User suddenly can't log into Mac bound to ActiveDirectory

I have bound the Macs of 3 of our Mac users to our Active Directory domain. One of the users occasionally can't log into her Mac with her Domain account (the login screen "shakes" at her).

This has happened maybe twice last year. The past two times, the issue has magically resolved itself after about 30 minutes of doing nothing (she worked on her PC and I searched the forums for any known causes).

This is the 3rd time it's happened. No changes were made to the Mac or the network, and everything was fine yesterday. Today, when she went to log in, suddenly she couldn't. (She is able to log into her PC.)

She did change her password about 2 weeks ago, and has been using that new password successfully on both her Mac and PC.

The only thing that happened this morning was her account was locked out, it was unlocked hours ago and she can log into her PC.

Could it be the Mac still thinks her account is locked out? I can't remember if her account was locked out the last 2 times this happened, I don't think it was. This issue seems very sporadic and random.

Also, my Mac, which is bound to AD, authenticates me just fine.

Mac OS X (10.4.10)

Posted on Jan 8, 2008 7:40 AM


Jan 8, 2008 8:21 AM in response to Apr2009

I checked my notes on this and the last time this happened to this user was in August and her account wasn't locked out at the time. So I don't think her account being locked out caused the problem.

I was able to fix it this time by unbinding the Mac, deleting the computer account from AD, and binding the Mac back.

I did a little searching on Google and found an old post where someone had the exact same issue. Some of his users would occasionally not be able to log into their AD-bound Macs. Sometimes logging in with a local account, then back out would fix the issue, sometimes the issue would resolve itself after some time, and sometimes they had to re-bind the Mac to the domain.

I would like to bind all our Macs to AD so our users can use their domain accounts instead of having local accounts, but this issue is what is keeping me from doing it.

Any ideas would be greatly appreciated.

Jan 8, 2008 11:59 AM in response to Apr2009

Are your Macs pointing to your domain controller for time synchronization? If the Mac's clock gets more than a few minutes off of AD's clock you won't be able to log in. Generally all domain controllers run network time services so you should be able to point directly to your domain and get the proper time.

I would also point out, we got sick of the problems with Apple's AD plugin so we went out and purchased ADmitMac by Thursby Software. It seems to be more reliable and since it's their main product they can usually identify and fix problems in a day or so.
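
Added example, not part of the original thread or any poster's code: a sketch of the clock-skew check the reply above describes, computing the Mac-to-domain-controller offset from an SNTP reply and comparing it to the Kerberos tolerance. The 300-second limit (the usual AD default), the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300         # assumption: Kerberos default tolerance (5 minutes)
NTP_FORMAT = "!BBbb11I"        # 48-byte NTP header: 4 bytes + eleven 32-bit words

def _to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def _to_ntp(unix_time):
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2**32)

def parse_reply(packet):
    """Return (server_receive, server_transmit) as Unix times."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    f = struct.unpack(NTP_FORMAT, packet[:48])
    if f[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if f[1] == 0:
        raise ValueError("stratum 0: unspecified or kiss-of-death reply")
    return _to_unix(f[11], f[12]), _to_unix(f[13], f[14])

def clock_offset(packet, t1, t4):
    """Server-minus-client offset; t1/t4 are the client's send/receive times."""
    t2, t3 = parse_reply(packet)
    return ((t2 - t1) + (t3 - t4)) / 2

def within_kerberos_skew(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) <= limit

def build_constructed_reply(server_rx, server_tx, stratum=2):
    """Constructed sample reply (LI=0, VN=4, mode=4) so the example runs offline."""
    return struct.pack(NTP_FORMAT, 0x24, stratum, 6, -20, 0, 0, 0,
                       *_to_ntp(server_rx), 0, 0,
                       *_to_ntp(server_rx), *_to_ntp(server_tx))

if __name__ == "__main__":
    t1 = 1199800000.0                      # constructed client send time
    t4 = t1 + 0.021                        # constructed client receive time
    for skew in (2.0, 420.0):              # DC ahead by 2 s, then by 7 minutes
        reply = build_constructed_reply(t1 + skew + 0.010, t1 + skew + 0.011)
        off = clock_offset(reply, t1, t4)
        print(f"offset {off:+.3f}s -> within tolerance: {within_kerberos_skew(off)}")
```

Against a live domain controller, the packet would come from a UDP port 123 query, with t1 and t4 taken from the Mac's own clock around the request.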
