Retroactively create mobile account at login?

Hi all,
With one laptop configuration, after binding to AD, I overlooked the "create mobile account at login". This resulted in the main user of this laptop being able to authenticate only if they're connected to the LAN.
How could one retroactively allow an AD account to be mobile once it's created? The obvious step of checking the proper enable box does not retroactively change the mobile status of an existing account.

I learned that I'd misunderstood the problem: it was that no network accounts could authenticate on this machine, and the only way the main user could authenticate was to go off the LAN, not on.
It was a clock time skew. I discovered it while trying to unbind from AD, and got an error regarding time. AD was disallowing network logins to the machine, and it was only the mobile account that was working.

Similar Messages

  • 10.5.3: Can't Create Mobile Account

    I have a MacBook Pro that authenticates to Active Directory.
    When I try to create a Mobile Account
    [ System Preferences --> Accounts --> Mobile Accounts:Create ]
    I get prompted to
    "*Enter your password to create a mobile account*"
    However, it does not accept the password, responding with
    "*Incorrect password*"
    After three attempts, I get
    "*Mobile account creation canceled*"
    and then logged off.
    I've tried both my Active Directory account password, and the local administrator password. Neither work.
    At least I can get that far; in 10.5.2, the Mobile Account:Create button was greyed out.
    Is anyone else having the same problem? Is there a fix for this?
    I'm going to be out of the office next week for a conference, and would really like to get this working before then.
    UPDATE: When trying to enable FileVault for my A.D. account, I get the following message:
    *You cannot turn on FileVault for this account.*
    *This account is either a network account or the home folder is on a server. You cannot turn on FileVault for these types of accounts.*
    This makes this problem more than a minor annoyance, as my company policy -- and plain common sense -- requires encryption enabled for laptops.
    Message was edited by: Robert Racansky

    Hi Robert
    On the Active Directory Server, SMB Digital Signing Requirements (there are two: Server and Client) need to be disabled. It's not enough to leave them undefined. Once that has been done, make sure client clocks are within 5 minutes of the server's clock. In the Network Preferences pane make sure the Mac is using the AD DC for resolving internal DNS services and the Search Domain field is filled in with the appropriate AD domain name. It's also advisable to fill in the WINS tab with the relevant information for the AD.
    Launch Directory Utility and select the Services Icon (click Show Advanced Options to see this). Select the Active Directory plug-in and click the disclosure triangle to show Advanced Options. Leave everything as the default and select 'Create Mobile Account at Login'. Fill in the Active Directory Domain field with the relevant information. For example if the AD's FQDN is adserver.addomain.com then the information should be addomain.com. Now click Bind. In the resulting window key in authentication details for an account that has authority for the AD Domain. Typically this would be the AD admin account name and password. What follows next will be a 5 step process. Depending on how well the AD has been configured this should take anything from 5-10 seconds and possibly 1-2 minutes. If it takes a short time this will be a good sign as to the 'health' of internal DNS Services as well as the AD configuration. The longer it takes the more the likelihood of problems.
    By the way there is no magic fix for integrating/binding mac clients to an AD Server. Over 90% of how well this goes will rest with how well the AD is configured.
    If the bind has been successful you should see a Kerberos TGT (ticket granting ticket) has been created in /Library/Preferences. It will be a file called edu.mit.Kerberos. You can inspect this and it should show the relevant details regarding the KDC (Kerberos Distribution Center). If you now log out you should see the Log in window display the local admin user as well 'Other'. It should look like a shadowed head and shoulders in front of a star field. Select this and supply your AD name and password. Provided the AD admin has defined a UNC path in the Profiles tab for your account on the AD Server for home folder creation and that you have full read/write privileges for that folder then you should be logging into your locally created home folder that also gets created at the same time on the AD.
    It's best if you sync when logging out, as there have been problems syncing at other times. Mileage may vary.
    Hope this helps, Tony
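    A pre-bind check script covering the points in Tony's reply (client clock within 5 minutes of the DC, DNS for the AD domain resolving, and the edu.mit.Kerberos file naming a KDC once a bind has succeeded). This is an added example, not code from this thread or from Apple; it assumes `host` and `ntpdate -q` are installed and uses the file path Tony gives.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks before/after binding a Mac to AD.
# Assumptions: `host` is available for DNS lookups and `ntpdate -q DC` is available
# to report the clock offset; KRB_CONF is the file Tony names in his reply.

KRB_CONF="/Library/Preferences/edu.mit.Kerberos"  # created on a successful bind (per Tony)
MAX_SKEW=300                                      # Kerberos tolerates 5 minutes of skew

# abs_int N -> prints |N| as a plain integer
abs_int() {
    n=$1
    [ "$n" -lt 0 ] && n=$(( 0 - n ))
    printf '%s\n' $(( n + 0 ))
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH -> exit 0 if the two clocks are within MAX_SKEW seconds
skew_ok() {
    d=$(abs_int $(( $1 - $2 )))
    [ "$d" -le "$MAX_SKEW" ]
}

# offset_from_ntpdate LINE -> prints the whole-second offset from an `ntpdate -q` line
# such as "server 10.0.0.1, stratum 2, offset -0.012345, delay 0.02"; prints nothing if absent
offset_from_ntpdate() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9][0-9]*\)\(\.[0-9][0-9]*\)\{0,1\}.*/\1/p'
}

# ntp_skew_ok LINE -> exit 0 if the reported offset is within tolerance; 2 if unparseable
ntp_skew_ok() {
    off=$(offset_from_ntpdate "$1")
    [ -n "$off" ] || return 2          # could not parse: treat as a failed check
    d=$(abs_int "$off")
    [ "$d" -le "$MAX_SKEW" ]
}

# krb_conf_ok FILE -> exit 0 if FILE exists and names at least one KDC (Tony's post-bind check)
krb_conf_ok() {
    [ -f "$1" ] && grep -qi 'kdc' "$1"
}

# dns_ok DOMAIN -> exit 0 if the AD domain resolves through the configured resolver
dns_ok() {
    host "$1" >/dev/null 2>&1
}

# prebind_check DOMAIN DC -> prints one line per check, exit 1 if any hard check fails
prebind_check() {
    domain=$1; dc=$2; rc=0
    if dns_ok "$domain"; then echo "OK   DNS resolves $domain"; else echo "FAIL DNS lookup for $domain"; rc=1; fi
    line=$(ntpdate -q "$dc" 2>/dev/null | grep offset | head -n 1)
    if ntp_skew_ok "$line"; then echo "OK   clock within ${MAX_SKEW}s of $dc"; else echo "FAIL clock skew vs $dc (got: '$line')"; rc=1; fi
    if krb_conf_ok "$KRB_CONF"; then echo "OK   $KRB_CONF names a KDC"; else echo "INFO $KRB_CONF absent or has no KDC (expected before binding)"; fi
    return $rc
}

# Usage (assumed names): sh prebind.sh addomain.com dc1.addomain.com
if [ "$#" -ge 2 ]; then
    prebind_check "$1" "$2"
fi
```

    Run it before binding to catch the DNS and clock problems Tony describes, and again after binding to confirm the Kerberos file lists the KDC; a "FAIL clock skew" line is the symptom behind the time error the original poster hit while unbinding.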

  • Users unable to create Mobile Accounts

    Good afternoon.
    I have an interesting problem with the creation of Mobile Accounts.
    We have a Computer Group with its Preferences set to allow the creation of Mobile Accounts & Portable Home Directories; with due consideration given to what to synchronise and what not to. The iBooks & Mac Books in this group are all used by one staff member only. They are all running 10.4.7 and have 256 or 512 MB RAM.
    The first two laptops added to the list allowed their users to create Mobile Accounts & PHDs no problem, and they continue to work. But any other machines I add to the group refuse to allow the creation of a Mobile Account. It seems that Workgroup Manager does not pass on their changed Preferences during subsequent logons. I have tested this by renaming a laptop at its entry in the group and seeing if the name is changed on the machine at the next login. It is not, but stepping through the machine's settings at the logon display does give me a green light for network availability.
    I can create a Mobile Account on a machine by logging on as a user and amending their account Preferences, but this does not provide the same degree of flexibility in configuring synchronisation settings.
    Has anyone else seen this problem please?
    Brian Bowell ICT Support
    [email protected]
    Tel: 07 856 6537
    Fax: 07 856 6588

    The problem was an error in naming the computer group. Renaming it solved the problem.

  • 10.4.11 - Can't create mobile account

    I reimaged one of our PowerBook G4 laptops and ran S/W update getting it to version 10.4.11. After rebooting I could not create an Active Directory mobile user account. Tried all the normal things - repair permissions, rebind to AD and reboot, even trashed the edu.mit.kerberos file and all plists in /Library/Preferences/DirectoryService and rebound from scratch. I probably trashed the mcx settings in NetInfo Mgr, but I don't recall for sure. Also the ol' reset-nvram and reset-all in OpenFirmware. Nothing helped - kept getting the "can't login, user's home folder is on an AFP or SMB share". When I logged in as my local admin user, I could connect to the home folder path using the mobile user's credentials (with Kerberos).
    My solution was to reimage the laptop again (ver 10.4.10), bind to AD & reboot, create the mobile account and then run S/W update to 10.4.11.
    I'm not really looking for a solution here, just a warning to people that you may not want to create images at 10.4.11 if you use mobile accounts. I plan on using my 10.4.10 images for the time being.
    Ta ta,
    JHL
    P.S. I haven't tried this yet on our iBooks, eMacs or iMacs.

    Similar issue...
    Updated an iBook G4 today to 10.4.11. After reboot it logged in with a Network Account (not mobile account this time - AD set to not create mobile account and to not create local home). I unbound from AD, rebooted and created a NetRestore image. Rebound to AD, set the Authentication order and rebooted. Now the network account wouldn't login - gives the Can't login now, homefolder on an AFP or SMB server error. (homefolders, sharepoints and permissions just fine.)
    Now for the strange part... I got sidetracked for about a half hour, then I went back to the iBook and the Network account was able to login again. After several unbinding/reboot/rebinding/reboot processes, I narrowed it down to it takes about 11 or 12 minutes after binding to AD for the network account to login properly.
    I had another tech install the 10.4.11 update on an eMac and the logins worked ok. But when I had him unbind/reboot/rebind/reboot, he had the same 11 to 12 minutes before a network account can login (same error.)
    Now for another strange part... he tried unbind/rebind again, but left AD 3rd in the Authentication order (after NetInfo and LDAP for OpenDir). The network account could login right away - these are AD useraccts.
    In my experience since 10.3, I've always had to put AD before LDAP/OD in the authentication order for the user-acct to authenticate name/password to Active Directory properly. I plan on trying this with the iBook tomorrow.
    My homefolders for these accounts are on x-server running 10.4.10 (haven't been brave enough to update the servers yet.)
    Has anyone else experienced these 10.4.11 anomalies with network or mobile accounts? Either with 10.4.10 or 10.4.11 servers?

  • "Grouped" user cannot create Mobile account

    Hello
    Leopard Server 10.5.4 and Leopard client 10.5.4.
    In Server, we have a group of users called Group1. In this group we have a user called User1. When we try to create a mobile account, prompts for password, and then "There was an error creating mobile account" appears.
    When we try to create Mobile account for any user outside any group we have no problem.
    The Mobility prefs are the same in the Group1 and in the account outside the group.
    Any help appreciated.
    K.

    Look in the system log for clues.
    Also you can turn on ManagedClient logging from Terminal this way:
    sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
    Then reproduce the problem. The log will be here:
    /Library/Logs/ManagedClient/ManagedClient.log
    Remove /Library/Preferences/com.apple.MCXDebug.plist to stop logging (and increase performance).
    And please file a bug with Apple.

  • Cannot create mobile account

    I have to admit that I'm new to OS X server and what should have been simple isn't proving to be that way. I have managed to get one of my client laptops authenticating but now when I go to create a mobile account it works for some users but not for mine - I suspect this is because of a clash of names on the host laptop. Is this correct and how can I fix it?

    Look in the system log for clues.
    Also you can turn on ManagedClient logging from Terminal this way:
    sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
    Then reproduce the problem. The log will be here:
    /Library/Logs/ManagedClient/ManagedClient.log
    Remove /Library/Preferences/com.apple.MCXDebug.plist to stop logging (and increase performance).
    And please file a bug with Apple.

  • How to create Itune account to login Apple store without visa card in Vietnam?

    I live in Vietnam. Currently in Vietnam, paying in cash is still common and paying by credit card is rare, so I cannot create an account for iTunes to sync some videos and documents with my iPad. Can you help me?

    Read through the link here >>> http://support.apple.com/kb/HT2534
    It should solve your problem.

  • How can I create a mobile account in Mountain Lion?

    Dear All,
    I have a problem creating a mobile account while joining an Active Directory domain controller (DC).
    ** Case one: While joining the DC, if these options are selected (Create mobile account at login) & (Force local home directory on startup disk), the home directory can not be created at all.
    So, how can case one be solved?
    ** Case two: While joining the DC, if (Create mobile account at login) is not selected, and (Force local home directory on startup disk) is selected, the home directory can be created, but not as a mobile account.
    So, after creating the home directory, I can go to make it a mobile account from Users & Groups/Active Directory user and choose mobile account.
    After creating the mobile account, the user logged out and then logged in back again. From here the Mobile account button is disabled and I cannot manage it.
    So, how can the bold underlined part of case two be solved?
    Note: Active directory used is Windows Server 2008.
    Regards,
    Abdelaal,

    What is a "fax dialog"?
    This dialog, or something closely resembling it, is what you should see:
    Clicking Print sends the fax.
    It is possible Acrobat is interfering with something, in which case you should get rid of it, unless you know of a reason to require it.

  • Active directory mobile accounts

    Hi,
    Just did a clean install of Lion, joined it to my active directory (Windows SBS 2003). No issues with this part...
    But when I log in as a domain user, I get:
    the home folder for user is not located in the usual place or cannot be accessed
    Strangely enough, if I turn off mobile account creation, it works, and /Users/domainuser is created. If I then turn back on mobile account creation I get the error again.
    Anybody else experience this? Any pointers on how to troubleshoot?

    WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
    I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)
    - In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
    - Log out, then back in as a networked user. A local home directory will be created under /Users but will not be accessible if the network is offline (non-mobile)
    - Open Terminal
    --- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
    --- Type: ./createmobileaccount -n username
    The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.
    This fixes Active Directory mobile accounts for the time being, so now it's on to Open Directory, which refuses to stay bound after a reboot.

  • AD mobile account stores Mac user profile in Windows home directory

    My Windows Server 2003 AD accounts have roaming profiles and user home directories stored in different locations on Windows Server 2003 servers. How do I prevent my MacOS tiger clients from copying the local user profiles for AD mobile accounts to the respective remote home directories?
    This unwanted behavior is quite similar to using Windows 9x clients in similar AD environment.

    I do need to automount the network home directory but do not desire to have it sync with the local home directory. I disabled the "create mobile account at login" option and enabled "force local home directory on startup disk" and "use unc path from active directory ..." and these appear to have resolved the problem. Unfortunately the network home directory no longer automounts, nor do network accounts show up at the logon prompt (strangely enough, they can be configured to autologin.)

  • Mobile Account Login/Logout Sync Not Skipping Inputted Items

    I'm running a Leopard Server 10.5.6 Advanced Config ODM.
    No matter what I put into the Login & Logout Sync tab underneath "Skip items that match any of the following" it still syncs everything.
    I enter "ends with" ".mp3", "mp3" and it still syncs the test MP3s I put onto the desktop for the user.
    I ask it to not sync ~/Documents and it still syncs the test documents I put into that folder.
    This user is set to sync at login and logout with no background sync. The client machine is using 10.5.6.
    Merge with user's settings NOT checked
    Background Sync > Never
    Option > Never
    Account Creation > Creation
    Create mobile account when user logs in to network CHECKED
    Create home:
    with default sync settings: CHECKED

    Thanks for the reply.
    Under
    GROUP->PREFERENCES->MOBILE->RULES
    Login and Logout Sync->Always
    Sync at login and logout->Checked
    Merge with user's settings->Not Checked and never has been.
    Unfortunately, that can't be it
    Here are some screen shots of my settings. As you can see Background sync is not enabled.
    Nevermind, it won't let me attach files.
    Message was edited by: jakelh

  • Deleted items reappear on mobile account with syncing?

    On a mobile account with syncing, deleted items will reappear after syncing. One can manually do a full sync. Then delete stuff. Then do a full manual sync again and the deleted items are back.
    This is on Leopard 10.5.6 client and Leopard 10.5.6 server.
    Open to ideas on what I ought to look at.
    Best Wishes,
    Paul

    Paul,
    I'm happy I'm not alone (sorry..)
    I have exactly the same problem, although I'm using Linux server, not OSX.
    It all worked nicely until 10.5.6 upgrade, after that I'm having lots of home sync problems, including:
    1. locally deleted items re-appear after sync
    2. a lot of sync conflicts, especially when sync cannot resolve the latest file or directory version between mobile and network copy (and the mobile copy will always be the latest one)
    3. huge syncs even if no data has been modified, i.e.:
    I'm syncing all on login and logout, background sync is disabled.
    I do login then straight away logout, so practically no data has been modified, but the sync may show me tens of GB being transferred.
    Now, this is weird: I've done tests on a freshly created mobile account, with approx 50MB of data. Basically I've logged in and out repeatedly, sometimes modifying small files. Some of the syncs showed me transfer of 60MB!!! That's 10MB more than the size of the home directory!
    I've looked through release notes for 10.5.6 and some sync issues were 'fixed'. I'm wondering if other ones were introduced...
    As I've said, it all worked perfectly until the latest update - I have many machines behaving in the same, bad way.
    Perhaps someone has a solution?
    Thanks,
    Pawel

  • Mobile account with FileVault

    We have a Leopard XServe 10.5.8 and a Client running Snow Leopard 10.6.2. I have just instituted via WGM the policy to create a mobile account on login and to protect the home folder with FileVault. The error I am getting is "Unable to Create mobile account" "Your FileVault home can't be created because a folder with the same name already exists" What am I doing wrong? Is this not possible? Do I need to do it in phases?

    Is the user name already in use locally? If so use a different user name on the server and then login and move documents from old local account to an external drive and then re-login to new account on server and copy documents over to new server account. You might have to run the chown command on the contents of the copied over documents: sudo chown -R user /networkuser/copiedfolder and then enter the local admin password. -R is for recursive so it will do it to all files within that folder.
    Now a situation that I just ran into was I already had the network account which was a mobile account, but I wanted to promote it to have the File Vault added to it. Well I enabled it within WGM, but it did not apply the settings on the computer that I was logging into. So I logged into the admin account on the computer and deleted the network user in the system preferences users pane. Then logged out and re-logged back in as the new OD File Vault encrypted account it asked me to create local account and I did and it resynced all my files from the server back to the local computer. I am running 10.6.3 OD Server and 10.5.8 clients. Hope this helps.

  • Mobile account issues...

    Server and clients set up 2 years ago
    Clients are all Mobile accounts
    Set up to forcibly create a local home directory in the Users folder on each Mac whenever one logs in for the first time, syncing with the network Homes folder on the server. Mobility is configured at computer group level.
    As originally configured, I believe that login window displayed all personnel names as specified in Workgroup manager.
    1) Now it seems that on SOME macs, this behaviour continues , but on others, only those already having local accounts are displayed at login plus Other...Can't think why this has occurred.
    2) In addition to this, today I had to swap out a failing machine with one that was now spare but had been in use before.
    This mac mini had the limited usernames in login menu. Those in this list can log in and sync with network home. Variations then ensued...
    Randomly, two members of staff who used Other and entered usernames and passwords manually were recognised and logged in, but a LOCAL account was not created for them...they were running from the Homes folder on the server
    3) In addition both myself and another colleague were completely locked out, we could enter credentials manually and our passwords were recognised ( "password will expire in x days..." ) but then a message popped up "xxxx xxxxxxxx could not be logged in at this time An error has occurred"
    4) Intermittently  I get messages from staff who have "hot desked" at a site they infrequently visit. they login and are presented with a desktop displaying files that they deleted some time ago. On logging out (syncing at this point), they return to base to find that this Old desktop has now become their current desktop and  followed them back home. It's the intermittent nature that frustrates, it affects some staff on some satellite sites
    Can anyone explain these behaviours, please? And advise on remedy?
    (can see that in a large organisation, one would not want to scroll through entire staff listing to find Username like Warren Zevon, so can one force clients to display EITHER entire list of 40 staff members [OR only those who have logged in at this desktop and thus created a local account to sync with Network Homes folder])

    Today I created a local account for myself, this allowed me to log in.
    Not savvy enough to understand how to bind to OD. ..got lost in the 'forest' window...
    On deleting this local account, I found that I could now login, but this was as a Network Managed account rather than Mobile managed... The Home Folder was the one residing on the server...
    How can I get mobile, managed account to be created on initial log in to the machine?
    I believe I have added this replacement to the Computer group that manages the << create mobile account when user logs into network account>> mobility setting but it just doesn't 'take'

  • Mobile account creation has different result...

    Created managed preference group:
    - Finder: Show connected servers on Desktop
    - Mobility: Set to create Mobile account, synching off, HomeFolder on startup volume.
    - Login: Maps three SMB paths to Windows Server folders
    - Active Directory: UNC path set in user's Active Directory profile to Home Folder on Windows Server
    There are two different conditions that give different results:
    (1) User logs on to a particular Mac once (using AD network account), prior to applying managed preferences. User is not member of preference group. Mac creates full set of User Account folders in user's home. Then user's name is applied to preference group, and user logs on.
    (2) User's name applied to preference group, prior to logging on to a particular Mac. User logs in using AD network account.
    Results: With condition (1), User gets a full set of typical folders in local home folder, UNC network home folder is mapped to dock - the two Home folders (local and network) are kept separated, all works as anticipated.
    With condition (2), user does not consistently get full set of folders in local home folder, UNC network home folder is mapped to dock - and local "Library/Preferences" and "Downloads" is copied into network home. Occasionally, user's AD account gets locked out due to too many failures while attempting to access folders.
    I would greatly appreciate anyone who can lead me to understand this.
    Thank you...David

    The usual approach with Open Directory is to either use Workgroup Manager to define a managed login preference for a computer group to define that those member computers should cause the use of mobile accounts on those computers, or to do the same thing via Profile Manager.
    Note: If you are using Mavericks you must use Profile Manager as it does not support this via Workgroup Manager managed preferences.
    This will not require users to need admin authorisation.
