Question: big sur - active directory logon without office network

Hello,

One of my users recently updated his MacBook Pro to Big Sur.

From that moment he can't log in outside the office network; OS X is joined to an AD domain (Windows 2019 server) and we use AD accounts (a mobile account is created in /Users during the first login).

I also tried turning off the network and rebooting (inside the office), and he was right: without our network he gets the error "account is locked".


We don't use JAMF.


We have used the same setup since about 2005 and never had this kind of issue (we also avoid upgrading OS X before 9/10 months of testing).


Thanks

Posted on Nov 30, 2020 9:06 AM

Question marked as Helpful

Dec 29, 2020 8:57 AM in response to mz_teddy

I'm having this same problem right now as well.


I have an admin account on my box, and I'm able to log in on that admin account. From there I can connect to my corporate VPN and then I can switch users and I'm able to sign into my account. Once I'm in my account I have to connect to my corporate VPN again and then I'm able to work.


Such a janky workaround...


@Apple, please get this bug resolved.

Dec 2, 2020 6:30 AM in response to mz_teddy

Tests I've made so far:

  • remove/rejoin from AD
  • recreate user account on the MacBook (renamed user dir -> user login -> create user folder)


The issue also occurs on screen lock (if the user tries to unlock outside the office network).

Actually, if the user needs the MacBook outside, I've disabled the system lock and he should never restart or power off the computer when out of the office.




Jan 14, 2021 4:19 PM in response to mz_teddy

I've had this happen (or one very similar) with 2 users who jumped the gun and went to Big Sur, and were soon locked out of their Macs.

In each case, they had to ship their laptop to the office. I back up, erase, install 10.15, restore user.

Big problem for us.


I'm trying to test the exact trigger for this. It was some kind of password update that the user did (reportedly the AD password update while on VPN). Let me know if you have any details on this.


Current theory for a fix is to use NoMAD to re-establish the AD password to the Mac, but I haven't been able to test it out yet.



Jan 15, 2021 8:33 AM in response to scottjking

Yes, scottjking, I did a full backup with Carbon Copy Cloner and made sure it was bootable. Then erased the Mac. Installed 10.15 from an external utility drive.

Now copying data back is a pain since 10.15 did not read the Big Sur drive formats. So I used another 10.16 partition to boot from and then just cloned the user's folder over into the 10.15 internal drive.

Time Machine might work, but sometimes it will reject it, as the destination is older than the backup.

Next time, I plan to just back up the Big Sur drive to a disk image with CCC and then erase and restore from that. Might save a step.


Jan 25, 2021 1:15 AM in response to mz_teddy

Hello,


I've tried to reset the account, remove it from AD, but nothing worked.


One thing did the trick though; you will need an Admin account on the same computer.

  1. Log in with the Admin session (make sure that you have administrator rights enabled)
  2. Connect to your organisation VPN
  3. Use the fast user switching from the menu bar
  4. Log in to your session: it worked 100% every time for my case


Jan 29, 2021 6:27 AM in response to 8leonn

My boss is not going to use that "workaround"; if that's the only way, she will go back to using the Windows Dell laptop instead. The solution should be (as Windows does) to store the password hash locally and validate against this stored password when not connected to the domain.

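Added here as an example and not from any post in this thread: a read-only check an admin can run on a Mac before a user leaves the office network, to see whether the mobile account actually carries the local cached credential that offline login depends on. It assumes the account record is read with `dscl` (a real macOS tool) and that a cached mobile account shows a `;LocalCachedUser;` entry in its `AuthenticationAuthority` attribute; the helper names and the three sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classifies a macOS account record by
# whether it can authenticate with the AD domain controller unreachable.
# Assumption: dscl prints the AuthenticationAuthority attribute, and a mobile
# account with a local cache carries a ";LocalCachedUser;" entry in it.

# classify_account AUTHORITY_TEXT
# Prints "cached-mobile" when a local cached credential is present,
# "network-only" for a domain account without one, "local" otherwise.
classify_account() {
    case "$1" in
        *';LocalCachedUser;'*)                  echo "cached-mobile" ;;
        *'/Active Directory/'*|*';Kerberosv5;'*) echo "network-only" ;;
        *)                                       echo "local" ;;
    esac
}

# offline_login_ok USERNAME
# Live check for one account on the machine; returns 0 only when a cached
# credential exists, so the account should unlock without VPN or the office LAN.
offline_login_ok() {
    auth=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null) || return 1
    [ "$(classify_account "$auth")" = "cached-mobile" ]
}

# Constructed sample records (placeholder realm, user and GUID, not real data).
SAMPLE_MOBILE='AuthenticationAuthority: ;Kerberosv5;;jdoe@CORP.EXAMPLE;CORP.EXAMPLE; ;LocalCachedUser;/Active Directory/CORP/corp.example:jdoe:00000000-0000-0000-0000-000000000000'
SAMPLE_NETWORK='AuthenticationAuthority: ;Kerberosv5;;jdoe@CORP.EXAMPLE;CORP.EXAMPLE;'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Usage: sh check_cache.sh USERNAME (run on the Mac itself).
if [ -n "${1:-}" ]; then
    if offline_login_ok "$1"; then
        echo "$1: cached credential present, offline login should work"
    else
        echo "$1: no cached credential, login needs the domain controller (or VPN)"
    fi
fi
```

An account that reports "network-only" is the state the thread describes: it will only authenticate while a domain controller is reachable, so the admin-plus-VPN user switch is needed.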

Feb 4, 2021 9:16 AM in response to mz_teddy

I got so sick of dealing with this, I started to try lots of different ways to figure it out.


What worked was this:


I upgraded to 11.2 and then took a time machine backup.


I then wiped my machine and reinstalled the OS. I upgraded it to 11.2 and then used Migration Assistant to bring my data back to the machine. After having to sign into a million pop-ups and allow permissions for everything again, I was able to get my machine working as expected.


Finally my mobile account works again.


Feb 10, 2021 11:42 AM in response to scottjking

Have you confirmed this issue did not come back the next time you changed your password? Password changes (made from the System Preferences > Users & Groups panel while bound to AD) are what seem to be triggering this for our remote users on Big Sur.


You may have gone through all of that to only have it come back next password change - hopefully not.


Feb 10, 2021 12:44 PM in response to venicejeff

Not sure. We initially saw this on machines that were being set up as replacements and were upgraded to Big Sur in the process, and the users had changed their AD passwords on their existing machines, so those passwords were changed outside the laptops themselves.


Today, we got a report of an associate who had previously had his laptop in use, and Big Sur was updated while remote. He updated his password via System Preferences, but it still triggered a lockout upon reboot. He would have been on VPN access while working remotely when he changed the password. Anecdotally, another user had done the same, with no issues.


I have also figured out the local admin account + fast user switching trick mentioned above, but that is not feasible for these users, as they are not granted admin access.




Feb 18, 2021 2:55 AM in response to mz_teddy

We have the same issue. Mobile account created during the first boot.

Initially we tested Big Sur on several MacBooks and we didn't have any problems.

One week after we installed Big Sur on all MacBooks some users couldn't login and got "account is locked" error.

Since the user cannot connect to VPN before logging in to the account, we can't do anything about it.
