Unable to create a specific Active Directory mobile Account

Similar Messages

• Active directory mobile accounts

  Hi,
  Just did a clean install of Lion, joined it to my active directory (Windows SBS 2003). No issues with this part...
  But when I log in as a domain user, I get:
  the home folder for user is not located in the usual place or cannot be accessed
  Strangely enough, if I turn off mobile account creation, it works, and /Users/domainuser is created. If I then turn back on mobile account creation I get the error again.
  Anybody else experience this? Any pointers on how to troubleshoot?

  WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
  I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)
  - In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
  - Log out then back in as a networked user,  -A local home directory will be created under /Users but will not be accessible if network is offline (non-mobile)
  - Open Terminal
  --- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
  --- Type: ./createmobileaccount -n username
  The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.
  This fixes Active Directory mobile accounts for the time being so now its on to Open Directory which refuses to stay bound after a reboot.

• Convert Open Directory mobile accounts to Active Directory mobile accounts

  We have 200 or so Macs using OD mobile accounts.
  Implementing Active Directory, getting rid of Open Directory.
  How do I change the mobile accounts from OD accounts to AD accounts so that it authenticates against the AD Domain Controller and thus change compter login password when it's changed in AD?
  I can convert accounts this way:
  a.    Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
  b.    Log into users’ account by choosing the other option, thus creating a mobile account.
  c.    Log out, log into admin account, delete the newly created home directory, rename the home directory from the deleted users account to match the name of the deleted home directory and do a chown –R on the directory for that user.
  Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
  Any other ideas?  Preferably a script I can deploy to all computers?

  I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
  Cheers,
  Rob

• Active Directory Mobile Account not working

  Hello all. I've successfully joined a few macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work accross a reboot.
  If I reboot the computer without an network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
  However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
  Any ideas?
  Thanks!

  Abbas,
  You can find active directory synchronization option under PWA settings >> Operation Policies
  1.In Project Web App, click the Settings icon, and then click Project Web App Settings.
  2.On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization
  3. On this page, you need to enter the Active directory Group which contains the users you want to sync and then click on save and synchronize.
  You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the
  Synchronization Status section. It contains information such as when the last successful synchronization occurred.  If last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search
  for more information in the ULS logs.
  Let us know the results.
  You can find more information on AD sync at
  http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
  Thank you,
  Kiran K.

• Creating users in Active Directory through LDAP connector

  Hello,
  If we need to create users in Active directory using LDAP connector, what are the options for the following:
  1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
  2) Can we add additional fields in LDAPMAP which are not standard e.g can we we write our own code to extract data from HR to map the value with an attritube within Active directory?
  Regards,
  Ahmad

  Hello!
  I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
  Here is the posting again - sanitized this time.
  You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
  You can also perform group membership assignment in LDAP from SAP if needed.
  I have done this quite a few times at different companies that use SAP HCM.
  A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
  The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
  A job runs every 8 hours to perform delta updates in LDAP.
  The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR.

• Can FIM create OU in Active Directory

  Experts,
  Although I think answer must be YES but asking to confirm as I have not worked on FIM.
  Can FIM also create OU in Active Directory?
  Thanks,
  Mann

  Yes, you can either manage OUs separately or create them during user provisioning, given you set Hierarchical Provisioning up and running.
  That's almost OOTB behavior of AD MA

• Adobe Form that Creates Active Directory User Account

  Hello all!  Hopefully someone can help me with this.  I am using Adobe LiveCycle Designer ES 8.2 to create a user account request form.  I have the form created and now am working on a submit button that will email the form to the approving officials.  Once its emailed to the approving officials I would like to have a button available in which the approval person can select resulting in the creation of an Active Directory user account.  I need the fields in the form to populate cooresponding fields inside of Active Directory.  Current AD structure is on Server 2003.  Are there any ideas for how to accomplish this?

  I don't know. However, you might get a better or faster answer in the LiveCycle forum that deals with Designer.

• Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

  Hi,
  I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
  in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller 
  When I run Farm configuration wizard to provision search service application, I get an error:
  ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
  The log file logged the details of this error as:
  ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
  that cannot be translated."
  After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
  be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
  I got some pointer from the below thread
  https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
  However, the above thread doesn't state that the solution worked.
  I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
  Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
  Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
  Thanks in advance.
  Himanshu

  Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
  Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• How to create user in Active directory

  Hello,
  I'm trying to create a user in active directory via the following example:
  String userName = "cn=Jef Klak,ou=Ps Users,ou=Users,ou=Managed,dc=xxx,dc=local";
       Attributes attrs = new BasicAttributes(false);
       Attribute oc = new BasicAttribute("objectClass");
       oc.add("top");
       oc.add("person");
       oc.add("organizationalPerson");
       oc.add("user");
       attrs.put(oc);
            attrs.put("cn","Jef Klak");
            attrs.put("giveName","Jef");
            attrs.put("sn","Klak");
            attrs.put("displayName","Klak, Jef");
            attrs.put("description","IR");
            attrs.put("userPrincipalName","[email protected]");
            attrs.put("mail","[email protected]");
            attrs.put("company", "XXX");
            attrs.put("sAMAccountName","jk666");
  attrs.put("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_DONT_EXPIRE_PASSWD+ UF_ACCOUNTDISABLE));
            Context result = fctx.createSubcontext(userName, attrs);
  As a result I'm getting the following error:
  javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece
  remaining name 'cn=Jef Klak,ou=Ps Users,ou=Users,ou=Managed,dc=xxx,dc=local'
  Anybody any tips or advice on this one? Or maybe a working examples how to add users in AD?
  Listing entries in the AD is no problem, so it's only adding them.
  Many thanks,
  Filip                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

            attrs.put("giveName","Jef");
  javax.naming.directory.NoSuchAttributeExceptionSpelling error.

• How to create "folders" in Active Directory Users and Computers?

  Hello Community
      In Windows Server 2008R2 when you go to Active Directory Users and Computer
  you will see icons of folders such as:
      -  Builtin has a folder icon
      - Computers has a folder icon
      - ForeignSecurityPrinicpals has a folder icon
      - Domain Controller as a folder icon
      - Managed Service Accounts has a folder icon
      - Users has a folder icon
      All of the above folders are visually identical.
      If you right click and select “File” –  “New”
   on any of the selections the icon
  will not look like the folder icon they have their own icons which look different
  from the "Folder" icon.
      I would like to create a “Folder” that looks just visually exactly like the ones
  mentioned above, how can I create those types of Folders in Active Directory User
  and Computers?
      Note: I would like to put users in the folders.
      Thank you
      Shabeaut

  Hi,
  you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
  The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
  Refer: Delegating Administration by Using OU Objects
  http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
  and the sub-articles:
  Administration of Default Containers and OUs
  http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
  Delegating Administration of Account and Resource OUs
  http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
  Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Unable to login with an Active Directory account on 10.6.7

  I just got a Mac Airbook and I'm trying to connect with my AD account. I was able to bind my computer to the domain succesfully but when I try and logon with my AD account I get the shakes. I verified my binding with the green light next to "Network Account Server". I asked some admins who have older macs and they guided me through the settings but it still doesn't work for me. The only thing that shows up in the logs when I attempt to login is "Active Directory could not find GUID for DOMAIN\domain to update admin group". And yes, my local user is different than my AD user.
  Any ideas?

  Not for me. Some things mount others do not. Plus you can't use links from e-mails or save to from applications. It makes most applications completely unuse-able for me. It looks like I'm going to have to run almost everything over Parallels. Kind of of lame that Mac can't get this fixed.

• Unable to create the portable home directory for this user

  This is driving me nuts!
  I have a network user who I can login to on any machine on the network. I want a PHD to be created on a laptop and eveytime I answer 'yes' to 'create PHD for this user' I get the "unable to create the PHD for this user" message.
  What am I doing wrong?

  I fixed this by unbinding the laptop from the od server as I had used this user previously for PHD's on this machine. Setting up the machine to bind to OD again and all is well.

• Creating a simulated Active directory

  Hi all,
  I am studying IDM now and doing some exercises, one of them include making a simulated file of an AD, but it doesn't work like an Active directory at all.
  I installed the gateway but didn't see how can I connect a simulated file to the gateway. and when I try to use cn=.... and so on, I simply get the string as the userid which prevents me from using it to seed the users with the other simulated files.
  How can I simulate an AD or what should I set so the cn=.... string will work correctly.

  Well I made an oraganization called XYZCompany.
  And then connected the AD simulated resource to an xml file using the following:
  cn=$login$,ou=$division$,ou=$department$,dc=$xyzcompany,dc=com
  when I did a full reconcile on IDM 6 it didn't put the user accounts into XYZCompany, it put them in top and with a user name as long as the string above. Did excatly the same with IDM 5 and it inserted the login name into the XYZCompany organization and I could work with it.

• Unable to create a user home directory ?

  When I use root to create a new account, it can not create a default home directory for this user .
  This problem will also cause a lot of other problems when using non-root account to login in.
  $ ssh [email protected]
  Password:
  Last login: Mon Jul 7 10:13:42 2008 from 10.250.X.X
  Could not chdir to home directory /home/admin: No such file or directory
  Sun Microsystems Inc. SunOS 5.10 Generic January 2005
  what's the problem ?

  chances are its the automounter. check /etc/auto_master. it by default includes /home as a mount point for the automount process. if you dont need the automount for /home, comment that line out, save the file, and run automount -v (-v for verbose output). you should then be able to create dirs under /home. or, you could use a diff home dir prefix, or use the automounter (this will take some setup).

• Password Sync from Active Directory Locking Accounts

  Hello,
  We recently set up Active Directory as a resource and are synching passwords. We are using IDM 7.1.1.11. We are noticing that when actions in IDM push the password out to AD, and they sync comes back to IDM, the sync workflow is locking up the account, before the original IDM action completes. For example, when an admin resets a users password, they see several error messages stating that the account is locked by the account that authenticates through the password sync utility. They also see succesful password reset messages, but I would like it if they didn't see errors saying the account is locked. We are using a direct connection between the Password Sync util and IDM. Has anyone ran into this? Any advice on overcoming it?
  Thanks.
  Jim

  I opened a support case with Sun about this issue, and they recommended logging a trace file for com.waveset.adapter.ActiveDirectoryActiveSyncAdapter. While the tracefile does not seem to contain any useful information, the simple fact that there is tracing going on for it now seems to be easing the situation. In my test environment I saw occurrences of this locking problem drop by 90-95% simply by turning the tracing on. I started tracing in production in the hopes that it will at least lessen the occurances of this.
  Sounds like we are taking the same approach Raj, the problem I've been having with it is getting it to happen will I'm debugging our reset password workflow. I want to make sure I add the locking check in the right place, so I was attempting to determine which area to check for it.
  I'll be sure to keep the thread updated if anything changes on our end.
  Jim