Workgroup Manager missing users running on 10.6.7 client

Similar Messages

• Workgroup Manager: Adv, User Password Type grayed out (was Shadow Password)

  I've set Workgroup Manager, Advanced, User Password Type: Shadow Password, Options to inactive after 90 days, fail after 5 attempts, allow user to change password, at least 8 characters every 90 days. Today after user logged in to the console, the user locked herself out remotely via sftp, ssh, & xterm from a WinXP PC running ReflectionX.
  I went to the console, used Fast User Switching to bring up my admin account (her account was still logged in), we reset the password with Workgroup Manager so the red X is no longer on her username.
  However, the Advanced User Password Type: drop down list is blank and grayed out and she can't log in? How do I reset this? The user has a lot of files, I'm afraid to delete and recreate the user account. That seems pretty drastic for an invalid password attempt. I've rebooted and ran Apple Updates for good measure. Any ideas how to put Shadow Password back in that box?

  To unlock the user's account, after backing everything up and noting the user's uid, home dir, groups, etc, we deleted the user in WorkGroup Manager and readded her putting the user id, home dir, etc back the way it was. Everything seems to work again. The home directory files were not deleted when the user account was deleted so everything just reattached.
  Still have no idea how we managed to get things so confused in the first place? The Server UI is so much more complicated and inconsistent from the client OS for dealing with users. The Mac OS X Server for Dummies book I found did not have a troubleshooting section and was no help in resolving this. We ended up contacting the Mac User's Group.
  I was blown away to get an email survey from Apple support asking me to rate my opinion of my help request. I didn't get any help! They told me my 3 years of AppleCare don't apply to the Server OS I installed separately after buying the mac. Mac OS X Server has 90 days of support that I never used but had expired. They offered to sell me a help ticket for $99.
  This has not lived up to the user experience I was hoping to have. I regret the day we "upgraded" to the server. Is there a way to downgrade? Now that there is only 1 unlimited version, we're totally stuck. We have no mac client connected, just PCs via sftp, ssh, vnc, & X windows...

• Where is the "Limited" Option on Workgroup Manager for User Administration Capabilities

  Hi, on Lion Server wen we create an OD User, in Privileges window, we had the Administration capabilities: "Limited" Option, but on Mountain Lion there´s only Full and None Options.
  There´s another way tio limit the acces to users?
  OPTIONS ON LION SERVER:
  OPTIONS ON MOUNTAIN LION SERVER:

  I think you have just gotten the updated layout that Google started rolling out last month: http://insidesearch.blogspot.com.au/2012/11/spiffing-up-your-search-results-page.html
  People have been publishing methods for reverting the layout, which mostly involve replacing some of Google style rules with new (old) ones. For example (I haven't tried it myself):
  Greasemonkey userscript: http://userscripts.org/scripts/show/152796

• AD Users not showing up in Workgroup Manager

  Hi, I'm configuring a new installation of 10.4 server on an Intel Xserve to integrate with an already existing AD domain and provide group policies to Mac users via OD.
  So far, the install has been so smooth, fast, and simple. The Xserve has been joined to the AD domain, Kerberos is running, and I have an active OpenDirectory Master.
  Now, when I go to Workgroup Manager, the users in the AD domain do not show up and if I try to authenticate with the same username and password I used to bind to the domain I get the error "The login information is not valid for this server". Also, if I use dscl I can navigate to "/Active Directory/All Domains/Users" but if I try to run ls I get "ls: DS error: eDSCannotAccessSession".

  Hi Tim
  You are almost there but not quite.
  Firstly its not important if the AD Server does not have a reverse pointer. As long as the OD Master does that should be enough. Ultimately it would be better if there was one configured but there is not much you can do about that is there? I doubt very much if the AD Admin is going to want to fiddle with a 'live' DC's DNS Service if its likely to affect his domain?
  What I generally do is this:
  Make sure SMB Digital Signing is Not Enabled on the AD Server. There should be at least two places where this has to be disabled. If the 'powers that be' have defined SMB Digital Signing then SFM (Services For Macintosh) must be installed. If its 'nada' to both then you will be severely limited in integrating OSX Server and mac clients with AD. Yes of course make sure there is an (A) and Reverse PTR for the mac server. Next bind all mac clients to the AD Server and make sure the AD Server is listed first for Authentication and Contacts, also make sure mac clients are using the AD for authentication. Test and verify a mac client to see if (a) home folders are created and accessed and that mac clients successfully log in. You sometimes don't get the two.
  Now turn your attention to OSX Server. Make sure you have (a) reserved a fixed IP address for it in the AD's DHCP Service and you have placed the AD's IP address as the primary IP address in the DNS Server's field in the Network Preferences Pane (b) tested DNS fully and that OS X Server resolves correctly on the forward and reverse pointers for itself. Now bind OSX Server to the AD using the Active Directory plug in in Directory Access and an AD admin account that has authority for the Domain. Launch Workgroup Manager and you should see AD Users and Groups have 'flowed' into the /Active Directory/All Domains node. Quit out of WGM and launch Server Admin. Enable the AFP Service and set the authentication method to Any Method. Select Open Directory and change the Role from Standalone to Open Directory Master. You will be prompted to create the default Directory Administrator account diradmin (UID 1000). You should see the Kerberos Realm and search base fields autofill with the fqdn of the Server. Change both of these to reflect the fqdn of the AD Server. For example if the fqdn of your mac server is osxserver.addomain.com and the windows server is adserver.addomain.com then change the information presented in thos fields to ADSERVER.ADDOMAIN.COM and dc=adserver,dc=addomain,dc=com. As you can see you should only need to change the first part. Click OK or Continue and you should now have an OD Master that is not the KDC (Kerberos has been stopped). This is the state you want it be in before going any further. You can now 'kerberize' the AFP Service you started previously by selecting the kerberize button and using the same AD admin account you used to previously bind the server to the AD. To doublecheck if the AFP Service has been kerberized launch terminal and issue:
  sudo kadmin.local -q list_principals
  You should see an entry for [email protected] amongst others.
  Now launch Directory Access and make sure the server's loopback address is listed in the LDAPv3 plug in. Make sure that the server is listed first in the Authentication and Contacts fields. Quit out of Server Admin and launch WGM. Navigate to the /LDAPv3/127.0.0.1 node and you should see diradmin waiting for you. Open another connection window in WGM and navigate to the /Active Directory/All Domains node. When you authenticate the /LDAPv3 node you use diradmin, when you authenticate the /Active Directory node you use the AD admin account. Create a Group in the /LDAPv3 node select the + icon and toggle between the two nodes as you select users or groups and add them to your /LDAPv3 node. Once you are happy select a preference to manage, apply desired changes and save the changes. This is better done on a client machine with the Server applications installed.
  Back to your mac clients. Begin to join these to the LDAP node using the LDAPv3 plug in in Directory Access. Use the Server's IP Address or its FQDN if the DHCP Server is also doling out DNS information to networked clients. Its IP address should be good enough. Don't bother with authenticated binding and make sure clients are not using the OD master for authentication and contacts. Lastly make sure the Active Directory/All Domains and the /LDAPv3/OD Master IP address or fqdn are in that order for browsed directories.
  Its best if you have a secure local admin account on all your mac clients and that each mac is named differently. Set this in the Sharing Preferences Pane.
  Begin to test. If everything is OK you should now have mac clients logging into home directories controlled by AD as well as OD Managed Preferences being applied.
  One final thing. Avoid using .local as the basis for the DNS Service. I realise in your environment you have no control over that. In which case make sure all mac clients have the AD's .local domain name in the Search Domains field in the Network Preferences Pane. If your clients have Leopard installed you should not have to bother as Leopard copes with .local name resolution better than previous versions of the OS.
  As ever how successful you are and how long it takes will depend mostly on how well the AD is configured. There is no magic bullet that can be used on the mac side to fix a poorly configured AD environment. If everything is as it should be regarding the AD Server it should not take you longer than 10-20 minutes (after server installation) for the server and possibly 2-3 minutes for each client. It really should not take that long.
  Does this help?
  Tony

• Can't log in as a user created in Workgroup Manager

  I am a little confused about users created in Workgroup Manager.
  I have created an account with all the proper permissions to log in etc. Their home directory is listed as afp://home/Users (home is the name of the server). The directory for the user I am trying to log in as doesn't exist yet.
  When I try to log into the server "home" with this newly created user, I get the vibrating window that indicates the log in failed.
  I am used to windows and AD where I would create a user in AD and then use something like \\domain\user to log in to the machine as that user. If i wanted to create a local user on that machine, I could do that too and then log in as \\machine\user to get the local user.
  Are Workgroup Manager created users like AD users? Can I use them to log into any machine on the network hooked up to the SL server machine? In this case I want to log into the SL Server machine with this user.
  Thanks for any insight
  Greg

  There is only one root user, so saying "a root user" doesn't make sense. What you mean is an admin user, and it looks like your account has somehow manage to lose its admin privileges.
  Follow the instructions in I lost my admin user and you should get them back.
  Note that in this User Tip, 'youruser' is a placeholder. You are supposed to substitute the short name of your account wherever it appears.

• Manage users and groups on 10.5 client like 10.5 server?

  can anyone recommend software for managing local users and groups on 10.5 client? we only need filesharing and don't need the added expense of OS X Server.
  thanks

  oh, right. we can add users with the File Sharing pref pane and can add groups under the Accounts pref pane.
  i'm assisting a friend reconfigure a 'server' (os x client box) that was damaged.
  i'd like to create a new group and then add a handful of users to that group for filesharing. these users don't really need to access the mac for local login.
  they are using Windows Vista from the clients and the way it's set up now, if a user connects and modifies/creates a file, no one else can then modify the file. we have to run chmod on the file/directory for everyone to be able to change it. i'd like to configure it so the permissions work correctly without having to do this.

• Group membership for users is not reflected at the client until full reboot

  Ok, so I am new to this:
  So I created two groups on the server g1 and g2. Created two server users u1 and u1. I have one client with three accounts: System Admin, u1 and u1.
  On the server:
  g1 has one member u1
  g2 has one member u2
  When I swap the membership on the server using Server pref. or Workgroup manager, the users on the client still have access to their original group.
  I tried logging everyone out of the client. I does not work.
  The only way is to reboot the client completely. However, sometimes when I change the membership it does get reflected on the client. Any ideas?
  Equipment:
  One (1) Mac Mini Server 10.6.3, clean install. (defaults to OD)
  One (1) MacBook Pro 17" , 10.6.4
  Is there a way to push?

  Answer!
  UAC (User Account Control) must be set to OFF to disable this message.
  Another error message that really has nothing to do with what's really happening!
  Ugh.

• Server admin not seeing directory users from workgroup manager

  I am setting up a new Xserve with Snow Leopard (get 'em while we can). We have eight other XServes running Leopard or Snow Leopard server. On those machines we have set up file sharing over AFP. The machines are connected to our Active Directory server and our users authenticate using their domain passwords. All of our other servers were setup in Leopard and were upgraded to Snow Leopard. We have not had any issues authenticating to those boxes.
  This is the first one that we have actually setup new-out-of-the-box in Snow Leopard. I can set Workgroup Manager up to connect to our AD, and can see and search my domain users and groups in Workgroup Manager. When I try to set up my File Shares in Server Admin, none of my domain users show up-only local accounts.
  What have I missed? In Leopard, when I connected to the domain, the users immediately became available in Server Admin. Not so in SL, at least on this box.
  Help?

  Hi
  The first thing to check is if you've bound the Server to the AD Domain. The second thing is if the /Active Directory/All Domains is in the Search Policy. If you don't do either of these WorkGroup Manager won't display anything coming from the AD Schema.
  In 10.6 Apple moved the Directory Utility from where it used to be in /Applications/Utilities and made it part of the Accounts Preferences Pane. Perhaps it's this change that's confusing you? I would not advise doing this but it's also possible you used the Server Setup Assistant to do most of the configuration? If you did maybe something went wrong at that stage (won't be the first time) and you need to manually bind the Server instead?
  As ever make sure this server is using the same NTP Server as the others.
  Tony

• Error -14135 Creating New User In Workgroup Manager

  Hello,
  I'm running 10.5.8 on a Mac Server, and until today have had no issues adding new users with a preset I've created in Workgroup Manager. Today, I've received the message:
  Got unexpected error
  Error of type eDSRecordAlreadyExists (-14135) on line 1268 of SourceCache/WorkgroupManager/WorkgroupManager-361.2.1/PMMUGMainView.mm
  This error appears before I'm even able to enter any information.
  I would appreciate any suggestions! Right now I'm running Disk Utility and repairing permissions. I haven't found any other ideas online.
  Thank you!

  Following is the text from Note for Custom Password Validation logic:
  Customers who wish to use their own password validation logic may do
    so by writing their own Java classes that implement the
    oracle.apps.fnd.security.PasswordValidation Java interface.  The
    interface requires 3 methods to be implemented:
    1) public boolean validate(String user, String password)
      - This method takes a username and password, and then returns true
    or false, indicating whether the user's password is valid or invalid,
    respectively.
    2) public String getErrorStackMessageName()
      - This method returns the name of the message to display when the
    user's password is deemed invalid (i.e., the validate() method returns
    false).
    3) public String getErrorStackApplicationName()
      - This method returns the application shortname for the
    aforementioned error message.
    After writing the Java class to perform customized password
    validation, the customer must then set the value of the profile option
    SIGNON_PASSWORD_CUSTOM to be the full name of the class.  If, for
    example, the name of the Java class is
    oracle.apps.fnd.security.AppsPasswordValidation, then the value of the
    SIGNON_PASSWORD_CUSTOM profile option must be
    oracle.apps.fnd.security.AppsPasswordValidation.  Note that AOL/J
    will attempt to load this class dynamically.  Hence it is necessary to
    make the class accessible by AOL/J.  This means that in Forms, the
    class must first be loaded into the database using the loadjava
    command.
  You will need to apply the following patches for 11.5.1:
     1344802
     1363919
     1472974
     1351004
     1377615
  You will need to apply the following patches for 11.5.2:
     1377615

• HT1338 XSERVE 10.6.8 is running very slow, and Workgroup Manager is not responding

  XSERVE 10.6.8 is running very slow, and Workgroup Manager is not responding. There is no more updates to download.

  munish khanna wrote:
  1. upgrade to lion, which should over write previous software and the reasons for it being slow.
  No, you don't want to upgrade over a buggy system, Lion has issues of it's own that will only complicate matters, plus Lion is slower than Snow Leopard.
  Learn all the pitfalls before you upgrade to Lion, like all your Rosetta/older programs will no longer work and more.
  Leave Lion for a new hardware purchase is my advice, it's still got plenty of security and other issues.
  For your performance, your likely better off replacing the hard drive with a 7,200 RPM model and maxing the RAM, download the free MacTracker to find out your specs, and OtherWorld Computing is good for videos, tools and parts.
  http://eshop.macsales.com/installvideos/
  2. Format the hard disc and reinstall snow leopard.
  That will work, provided your data is off the machine first.
  Now how do i reinstall snow leopard as it was an online purchased upgrade from leopard.
  The 10.6 Snow Leopard disk that you upgraded 10.5 Leopard from actually has the full OS X 10.6 on it.
  All you have to do is stick the disk in and hold the c key down while booting, use Disk Utility to erase the entire drive, quit and install 10.6.
  Of course your not going to get the free iLife that came with the 10.5 grey disks, see if you can first install 10.5 with the same methods, then setup with the same user name as before, then upgrade to 10.6
  I think Apple nulled booting off the 10.5 disks, but it won't hurt to try.
  Another method would be to install 10.6 fresh by itself, then use the program called Pacifist to extract iLife from the 10.5 disks.
  http://www.charlessoft.com/
  Read here for plenty of how to's
  https://discussions.apple.com/message/16276201#16276201

• Nested AD User Groups in Workgroup Manager not working in Mavericks

  The setup is the traditional Golden Triangle, so Active Directory for users and groups, Open Directory for Managed Preferences. Both Apple clients and server are running 10.9.0
  While I can successfully manage the Mac's via OD computer groups, the OD user groups with nested AD groups no longer appear to work. If I nest an AD user it works fine, but not the AD users group.
  This is a new AD and new OD, no migrations. This is a setup I've done countless times over the years, but since Mavericks has been introduced, I can no longer make this work.
  Any help would be greatly appreaciated.
  Thanks,
  Alex Price

  Hello
  I have been having the same problem, when adding an AD Group to an OD group the users in the AD group are not managed, but if i add the user to the OD group it works fine, (with about 5000 active users this is not an option) this has been a problem with 10.9 and has not been fixed with 10.9.1, i assume we need a update to Workgroup manager?
  Maverick server is useless at the moment, cant upgrade the clients to Maverick if i cant manage them, are Apple just tring to make my job more difficult than it needs to be, i was happy that they provided Workgroup Manager for Mavericks because Profile Manager is simple not an option, but it would be good if it worked properly, its not a small problem so you would think apple would make it a priority.

• Workgroup Manager Find/Search only working for User ID

  Hello,
  I recently updated my OD Master from 10.6 to 10.7, running on an Xserve 3,1.
  The upgrade went fine and I have all my users and groups intact.
  However, in Workgroup Manager, when I search by "Name Contains" it will not do a search on the "Name" field.
  It appears that no matter what search method I choose, I can only search on the "Short Names" field.
  I still have another 10.6.8 Server with WGM on it and it does not have this issue, so it appears to be a specific issue with WGM for 10.7 (I have seen the same thing using WGM for 10.8)
  Any ideas?

  I noticed somewhat similar behavior a while ago - but my WGM window shows User Name (which is Name, not short name) and that can be searched by the last name, but not the first name.  As in a search using smith will find John Smith, but a search using john will not.  If the short name is jsmith, a search using jsmi will also work.
  However, using the Search button in the top tool bar will work with real names.  This picture doesn't actually prove that, but i did search on a first name and it did find it.  IE, a search of John in real names found John Smith.
  I think this is just how it is now.

• Workgroup manager crash on creating a new user?

  Everytime I add a new user to workgroup manager, it crash.
  When I launch it again it has created a new user called untitled,
  I can edit that user but not change its shortname,
  so that user will forever be called untitled.
  I run 10.4.7 with 10.4.7 admin tools, even tho workgroup manager still say 10.4.4
  Is there some way I can manually add a user to give it the proper shortname and then edit it with workgroup manager?
  I've had this problem for a long time, and system upgrading and permission fixes doesnt solve the problem!

  I am having the same issues. I will let you know what I find out.

• Recreate user account in Workgroup Manager, empty mailbox

  We have OS X 10.3.8 Server version. Postfix mail server.
  We have a user/account with email problems and a huge mailbox. He (user: gordon) had over 16000 emails in his mailbox (/var/spool/imap/user/gordon). All other mail users on this server work fine, including newly created user accounts.
  Our solutions was to try and delete all mail from his mailbox via Terminal. This did not seem to decrease the size of his mailbox. Our next idea was to delete this user in Workgroup Manager and then re-created this user. Hoping to created an new mail setup and empty mailbox. This idea failed aswell.
  How does one basically purge an old account/user in Workgroup Manager, and then, recreate that same user name and effectively recreate the user with a new account, including a new/empty mailbox?
    Mac OS X (10.3.8)  

  cyradm is not part of 10.3.x
  To use it you would have to install it first. See here:
  http://www.afp548.com/article.php?story=20040814204411280&query=cyradm
  And then follow the instructions given beforehand.
  Having said that, your issue can be resolved differently. You deleted all mail manually in the file system (not a good idea, but what is done is done). So the mail is actually gone. What you are seing is Cyrus' index. Since you deleted manually the index didn't get updated. To get rid of the problem either reconstruct that users mailbox throgh Server Admin - > Mail or alternatively run:
  sudo -u cyrus reconstruct -r user/gordon (assuming that's the user's name)
  Alex

• Problem with home directories NOT in Users and Workgroup manager

  I am setting up a Leopard server (10.5.3) with the users directories in /h1. This is mounted as /Volumes/h1.
  It is exported under AFP as /h1.
  When I try to get Workgroup manager to create a home directory, I can enter the home directory as:
  afp://quattro.innocon.com/h1
  path is 'user'
  Full path is:
  /Network/Servers/quattro.innocon.com/Volumes/h1
  However, when I try to log in as this this user, it says that the directory /Network/Servers/quattro.innocon.com/h1/username does not exist.
  I cannot seem to figure out why the 'Volumes' part of the full path is being lost.
  Any ideas on how to get this right?

  have you checked to see if /Network/Servers/quattro.innocon.com exists?
  I'm having ALOT of issues with automount not picking up on the mount-maps set by Open Directory.. If anyone has any solutions on this it would be great.