Users unable to create Mobile Accounts

Good afternoon.
I have an interesting problem with the creation of Mobile Accounts.
We have a Computer Group with its Preferences set to allow the creation of Mobile Accounts & Portable Home Directories; with due consideration given to what to synchronise and what not to. The iBooks & Mac Books in this group are all used by one staff member only. They are all running 10.4.7 and have 256 or 512 MB RAM.
The first two laptops added to the list allowed their users to create Mobile Accounts & PHDs no problem, and they continue to work. But any other machines I add to the group refuse to allow the creation of a Mobile Account. It seems that Workgroup Manager does not pass on their changed Preferences during subsequent logons. I have tested this by renaming a laptop at its entry in the group and seeing if the name is changed on the machine at the next login. It is not, but stepping through the machine’s settings at the logon display does give me a green light for network availability.
I can create a Mobile Account on a machine by logging on as a user and amending their account Preferences, but this does not provide the same degree of flexibility in configuring synchronisation settings.
Has anyone else seen this problem please?
Brian Bowell ICT Support
[email protected]
Tel: 07 856 6537
Fax: 07 856 6588

The problem was an error in naming the computer group. Renaming it solved the problem.

Similar Messages

  • "Grouped" user cannot create Mobile account

    Hello
    Leopard Server 10.5.4 and Leopard client 10.5.4.
    In Server, we have a group of users called Group1. In this group we have a user called User1. When we try to create a mobile account, prompts for password, and then "There was an error creating mobile account" appears.
    When we try to create Mobile account for any user outside any group we have no problem.
    The Mobility prefs are the same in the Group1 and in the account outside the group.
    Any help appreciated.
    K.

    Look in the system log for clues.
    Also you can turn on ManagedClient logging from Terminal this way:
    sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
    Then reproduce the problem. The log will be here:
    /Library/Logs/ManagedClient/ManagedClient.log
    Remove /Library/Preferences/com.apple.MCXDebug.plist to stop logging (and increase performance).
    And please file a bug with Apple.

  • 2008 Failover cluster unable to create computer account

    Hello,
    I have created a 2008 R2 Failover cluster and I am trying to add a Fail over File server to this.
    I get the dreaded
    Cluster network name resource 'OfMaClusterFS' failed to create its associated computer object in domain 'xxx.domain' for the following reason: Unable to create computer account.
    The text for the associated error code is: Access is denied.
    Please work with your domain administrator to ensure that:
    - The cluster identity 'OFMACLUSTER$' can create computer objects. By default all computer objects are created in the 'Computers' container; consult the domain administrator if this location has been changed.
    - The quota for computer objects has not been reached.
    - If there is an existing computer object, verify the Cluster Identity 'OFMACLUSTER$' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.
    I have created clusters frequently in the past, on my own Domains that I am a domain admin of.  Now I am trying to make one on our larger corporate domain that I am not a domain admin of and get this error.
    By default, domain users can not add computer accounts to our domain.  I do however have a limited account that can add computers to the domain... but I have tried all the tricks I can think of to try and add the Network name to AD and no luck.
    I have tried running the cluster service with this account, but it is still trying to use the OFMACLUSTER$ identity to create the Network name.  I have tried manually creating the network name using my limited account, but that doesn't work either,
    same error.  I don't have the ability to change permissions on the computer name I added for the network name to AD.
    I have raised a ticket to our wintel team to try and get them to help, but they aren't exactly the most responsive bunch.  I'm just wondering what the best way around this problem is if I am not a domain admin and I can't make the changes I need, or
    what concise instructions I can give to the domain admins so that they can help me out without saying that it is a security breach etc.
    I would appreciate any advice on this as it's now urgent and also something I will have to do in the future fairly regularly and don't want to get caught in the situation in the future.

    Hi jogdial,
    To create a cluster, the minimum permission is: Requires administrative permissions on the servers that will become cluster nodes. Also requires
    Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain.
    If you create the cluster name account (cluster name object) before creating the cluster—that is, prestage the account—you must give it the
    Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain. You must also disable the account, and give
    Full Control of it to the account that will be used by the administrator who installs the cluster.
    The related KB:
    Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory
    http://technet.microsoft.com/en-us/library/cc731002(v=ws.10).aspx
    More information:
    How to Create a Cluster in a Restrictive Active Directory Environment
    http://blogs.msdn.com/b/clustering/archive/2012/03/30/10289577.aspx
    I’m glad to be of help to you!
    Thanks for helping make community forums a great place.
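An added example (not part of the original thread, and not Microsoft's own script) of the narrowest change a domain administrator can make for the error quoted in the question: prestage the computer object for the network name 'OfMaClusterFS' and give the cluster identity 'OFMACLUSTER$' Full Control of that one object, instead of delegating Create Computer objects on the whole container. The OU path is a placeholder, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: prestage the clustered file server's computer object and
# grant the cluster identity Full Control on that single object.
# Run by a domain administrator on a host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Names taken from the error message in the question.
$NetworkName     = 'OfMaClusterFS'   # clustered network name (computer object)
$ClusterIdentity = 'OFMACLUSTER$'    # cluster name object reported in the error

# Placeholder (assumption): the OU that holds cluster computer objects.
$TargetOU = 'OU=Clusters,DC=example,DC=com'

# 1. Reuse the computer object if it already exists, otherwise create it.
$vco = Get-ADComputer -Filter "Name -eq '$NetworkName'"
if (-not $vco) {
    $vco = New-ADComputer -Name $NetworkName -Path $TargetOU `
        -Description 'Prestaged for failover cluster OFMACLUSTER' -PassThru
}

# 2. Resolve the cluster identity to a SID so the ACE does not depend on
#    name resolution later.
$clusterSid = (Get-ADComputer -Identity $ClusterIdentity).SID

# 3. Add an Allow / Full Control ACE for the cluster identity, scoped to
#    this object only. Nothing on the container is changed.
$path = "AD:\$($vco.DistinguishedName)"
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $clusterSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: read the ACL back and confirm an explicit Allow ACE with
#    Full Control exists for the cluster identity's SID.
$explicit = (Get-Acl -Path $path).GetAccessRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier])
$granted = $explicit | Where-Object {
    $_.IdentityReference -eq $clusterSid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
}
if (-not $granted) {
    throw "Full Control for $ClusterIdentity is missing on $NetworkName"
}
"OK: $ClusterIdentity has Full Control on $($vco.DistinguishedName)"
```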

  • 10.4.11 - Can't create mobile account

    I reimaged one of our powerbook G4 laptops and ran S/W update getting it to version 10.4.11. After rebooting I could not create an Active Directory mobile user account. Tried all the normal things - repair permissions, rebind to AD and reboot, even trashed the edu.mit.kerberos file and all plists in /Library/Preferences/DirectoryService and rebind from scratch. I probably trashed the mcx settings in NetInfo Mgr, but I don't recall for sure. Also the 'ol reset-nvram and reset-all in OpenFirmware. Nothing helped - kept getting the "can't login, users home folder is on an AFP or SMB share". When I logged in as my local admin user, I could connect to the homefolder path using the mobile-user's credentials (with Kerberos).
    My solution was to reimage the laptop again (ver 10.4.10), bind to AD & reboot, create the mobile account and then run S/W update to 10.4.11.
    I'm not really looking for a solution here, just a warning to people that you may not want to create images at 10.4.11 if you use mobile accounts. I plan on using my 10.4.10 images for the time being.
    Ta ta,
    JHL
    P.S. I haven't tried this yet on our iBooks, eMacs or iMacs.

    Similar issue...
    Updated an iBook G4 today to 10.4.11. After reboot it logged in with a Network Account (not mobile account this time - AD set to not create mobile account and to not create local home). I unbound from AD, rebooted and created a NetRestore image. Rebound to AD, set the Authentication order and rebooted. Now the network account wouldn't login - gives the Can't login now, homefolder on an AFP or SMB server error. (homefolders, sharepoints and permissions just fine.)
    Now for the strange part... I got sidetracked for about a half hour, then I went back to the iBook and the Network account was able to login again. After several unbinding/reboot/rebinding/reboot processes, I narrowed it down to it takes about 11 or 12 minutes after binding to AD for the network account to login properly.
    I had another tech install the 10.4.11 update on an eMac and the logins worked ok. But when I had him unbind/reboot/rebind/reboot, he had the same 11 to 12 minutes before a network account can login (same error.)
    Now for another strange part... he tried unbind/rebind again, but left AD 3rd in the Authentication order (after NetInfo and LDAP for OpenDir). The network account could login right away - these are AD useraccts.
    In my experience since 10.3, I've always had to put AD before LDAP/OD in the authentication order for the user-acct to authenticate name/password to Active Directory properly. I plan on trying this with the iBook tomorrow.
    My homefolders for these accounts are on x-server running 10.4.10 (haven't been brave enough to update the servers yet.)
    Has anyone else experienced these 10.4.11 anomalies with network or mobile accounts? Either with 10.4.10 or 10.4.11 servers?

  • 10.5.3:  Can't Create  Mobile Account

    I have a MacBook Pro that authenticates to Active Directory.
    When I try to create a Mobile Account
    [ System Preferences --> Accounts --> Mobile Accounts:Create ]
    I get prompted to
    "*Enter your password to create a mobile account*"
    However, it does not accept the password, responding with
    "*Incorrect password*"
    After three attempts, I get
    "*Mobile account creation canceled*"
    and then logged off.
    I've tried both my Active Directory account password, and the local administrator password. Neither work.
    At least I can get that far; in 10.5.2, the Mobile Account:Create button was greyed out.
    Is anyone else having the same problem? Is there a fix for this?
    I'm going to be out of the office next week for a conference, and would really like to get this working before then.
    UPDATE: When trying to enable FileVault for my A.D. account, I get the following message:
    *You cannot turn on FileVault for this account.*
    *This account is either a network account or the home folder is on a server. You cannot turn on FileVault for these types of accounts.*
    This makes this problem more than a minor annoyance, as my company policy -- and plain common sense -- requires encryption enabled for laptops.
    Message was edited by: Robert Racansky

    Hi Robert
    On the Active Directory Server SMB Digital Signing Requirements (there are two: Server and Client) need to be disabled. It's not enough to leave them undefined. Once that has been done make sure client clocks are within 5 minutes of the server's time clock. In the Network Preferences Pane make sure the mac is using the AD DC for resolving internal DNS Services and the Search Domain field is filled in with the appropriate AD Domain Name. It's also advisable to fill in the WINS Tab with the relevant information for the AD.
    Launch Directory Utility and select the Services Icon (click Show Advanced Options to see this). Select the Active Directory plug-in and click the disclosure triangle to show Advanced Options. Leave everything as the default and select 'Create Mobile Account at Login'. Fill in the Active Directory Domain field with the relevant information. For example if the AD's FQDN is adserver.addomain.com then the information should be addomain.com. Now click Bind. In the resulting window key in authentication details for an account that has authority for the AD Domain. Typically this would be the AD admin account name and password. What follows next will be a 5 step process. Depending on how well the AD has been configured this should take anything from 5-10 seconds and possibly 1-2 minutes. If it takes a short time this will be a good sign as to the 'health' of internal DNS Services as well as the AD configuration. The longer it takes the more the likelihood of problems.
    By the way there is no magic fix for integrating/binding mac clients to an AD Server. Over 90% of how well this goes will rest with how well the AD is configured.
    If the bind has been successful you should see a Kerberos TGT (ticket granting ticket) has been created in /Library/Preferences. It will be a file called edu.mit.Kerberos. You can inspect this and it should show the relevant details regarding the KDC (Kerberos Distribution Center). If you now log out you should see the Log in window display the local admin user as well as 'Other'. It should look like a shadowed head and shoulders in front of a star field. Select this and supply your AD name and password. Provided the AD admin has defined a UNC path in the Profiles tab for your account on the AD Server for home folder creation and that you have full read/write privileges for that folder then you should be logging into your locally created home folder that also gets created at the same time on the AD.
    It's best if you sync when logging out as there have been problems syncing at other times. Mileage may vary.
    Hope this helps, Tony

  • Retroactively create mobile account at login?

    Hi all,
    With one laptop configuration, after binding to AD, I overlooked the "create mobile account at login". This resulted in the main user of this laptop being able to authenticate only if they're connected to the LAN.
    How could one retroactively allow an AD account to be mobile once it's created? The obvious step of checking the proper enable box does not retroactively change the mobile status of an existing account.

    I learned that I'd misunderstood the problem- it was that no network accounts could authenticate on this machine, and the only way the main user could authenticate was to go off the LAN, not on.
    It was a clock time skew. I discovered it while trying to unbind from AD, and got an error regarding time. AD was disallowing network logins to the machine, and it was only the mobile account that was working.

  • Unable to create webOS account to set up HP Touchpad

    Alright, so I got my Touchpad Saturday, and tried to set it up the day after.  So in order to actually use it, you have to create a webOS account, but every time I try, I get the error "We are unable to create an account for you.  Please try again in a few minutes or contact HP for help resolving this problem.  Visit palm.com/support for more information."  I tried countless times, still getting the same error, even after starting the setup process over, restarting the touchpad and my router, trying different wireless connections, trying it at different times during the day, as well as changing the security question, password and email to see if that had an effect.  I have tried going to the site suggested and trying to chat online with them, as well as calling them, but they were busy, so I was hoping I could find an answer here.
    Post relates to: HP TouchPad (WiFi)
    This question was solved.

    I too am having the same problems and can't get the WebOS Doctor because I don't have the palm account. There has to be a way to download the doc without an account.

  • Unable to create Contract account

    I am unable to create contract account. I am getting the error message as "Key selection not defined for application R company code List of budget billing proceuders(R301)"
    How to go further?

    Hi, Jack
    Did you go to the path I indicated? In there, for each company code, you need to maintain which budget billing procedures you allow.
    0 means no BB procedure.
    SAP says:
    "If you enter 1 (statistical procedure), budget billing requests are managed as statistical items in the Contract Accounts Receivable and Payable (FI-CA) component and do not affect the general ledger.
    If you enter 2 (debit entry procedure), budget billing requests are posted as partial bills.
    If you enter 3 (payment plan procedure), the budget billing amount is requested as the new bill amount instead of the bill amount determined by billing and invoicing. The difference between the actual bill amount and the payment plan amount is managed in a special item. This procedure is used for monthly billing.
    If you enter 4 (payment scheme procedure), the bill amount is integrated into the budget billing plan. The bill can no longer be paid separately. The budget billing requests are posted as statistical items in the same way to the installment plan.
    If you enter 5 (down payment request plan), a special payment plan is created for industry customers. This plan is suitable for industry customers with monthly periods as the down payment plan for the month after next. To use this procedure, establish the settings in Customizing."
    After that, you need to maintain all the activities related to the BB procedures you want to use, in SAP Utilities / Invoicing / Budget Billing Plan. Check all activities and see what you need to customize.

  • Unable to activate mobile account

    Hi, I am in a dead end.
    I am trying to set up a mobile account on 10.8 Server, with 10.8 clients.
    So far, I got my Open Directory set up: server.name.private
    I created a new user in the Users tab, named test
    The Home Folder is set up for my Homes folder, which is on a secondary hard drive.
    This file is shared with File Sharing, and has read/write permission for the group of my user.
    If I check the folder permission in the Finder, it is strange, but I don't know how to clean them. Each group is there two times, and they have Custom privilege
    With Workgroup Manager, I selected my user, went to the Preferences tab, and set up the Mobility section.
    The options for Account Creation are Manage: Always, Account Expiry are Manage: Never and under Rules, Home Sync, I selected Once.
    On the client side, I activated the mobile account option, and entered the Open Directory address.
    And when I log in, I put my info test/password, and the message You are unable to log in to the user account "test" at this time. Logging in to the account failed because an error occured.
    And here is the log from the server
    CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile
    Does someone have a clue for me?
    Thanks!

    Can you wipe the systems and migrate the data? With my experience in Mobile Users this will probably be quicker than trying to troubleshoot Mobility problems.

  • Users unable to create or delete folders in migrated public folders using Outlook

    We have an Exchange 2013 CU3 environment migrated from Exchange 2007.
    The public folder migration was completed over the weekend.
    The environment has several public folder mailboxes.
    Post migration users are unable to create/delete new sub folders,  or modify permissions using Outlook on any of the migrated public folders.  Users can however create new top level folders using outlook. They can also create and delete new posts
    in migrated public folders.
    Admins are able to create folders and set permissions on migrated folders using the EAC.
    Test User accounts used for testing are set to use the Primary Hierarchy mailbox as their default public folder mailbox.
    Test Users have been given Owner permissions from the root down on the folders we are testing with.
    We have tested with Outlook 2010 and 2013 getting the same "Cannot create the folder" error.

    Further testing
    We moved a top level folder from a secondary PF mailbox to the primary PF mailbox using the New-PublicFolderMoveRequest command in powershell.
    After the move completed we could create new folders under the moved top level folder.
    The top level folder that was moved had its own sub-folders that we did not move to the primary mailbox. (We didn't move the whole branch.. Just the top level folder)
    We still cannot create or modify the existing sub-folders after moving the top level folder.
    We then moved the newly created sub-folder to a secondary PF mailbox.
    At that point we could no longer create sub-folders in the folder from Outlook.
    From what I can tell you can only create new sub-folders in folders homed to the primary PF mailbox when using outlook.
    Is this a bug or as designed?
    According to this Tech ed presentation Clients connecting to a secondary PF mailbox should have folder changes proxy to the primary PF mailbox.. (See slide 10)
    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/OUC-B329#fbid=
    Update : 2-5-2014
    Not much new to report other than it appears that users need to be homed to the primary PF mailbox to delete calendar meetings.
    Opened a ticket with Premier support.
    Update 2-11-2014
    Premier support continues to look into the issue. No ideas as to the cause yet.
    2-24-13
    Still no resolution from support or even a clue what is causing this.

  • Fresh Install (10.9.1) Unable to create OD accounts after crash and reboot

    I have a real big issue and I was hoping if someone could help me out or point me in the right direction.
    I have installed a new Server (10.9.1) for a client and everything has been working fine for over a month now, DNS resolving, users being able to login etc, no issues at all.
    But today (last night) the server crashed and they rebooted it, and today when i try to add a user I get an error:
    existing connection is not authenticated: password change denied
    I OK it then Cancel the adding, but find the user being added (bizarre!)
    When I try to setup the user email on the server for testing, I get an error with password being wrong, and I can't change the user password, with reset password the drop down just stays there and I have to cancel it.
    As a note, all current users within the OD are working fine. And as a test I tried to change a password for a current user and getting the same issue above. They are not mobile accounts, the server is being used for Email, Cal, Card, VPN and AFP only.
    I have had this issue before when installing a fresh server and the way I fixed it was to delete the OD and start again, but this time I have many users with a lot of emails/data so I need to be able to fix it rather than starting again.
    I have checked the DNS, flushed it, rebooted to no avail. Also I have checked and tried fixes that have been posted on this forum but most are talking about migration errors, even so they don't seem to work.
    Has anyone else had this issue? and fixed?
    Mac mini 2012 16GB 10.9.1
    Server 3.0.1

    Process with success:
    unzip the packet in: C:\APEX
    1. Install:
    @apexins SYSAUX SYSAUX TEMP /i/
    2. Change to password:
    @apxchpwd,
    3. Run apex_epg_config.sql
    On windows:
    @apex_epg_config.sql (page 30, the guide of installation)
    Important:Replace SYSTEM_DRIVE:\TEMP by C:
    E.g.: @apex_epg_config C:
    After this, follow the next steps
    4. ALTER USER ANONYMOUS ACCOUNT UNLOCK;
    Finish! Just execute apxldimg.sql script if you are upgrading from a preview release.
    Now try to connect in the browser, IE6 or later:
    http://localhost:8080/apex/apex_admin
    Then create your workspace.
    Edited by: [email protected] on 10/03/2009 11:59

  • User unable to create recurring events on public calendar.

    As the title says, I have a user that is unable to create recurring events on a public calendar.
    I have given full rights to the user even as owner and it still will not create recurring events.
    I'm convinced it's a permissions issue, but have no idea where to look any more. I've temporarily added the user in domain admins just to test, and it works! Why would this fix it? Why is being set as owner of the calendar not enough?
    She just keeps getting "You do not have permission to modify some or all of these items in this folder."

    What rights does she have on the folder?  You might try revoking her rights, then adding them back.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Rights were set to Publishing Editor.
    I changed the permissions to none and even removed folder visible. Confirmed she had no access and added them back. Still fails.
    Then removed user account from permissions list, confirmed, added back, tested, failed.

  • User Unable to Create Folders on Mapped Network Drive

    I have a user who is unable to create folders in a directory where she should have all the necessary permissions to do so.  She is a member of an AD group, and the effective permissions for that group include everything except:
    Full control
    Change permissions
    Take ownership
    The permissions are inherited from two levels up the tree.  So I went to the level from which the permissions are inherited and selected the "Replace all child object permissions with inheritable permissions from this object" option in order
    to force the permissions to be reapplied to the child objects.  That fixed the issue for about half a day.  The issue came back and as far as I can tell nothing was changed--she still appears to have sufficient permissions to create folders, and
    yet she cannot.  In fact, I established a remote connection to her machine and tried it myself (under her account) and was not able to create a folder at any level in the tree.
    I have confirmed that one other user who is in the same AD group can create folders at any level of the directory tree.  I have also confirmed that no explicit permissions are set on any of the folders in the tree.  So the two users have the same
    effective permissions, yet it works for one and not the other.
    Any help would be greatly appreciated!
    --Tom

    My apologies for letting this issue set for so long.  I got waylaid by a series of other more pressing issues and had to push this one to the back burner for a while, but I was able to come back to it and get it resolved today.  I wanted to report
    back for the benefit of others who may be reading this thread in the future.
    I think there were two separate issues:
    Conflicting permissions.  The user was a member of two groups--one that grants the permissions needed and one that grants more restricted access.  Her user account was also listed on the folder with more restrictive permissions than the groups. 
    She needs full access, so I removed her user ID and the more restrictive of the two groups.
    It appears that the changes were not getting written to the subfolders.  One of my co-workers suggested that I add her user ID with full control, make sure that change was made on all the subfolders, and then remove her user ID again and make
    sure the removal was made on all the subfolders, just to verify that the changes were getting written to the subfolders.  That worked.
    I'm not sure why the second step was necessary, since the first step should have been sufficient to force the permissions to be re-written on the subfolders, but I could not get it working without doing both of these steps.
    Thanks for the help on this issue, and again, my apologies for taking so long to get back to the group on this.
    --Tom

  • Cannot create mobile account

    I have to admit that I'm new to OS X server and what should have been simple isn't proving to be that way. I have managed to get one of my client laptops authenticating but now when I go to create a mobile account it works for some users but not for mine - I suspect this is because of a clash of names on the host laptop. Is this correct and how can I fix it?

    Look in the system log for clues.
    Also you can turn on ManagedClient logging from Terminal this way:
    sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
    Then reproduce the problem. The log will be here:
    /Library/Logs/ManagedClient/ManagedClient.log
    Remove /Library/Preferences/com.apple.MCXDebug.plist to stop logging (and increase performance).
    And please file a bug with Apple.

  • I am unable to create an account on the HP eprint center login page

    Has anyone else had problems creating an account on the eprint center login page

    Try following the instructions in the iPod Users Guide:
    iPod touch User Guide (For iOS 4.3 Software)
