2012 (standard) as a backup domain controller to a Windows SBS 2003 domain controller and the troubleshooting process that finally led to a solution that solves my problem. Thanks for all the discussions over the web. Every bit counts!
    Well if this helps you in some way, give me some points to buy beer! I am going to have a drink with Bill, Cheers! 

  • M-Audio Delta drivers are broken once again for 10.4.4

    We just got the Delta 2496 card working with Tiger 10.4.3 when M-Audio released their v2.0.5 pkg.
    Now their v2.0.5 is broken on 10.4.4, in precisely the same way pre-2.0.5 was broken on pre-10.4.4.
    We have a vastly upgraded Sawtooth/AGP system. Not going to be able to afford any kind of new machine or upgrades in the seeable future. We're stuck with what we got.
    Point the Sound Panel Prefs to the 2496 card, then make iTunes 6.0.2 or QuickTime 7.0.4 play something. Hear quickly repeating machine-gun sounds, then eventually SystemUIServer will crash, then crashreporterD(aemon) itself crashes! And anything else you try to start will crash, too! Try logging out and Finder will crash -- repeatedly! You then must restart your Mac with the Power Button. I sent Apple a ton of crash reports on this just a little while ago.
    I sent e-mail to [email protected] staff because their web-portal for technical issues is not sending me my temporary password for it there. I have a feeling they will not respond by our deadline of Friday January 13 2006. Had someone posted an official warning about the drivers not working, we would not be in this present predicament. We have a Panther/10.3.9 partition for backup purposes, and this same v2.0.5 driver pkg works fine on it, so will be our only choice to continue our audio projects until/if M-Audio/Apple can fix this 10.4.4 bug.
    (Before you say anything: YES I ran "diskutil repairPermissions /" in single-user mode no less, YES I re-installed the COMBO 10.4.4 update a second time in single-user mode, all this after "/bin/sh /etc/rc" came up, and re-ran repairPermissions YET AGAIN, did the "fsck -fy" thing a third time, result being nothing else is wrong with the updated 10.4.4 system as installed here. It is clearly only when pointing Sound Prefs to use the 2496 card. I don't know if back-level drivers mentioned here e.g. v2.0.3 or v2.0.1 will work with 10.4.4. What I am is STUPID for allowing myself to apparently be the first Guinea Pig for testing M-Audio with a "GM" system update release. I thought that's what Select and Premiere ADC members would be doing ON OUR BEHALF, we who cannot afford such memberships. Yes I am angry about this -- YET AGAIN we get bit like this. GRRRRR.)
    Sawtooth G4 1.5GHz 7450, AGP Radeon 32MB Mac Edition     2-GB RAM, M-Audio Delta Audiophile 2496, more
    [ Edited by Apple Discussions Moderator ]

    Hi and thank you both for taking time to reply.
    I've known how to fix OSX in single-user mode for quite a few years. Even with these kernel hiccups yesterday, the 10.4.x system needed only minor repairs there.
    The 10.3.9 system here is on another separate internal drive, not partitioned, so it should be unaffected (crossing fingers of course <g>). What's funny is that the latest M-Audio Delta v2.0.5 is working fine on 10.3.9. The reason v2.0.5 will be needed: its MIDI fixes -- previous versions never got it quite right.
    Yes I've learned that 10.3.9 has probably been the best way to fall-back ... Tiger has caused too many changes this past year. But I'm totally spoiled now with 10.4.x's speed and gcc-4.0.1 able to tweak most open-source projects to new heights ... it's tough going back to relatively slow 10.3.9.
    One thing that is not M-Audio's problem but Apple's: right now there is no 10.4.4 Kernel Debug Kit, nor any SDK updates in case headers/APIs/etc. have changed in 10.4.4 or QuickTime 7.0.4 CoreAudio etc. (I just checked). How is Apple supposed to help third parties troubleshoot and update their drivers etc. when these are not made available along with the "GM" stuff?
    I finally got registered at M-Audio's tech site, but no one has yet to reply to my problem record there or via e-mail. Figures. An "I saw it" would be nice, just to know...
    So I did some testing on my own:
    The Delta v2.0.4 pkg IIRC caused the same kernel-type problems on 10.4.3 as v2.0.5 is doing right now on 10.4.4. I already tried running the Delta Uninstaller and put v2.0.5 on on-top of 10.4.4 again, still crashing only when playing audio thru that card.
    I jumped back to Delta v2.0.3 on 10.4.4 just to see if the kernel bugs go away, and so far I haven't seen any oddness, but the audio quality is suffering somewhat (sort-of what some ppl were complaining about QT 7.0.2-.3 back then, so maybe that's what got re-introduced with QT 7.0.4, oy vey).
    But we don't get the MIDI fixes -- that's only in v2.0.5.
    I'm still miffed that someone who has a Select or Premiere membership should have been able to test these very popular cards before 10.4.4/etc. came out. I guess I'll go on record to say: If someone would donate such an account to "me", I would most certainly make sure that happens next time.
    Oh well ... I now need to find out if we can use Delta v2.0.3 & 10.4.4 with jackit+darkice now (if anyone is interested: search for the station call-letters 'KOKF' on the various shoutcast/icecast yellow pages during Friday and Saturday nights (only), that'll be us, yes that's the reason for the deadline). Otherwise we already have tested everything on 10.3.9 so that'll be our fallback, but I will be busy recompiling every project that's been updated while we were up using 10.4.3. Fun fun fun.
    p.s. The "single-user mode" is even safer than "safe mode" to do any repairs or installs. Still do the 'fsck -fy' thing before anything else. Then once the /etc/rc script is run, 10.4.x is still in single-user mode but it has enough of the Mac subsystem running (not just the BSD stuff) so that cmd-line apps such as 'diskutil repairPermissions /', 'hdiutil mount' (for the dmg holding the pkg updates), and 'installer' can do its usual stuff. Yes the network is up then, too. This is only for real *ix geeks that know what they're doing of course. But this mode is about as low-level as it can get to do these kinds of repairs, something Applejack/etc. has yet been designed to do (mount dmgs, do softwareupdate, run installer, etc.). I'm glad there is such a mode, tho, as it provides the least interference to do such repairs.
    Thank you again, at least for letting me belly-ache about these problems.

  • Mobile Account Preferences visible on Menubar for Network Accounts

    On Mobile Accounts (setup with Profile Manager), acting as network account (home folder in server), the mobile account preferences are shown on the menubar. In addition, it says "last home sync" incomplete. Both are wrong according to my understanding.
    However it makes sense - and it is the case - if the account is really working as mobile account with local home folder on e.g. a MacBook.
    Does anyone have the same issue?

    I have the same issue. No fix yet.
    One of my machines has joined the network and seems to be ok in almost every way...clearly with the exception of this way.
    I will post if / when I find a solution.
    W

  • Mobile accounts are not being issued kerberos tickets

    Hi
    If I set mobile accounts to expire as soon as they log out, as soon as the user logs back into the same mac with the same account, it does not get issued another kerberos ticket at login.
    If I turn mobile accounts off, it works every time.
    running 10.6, 10.6 open directory server and the user accounts are AD accounts server 2003.
    I am pulling my hair out here. Is this something that is intentional?

    Other observations:
    *1. from /Library/Logs/DirectoryService/DirectoryService.error.log*
    2010-06-18 14:04:11 CEST - T[0xB0185000] - Misconfiguration detected in hash 'Global UID':
    2010-06-18 14:04:11 CEST - T[0xB0185000] - User 'user1' (/LDAPv3/macsrv1.disney.ch) - ID 1035 - UUID 80699B6C-A90E-4D2F-9B07-FB78F72E9709 - SID S-1-5-21-4063190502-2217233148-2094676766-3070
    *2. user IS showing up in the login window.*
    If I configure the login window to show all users (including network users), then user1 does indeed show up.
    *3. Logging into user1 via ssh works.*
    *4. dscl on macsrv1*
    dscl /LDAPv3/127.0.0.1 -list /Users
    does indeed show user1 (and any other user I create)
    So why can't I login/create user1 on the client mac without toggling the FULL PATH to /Network/Servers/macsrv1.disney.ch/users/user1 first? arghh!

  • Turn "Delete Resource Account" for Active Directory into rename/move/unlink

    My Windows sysad would like me to stop deleting Active Directory users; he's tired of cleaning up from dangling SIDs, and I don't particularly blame him. Instead, he would like the process of "deleting" an AD account to be more like:
    1. disable
    2. rename from cn=user to cn=user_999, where 999 is replaced with an incrementing number (jsmith_001, jsmith_002, etc.). (Or maybe he'd be OK with jsmith_yyyymmddhhmmss...)
    3. move (probably in the same "rename" above) from ou=Employees to ou=4Delete.
    4. unlink account from user.
    We are assigning AD accounts through roles, and so the Delete Resource User (or Delete Resource Person?) task is invoked. Does anyone have a customized version of this task that differentiates between resource account types and handles the "disable/rename/move/unlink" AD account paradigm my sysad would like? -Les

    Hi,
    did you ever resolve this? If so, how did you work it out as we would like to do the same.
    Thanks.

  • Vodafone India customer....on my iPhone5, imessage and facetime are giving error "waiting for activation"

    Hi
    I have an iPhone 5 with a Vodafone India connection. The major challenge is FaceTime & iMessage giving the error "waiting for activation"
    I have tried all the available solutions in Google search but still no change.....
    Please help in getting this sorted out!!!
    Thanks
    Atin

    chakkochi 
    Re: My iMessage still says "Waiting for activation..." Jun 17, 2012 10:04 PM (in response to bradfromwinnipeg)
    Hi All,
    This problem is solved for me, with some help from the carriers. At last
    Let me describe my situation once again.
    I am from India, where the official iPhone carriers are Airtel and Aircel.
    I have two prepaid connections - One from Airtel and one from Reliance GSM
    Whenever I try to activate iMessage from my Reliance SIM, it shows activation unsuccessful, and the "receive at" shows my email ID only.
    But whenever I try activate it using Airtel SIM, it activates just fine. But since my primary connection is the Reliance one, I wanted it to get activated for Reliance.
    I have tried every tweaks/restore etc mentioned in this discussion, but nothing worked.
    The solution:
    This does not require any jailbreak/restore. Just a little help from the carrier.
    For all Reliance GSM customers in India, you can just try to activate it again. I think they have solved it for all customers.
    I had almost lost hope of activating iMessage on Reliance. But then one of my friends bought a new iPhone (4S). He had a docomo connection, and he also had this same issue. But using his contacts in docomo, he enabled some trace in his connection, and found out that the phone was trying to send SMS to a UK number (short code), which is blocked by their RA team.
    This is that magic number : 00445773142076
    So from him, I got the number. I raised a complaint with Reliance.
    The complaint had nothing about imessage, but it said: "I am unable to send international SMS to the number 00445773142076, even after having sufficient balance and an active SMS plan"
    So they have done some 'unblocking' and called me this morning and asked to try again 'sending sms to the same number'. I went to settings and activated iMessage and FaceTime. That's it !!!!
    A big thanks to Reliance GSM support for the quick solution.
    For anyone on Reliance GSM in India, just try activating it now.
    For others, log a complaint with the carrier that "you want to send SMS to the number 00445773142076".
    Thanks all

  • Date and Time Sync at boot for Active Directory/Open Directory Authenticati

    All the Macs in my school district are set to automatically sync their time with a network time server. They do not do this unless the system preference is opened. This poses a problem as all our users must authenticate against an Active Directory and an Open Directory server. If the time is out of sync they can not login, and therefore can not fix the time. I must then log in with a local admin account, set the time, and then the network account can login. I have tried using direct IP addresses for the NTP server. That doesn't work either. I have adjusted the tolerance of the AD server to accept a large discrepancy in time (did not work). Set the users to be mobile accounts (local home folders), did not work. The only fix will be to ensure that the time does sync at boot, before login. Is there a way to force the computer to sync at boot to a given NTP server, prior to the login window appearing?

    I have come up with my own solution for this issue. It is a two part solution. We found that the computers are experiencing time drift and that after they get out of sync by 5 minutes they can no longer login. One would think that the setting in the Date and Time system preference to automatically synchronize the time would take care of this. That, however, is not the case: that check mark does not affect the ntp service at all. It merely eliminates the need to click a button when entering the system preference. How did we discover this? Well, that is part of the solution. We used webmin (http://www.webmin.com) to look at the ntp configuration. No matter what changes we made with the Date & Time preferences, nothing changed in the system ntp settings. So on to the solution: Install webmin, and configure the ntp protocol manually to sync at your desired interval (I did hourly). This stops time drift. Next create a startup item and associated plist to force time sync at boot (be sure to loop it as different machines initialize their network cards slower). I have made ours available for download (http://www.manheimcentral.org/~getzt/netTime.zip). I hope this helps others. We have found that this works fairly well.

  • SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

    Hi
    I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
    The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have access to the library and list, except for a few additional folk who I have made individual members.
    My PROBLEM:
    I have created a SharePoint 2013 Workflow using SPD 2013 associated with the Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of the form and go to different Stages depending on that status.
    The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
    Here's a print of the info from the Workflow Status page (I don't have access to server logs):
    RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
    The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
    instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
    Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the user who started the workflow, unlike 2010 which used System Account).
    All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
    I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
    Does anyone have any ideas why this is happening and what I can try to fix it?
    Mark

    Hi Lars,
    I'm afraid not so far but we are trying a few things today so I will post back with results.
    First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD:
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
    This part of that thread looks interesting but we haven't checked it yet as we're trying the universal setting first:
    "If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
    You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
    I'll update when we try these ideas. If you have any luck please do the same.
    Mark
    (sorry about formatting - using my phone....)
    Mark

  • Best practice for Active Directory User Templates regarding Distribution Lists

    Hello All
    I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active Directory account is copied, but this has led to problems with new employees being added to groups which they should not be a part of.
    I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
    When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
    What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought of.
    Has anyone come up with a better method of doing this?
    Thank you

    You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
    If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm) and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
    Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on the factors you predefine for them.
