Mobile accounts not expiring

Hi everyone,
We have all of our Macs (running 10.7) bound to AD through the native plugin. We have the AD plugin set to create mobile accounts. We create three local groups on each machine and add the equivalent AD groups to the local groups. For instance, we have a local group called Students which has the member DOMAIN\AD Students. We then use local managed preferences to launch a login script to map drives for these accounts, which works correctly based on group membership.
We've now set these same three local groups to have mobile account expiration. On a test machine, we set it to 2 days. We then logged in with a test account and rebooted, logged in again, and rebooted. After waiting all week, the account is still there (along with all of the other mobile accounts, but we don't know exactly when those students had logged in).
Is there any place to check the last time a user logged in? Does our setup sound like it should even work?
Thanks!
-MRCUR

When logging in with an AD user, the "lastLoginTime" is not set on the mobile account. This seems to be the root cause of the accounts not expiring as expected, as the lastLoginTime is used to determine when the account should expire.
This unfortunately seems like expected behavior when using AD accounts as opposed to local or OD accounts.

Similar Messages

  • Mobile accounts not syncing at logout

    Hi guys,
    We are experiencing some synchronisation issues when attempting to use mobile accounts for the first time at our school.
    Synchronisation is only occurring at login and not at logout even though all options are selected under Rules>Home Sync in group preferences. Manual and scheduled syncing works ok.
    Points to note:
    User accounts are hosted in AD with OD supplying managed preferences.
    Home directories are stored on the mac server (Windows domain member) and shared/automounted via AFP.
    The mac clients and server are running 10.6 and are fully up-to-date.
    Has anyone experienced this issue before?

    Hi guys,
    We've managed to get sync at logout working. Here's how:
    -Add "/System/Library/CoreServices/ManagedClient.app" into the WGM Group Preferences Details tab.
    -This adds additional preference manifests, one of them being "Home Sync".
    -Modify the "Home Sync", "Always" settings by adding any item to the "Managed Preference Sync Items" array. We added the path to some necessary email config files stored in ~/Library.
    Doing these steps, for some reason, enabled syncing at logout. Hopefully it'll work for you too.

  • Mobile Accounts not copying home folders to local machine

    Having recently upgraded my MacBook to 10.5 (and having a 10.5 server) I have noticed an error with mobile accounts. My account has not synced for a couple of weeks and I have checked all the directory settings and cannot see any errors.
    I've removed all directory services and rebooted, put them back and it will create a mobile account but nothing is being copied to the local hdd. So basically it is functioning like a network account rather than a mobile one.
    This works fine on our 10.4 clients but having tried different users on my 10.5 system it does the same....creates the account, mounts the server but does nothing else.
    This means when you sync it says its complete but does nothing...its like its lost permissions to the folder on the server but that seems very odd.
    Anyone else had issues with 10.5? We have an AD server with our users and a 10.5 server with OD replicating AD and holding the home folders.

    Are you still having this issue?
    Would you do like geekinit in this thread and post some partial screen grabs (although his problem included Windows Server Active Directory and Profile Manager, which I will get up to soon)?
    Unable to deploy home folder mobility settings through an Apple MDM server
    Did you create a fileshare for Local Network accounts to put their stuff
    If so where is OS X server?
    Did you tell the user in OD to use that fileshare?
    Here's a screen grab example
    Francois.

  • Active Directory Mobile Account not working

    Hello all. I've successfully joined a few macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work across a reboot.
    If I reboot the computer without a network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
    However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
    Any ideas?
    Thanks!

    Abbas,
    You can find active directory synchronization option under PWA settings >> Operation Policies
    1.In Project Web App, click the Settings icon, and then click Project Web App Settings.
    2.On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization
    3. On this page, you need to enter the Active directory Group which contains the users you want to sync and then click on save and synchronize.
    You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the
    Synchronization Status section. It contains information such as when the last successful synchronization occurred.  If last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search
    for more information in the ULS logs.
    Let us know the results.
    You can find more information on AD sync at
    http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
    Thank you,
    Kiran K.

  • Mobile accounts are not being issued kerberos tickets

    Hi
    If I set mobile accounts to expire as soon as they log out, as soon as the user logs back into the same mac with the same account, it does not get issued another kerberos ticket at login.
    If I turn mobile accounts off, it works every time.
    running 10.6, 10.6 open directory server and the user accounts are AD accounts server 2003.
    I am pulling my hair out here. Is this something that is intentional?

    Other observations:
    *1. from /Library/Logs/DirectoryService/DirectoryService.error.log*
    2010-06-18 14:04:11 CEST - T[0xB0185000] - Misconfiguration detected in hash 'Global UID':
    2010-06-18 14:04:11 CEST - T[0xB0185000] - User 'user1' (/LDAPv3/macsrv1.disney.ch) - ID 1035 - UUID 80699B6C-A90E-4D2F-9B07-FB78F72E9709 - SID S-1-5-21-4063190502-2217233148-2094676766-3070
    *2. user IS showing up in the login window.*
    If I configure the login window to show all users (including network users), then user1 does indeed show up.
    *3. Logging into user1 via ssh works.*
    *4. dscl on macsrv1*
    dscl /LDAPv3/127.0.0.1 -list /Users
    does indeed show user1 (and any other user I create)
    So why can't I login/create user1 on the client mac without toggling the FULL PATH to /Network/Servers/macsrv1.disney.ch/users/user1 first? arghh!

  • Mobile Accounts: Manual Sync works, Automated Sync Does Not

    I've got a small office network with about 10 users. Each have mobile accounts under Tiger (server and clients) and they've been working flawlessly for years.
    All of a sudden we've noticed that for some users the background sync is no longer working. If they choose "Sync Home Now" from the menu the sync runs. Otherwise, it does not run at all.
    All background syncing is set (via WGM) to run every 30 minutes.
    What is the best way to debug this?
    Thanks!
    scotto

    if you configure mobile prefs to popup a dialog to confirm creating a mobile account on new machines, train them to choose "no," and they'll login with network homes on other machines.

  • I want to delete my mobile me account not just from my iPhone but from existence. I want to delete it so that no emails can be received to it, and the sender would receive an undeliverable message. Is this possible?

    No, you can stop using the account, but you cannot delete it.

  • Mobile account users can not log on to the snow leopard server machine?

    Hi all,
    I've setup a network user and designated it as a mobile account. ** OS X 10.6.2 **
    When the user logs out of the snow leopard server machine, home sync tries to sync the local and network home directories. It is never able to connect. The network home directory is automounted and is not the default path /Users. I can see the two home directories on disk.
    Anyone else able to have their mobile users log in to the snow leopard server machine without issues?
    OS X 10.6.2 **

    It was the Sync server was down and did not know it

  • Screen sharing mobile account (open directory) not working

    Can anybody else verify that screen sharing, through Remote Management, does not work when trying to connect to mobile accounts on 10.7 Lion?
    Please note, when I say through Remote Management, I mean that under System Prefs->Sharing->Screen Sharing is disabled but Remote Management is enabled. (Remote Management being able to provide its own screen sharing)
    Also I don't mean VNC... please make sure the "VNC viewers may control my screen with password" option is turned off under System Prefs->Sharing->Remote Management->Computer Settings

    I can confirm this. Same experience here on a 10.7.2 Mac.
    I get a "Please verify you have entered the correct name and password".
    Does this work on 10.6? I'm unable to check at the moment.

  • I recently had my account expire, and need to utilize the trial to finish a project. Even though my account says 'free trial' the applications will not open. How do I get the APP to recognize that I'm in trial and not expired?

    I had a year-long CC membership that expired at the beginning of October.
    After realizing that, I attempted to start a free trial of Photoshop to work on a project. My Adobe account states that I'm on a trial, but my (Mac) dashboard CC app won't allow me to start the program. I have reinstalled both Creative Cloud and Photoshop CC but still get this message.

  • Mobile account managed preferences sync rules not applied

    Hello everyone!
    I am testing out mobile accounts and home sync on a few of the machines I have. My goal is to use mobile accounts as a way to back up small documents. I have many preference and Home sync rules applied to a group. All the machines I have added to this group seem to recognize these rules, but one machine does not. It is syncing folders and file types that I have excluded. I have checked the user's managed preferences file and it appears to be correct, yet when I start a sync it does not appear to follow its own managed preferences.
    One thing I should add is that these machines have been using plain old local accounts and I have been migrating them to mobile accounts using this method:
    http://www.macenterprise.org/articles/migratingalocalusertoanetworkuser
    This method seems to work great except for the fact that the user's preferences like the dock don't appear to be carried over.

    Did you ever solve this? I have just started testing this in our office as well. It appears I have a machine that does not appear to obey the rules either. I am also migrating local accounts to mobile accounts.

  • Mobile Account Login/Logout Sync Not Skipping Inputted Items

    I'm running a Leopard Server 10.5.6 Advanced Config ODM.
    No matter what I put into the Login & Logout Sync tab underneath "Skip items that match any of the following" it still syncs everything.
    I enter "ends with" ".mp3", "mp3" and it still syncs the test MP3s I put onto the desktop for the user.
    I ask it to not sync ~/Documents and it still syncs the test documents I put into that folder.
    This user is set to sync at login and logout with no background sync. The client machine is using 10.5.6.
    Merge with user's settings NOT checked
    Background Sync > Never
    Option > Never
    Account Creation > Creation
    Create mobile account when user logs in to network CHECKED
    Create home:
    with default sync settings: CHECKED

    Thanks for the reply.
    Under
    GROUP->PREFERENCES->MOBILE->RULES
    Login and Logout Sync->Always
    Sync at login and logout->Checked
    Merge with user's settings->Not Checked and never has been.
    Unfortunately, that can't be it
    Here are some screen shots of my settings. As you can see Background sync is not enabled.
    Nevermind, it won't let me attach files.
    Message was edited by: jakelh

  • How do you setup a user mobile account, with the home directory stored locally and not synced to the server?

    I want to be able to set up a user mobile account, with the home directory stored locally and not synced to the server. What is the best way to do this? I am running Server 10.6 with 10.6 clients. Open Directory will be used to authenticate and manage preferences. Also, this one account will be used simultaneously in a computer lab setting, so files will be stored locally in the client, hence the need to NOT sync to the server. Any ideas?

    currofelix wrote:
    So what does WGM Look like in the Home Tab? afp://servername.domainname/Users? or afp://Users?
    The attached screen shots should help you:
    You will only have to do this step once. Obviously you want to use the user's shortname here.
    Then, you will see this as an option in WGM:

  • Mobile Account will not sync

    I am having no end of problems syncing a mobile account.
    Have set up a mobile account on Server (10.5.7) and specified in WGM to sync a ~/Documents/Company folder where we'll create all our company documents. I went to client that was bound to server OD and tried to log onto the mobile account, but couldn't until I logged in with this mobile account on the server .. and then could only log onto the server after I created a home directory. But after mobile user account logged into server, I could then log into client and it shows as a "mobile" account.
    I put a few documents in the ~/Documents/Company folder and I expect on log off it would check the network home directory folder (there is ~/Documents/Company folder there too) and copy files to it. So I'd have a backup of these files.
    Nothing seems to sync.. that is the server folder never gets updated as I expect. I have AFP service on and I restarted it, but no luck..
    I have no idea where to begin troubleshooting this. I've read the Apple Server Management as well as any other docs I could find.
    Dave Crabbe
    Nova Scotia Community College

    Officially no. http://support.apple.com/kb/HT4929
    Though some allege success https://discussions.apple.com/thread/3103493?start=30&tstart=0
    Good luck & let me know how you go.

  • Mobile account issues...

    Server and clients set up 2 years ago
    Clients are all Mobile accounts
    set up to forcibly create a local home directory in Users folder on each mac whenever one logs in for first time, syncing with network Homes folder on server. mobility is configured at computer group level
    As originally configured, I believe that login window displayed all personnel names as specified in Workgroup manager.
    1) Now it seems that on SOME macs, this behaviour continues , but on others, only those already having local accounts are displayed at login plus Other...Can't think why this has occurred.
    2) In addition to this, today I had to swap out a failing machine with one that was now spare but had been in use before.
    This mac mini had the limited usernames in login menu. Those in this list can log in and sync with network home. Variations then ensued...
    Randomly, two members of staff who used Other and entered Usernames and Passwords manually were recognised and logged in, but a LOCAL account was not created for them...they were running from the Homes folder on the server
    3) In addition both myself and another colleague were completely locked out, we could enter credentials manually and our passwords were recognised ( "password will expire in  x days..." ) but then message popped up "xxxx xxxxxxxx could not be logged in at this time  An error has occurred"
    4) Intermittently  I get messages from staff who have "hot desked" at a site they infrequently visit. they login and are presented with a desktop displaying files that they deleted some time ago. On logging out (syncing at this point), they return to base to find that this Old desktop has now become their current desktop and  followed them back home. It's the intermittent nature that frustrates, it affects some staff on some satellite sites
    Can anyone explain these behaviours, please? And advise on remedy?
    (can see that in a large organisation, one would not want to scroll through entire staff listing to find Username like Warren Zevon, so can one force clients to display EITHER entire list of 40 staff members [OR only those who have logged in at this desktop and thus created a local account to sync with Network Homes folder])

    Today I created a local account for myself, this allowed me to log in.
    Not savvy enough to BIND to understand how to bind to OD. ..got lost in the 'forest' window...
    On deleting this local account, I found that I could now login, but this was as a Network Managed account rather than Mobile managed... The Home Folder was the one residing on the server...
    How can I get mobile, managed account to be created on initial log in to the machine?
    I believe I have added this replacement to the Computer group that manages the << create mobile account when user logs into network account>> mobility setting but it just doesn't 'take'
