
big sur - active directory logon without office network

Hello,

One of my users recently updated his MacBook Pro to Big Sur.

From that moment he can't log in outside the office network; OS X is joined to an AD domain (Windows Server 2019) and we use AD accounts (a mobile account is created in /Users during the first login).

I also tried turning off the network and rebooting (inside the office), and he was right: without our network he gets the error "account is locked".


We don't use JAMF.


We have used the same setup since about 2005 and never had this kind of issue (we also avoid upgrading OS X before 9/10 months of testing).


Thanks

Posted on Nov 30, 2020 9:06 AM

Question marked as Best reply

Posted on Jun 11, 2021 4:17 PM

Wow, literally just resolved this on a whim. I have posted in this thread (https://discussions.apple.com/thread/252264961?answerId=252264961021&page=2) too, but here is a recap:

Based on this article (https://support.apple.com/en-ca/guide/directory-utility/ior6d33c187e/mac), the password needs to be updated in 3 different places. Re-joining the laptop to the domain and purging the keychain did not help, but this did it.

- connect to the domain (ethernet cable preferred)
- go to System Preferences > Users & Groups > click on "Change Password" for the domain account (the affected user profile) > change your password
- verify the password is updated somehow -- "net user THEUSERNAME /domain" in Command Prompt -- or just wait a couple of minutes for the change to sync to AD
- disconnect from the domain (go offline with no WiFi connection)
- try logging back in with the newly changed password

The password needs to be updated in 3 different places, so deleting the user profile, resetting the keychain, or re-joining to domain, or whatever else you do will not be sufficient. On the Mac OS backend, it needs to find and update all 3 of those different stores simultaneously -- and it's only through this method that that works.


Give this a shot! It has worked for our user. I'm just wondering if the user profile will break again... and I won't be surprised if it does. One step at a time though!

27 replies

Dec 2, 2020 6:30 AM in response to mz_teddy

Tests I've made so far:

  • remove/rejoin from AD
  • recreate user account on macbook (renamed user dir -> user login -> create user folder)


The issue also occurs on screen lock (if the user tries to unlock outside the office network).

Actually, if the user needs the MacBook outside, I've disabled the system lock and he should never restart or power off the computer when out of the office.



Jan 25, 2021 1:15 AM in response to mz_teddy

Hello,


I've tried to reset the account, remove it from AD, but nothing worked.


One thing did the trick though; you will need an Admin account on the same computer.

  1. Log in with the Admin session (make sure that you have administrator rights enabled)
  2. Connect to your organisation VPN
  3. Use the fast user switching from the menu bar
  4. Log in to your session: it worked 100% every time for my case

May 31, 2021 12:07 AM in response to 8leonn

I wish this worked for me, as that workaround would at least allow me access again, but when I try the fast switch it prompts me for the password and says the account is locked again. Is there anything you are doing that allows fast switching without a password, or do I have a different problem?


One thing I'll add, which isn't mentioned in this thread, is that you can do the following, which doesn't solve the problem but might be a useful step forward.


  1. Using a local admin account on the machine, enable screen sharing
  2. Connect to the VPN
  3. On another machine on the same network, initiate a screen sharing session
  4. During the connection, you get a choice to log in as a different user - use the AD user for this (seems to work because the VPN is connected, I guess)
  5. Once you are remotely logged in as the locked user you can connect to the VPN again.


Hope that helps! I'm really stuck with this; I spent all weekend on it and am now travelling into the office tomorrow in the hope someone can fix it.

Jun 28, 2021 11:16 AM in response to mz_teddy

  1. Yes, an Admin account and VPN connection are required if you are working from home. Even the user password is required to create the new account.
  2. Rename the user profile from /Users/username to /Users/usernameX
  3. Delete the user account from System Preferences > Users & Groups
  4. Run the commands below using Terminal
  5. sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
  6. dscacheutil -q user -a name username
  7. sudo dsconfigad -passinterval 0
  8. Login
  9. Enter user
  10. Password
  11. This will create a new user account
  12. After this we need to restore the user profile
  13. Rename /Users/username to /Users/username_Del
  14. and then /Users/usernameX to /Users/username


Jun 28, 2021 11:31 AM in response to mz_teddy

Log in with the admin account and connect the VPN.

Rename the user profile to aduser1X.

Delete the user from Preferences.

  • sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n aduser1

Enter the superadmin password.

Enter the username as superadmin.

Enter the superadmin password.

  • dscacheutil -q user -a name pragyatripathi
  • Login

Enter aduser1.

Enter the password.


Provide temporary admin access and run the command below:

  • sudo dsconfigad -passinterval 0

Remove admin access.

Rename aduser1 to aduser1Y.

Rename aduser1X to aduser1.

And restart the computer to log in.


Here, superadmin = admin account, aduser1 = user account.
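The two replies above describe the same recreate-the-mobile-account procedure. The script below is an added example, not code from either poster, that strings those steps together with the preconditions an admin would want checked before anything is renamed. It keeps the poster's `aduser1` naming as a placeholder; the `preflight` checks, the `dsconfigad -show` binding test and the use of `sysadminctl -deleteUser` in place of the Users & Groups pane are my assumptions, and it must be run with sudo from a local admin session with the VPN already connected.

```shell
#!/bin/sh
# Added example: re-create a locked AD mobile account while preserving the
# home folder, following the steps posted in this thread. Run as:
#   sudo sh recreate_mobile_account.sh aduser1
set -eu

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Pure helper for the "/Users/<name> -> /Users/<name>X" naming used in the
# posts. Usage: backup_home_path NAME SUFFIX (prints the path).
backup_home_path() {
    printf '/Users/%s%s\n' "$1" "$2"
}

# Refuse to touch anything unless the preconditions from the posts hold
# (assumption: these checks are mine, not the posters').
preflight() {
    u=$1
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo from a local admin account" >&2; return 1; }
    [ -d "/Users/$u" ] || { echo "no home folder at /Users/$u" >&2; return 1; }
    [ ! -e "$(backup_home_path "$u" X)" ] || { echo "backup path already exists" >&2; return 1; }
    dsconfigad -show | grep -q 'Active Directory Domain' || { echo "Mac is not bound to AD" >&2; return 1; }
}

recreate_mobile_account() {
    u=$1
    preflight "$u"
    # 1. Set the old home aside so the new account does not reuse it.
    mv "/Users/$u" "$(backup_home_path "$u" X)"
    # 2. Remove the local user record (assumption: sysadminctl instead of the GUI).
    sysadminctl -deleteUser "$u" -keepHome
    # 3. Recreate the mobile account; this prompts for admin and AD credentials over the VPN.
    "$CMA" -n "$u"
    # 4. Confirm the record resolves through the directory cache.
    dscacheutil -q user -a name "$u" | grep -q "^name: $u\$"
    # 5. Disable the periodic computer-password rotation, as both posts do.
    dsconfigad -passinterval 0
    # 6. Swap the freshly created home for the preserved one.
    mv "/Users/$u" "$(backup_home_path "$u" _Del)"
    mv "$(backup_home_path "$u" X)" "/Users/$u"
    chown -R "$u" "/Users/$u"
    echo "done: log in as $u, then restart"
}

# Only act when a user name was given on the command line.
if [ $# -eq 1 ]; then
    recreate_mobile_account "$1"
fi
```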

Dec 29, 2020 8:57 AM in response to mz_teddy

I'm having this same problem right now as well.


I have an admin account on my box, and I'm able to log in on that admin account. From there I can connect to my corporate VPN and then I can switch users and I'm able to sign into my account. Once I'm in my account I have to connect to my corporate VPN again and then I'm able to work.


Such a janky work around...


@Apple, please get this bug resolved.

Jan 14, 2021 4:19 PM in response to mz_teddy

I've had this happen (or one very similar) with 2 users who jumped the gun and went to Big Sur, and were soon locked out of their Macs.

In each case, they had to ship their laptop to the office. I back up, erase, install 10.15, restore the user.

Big problem for us.


I'm trying to test the exact trigger for this. It was some kind of password update that the user did (reportedly the AD password update while on VPN). Let me know if you have any details on this.


Current theory for a fix is to use NoMAD to re-establish the AD password on the Mac, but I haven't been able to test it out yet.


Jan 15, 2021 8:33 AM in response to scottjking

Yes, scottjking, I did a full backup with Carbon Copy Cloner and made sure it was bootable. Then I erased the Mac and installed 10.15 from an external utility drive.

Now copying data back is a pain since 10.15 did not read the Big Sur drive formats. So I used another 10.16 partition to boot from and then just cloned the user's folder over to the 10.15 internal drive.

Time Machine might work, but sometimes it will reject that the destination is older than the backup.

Next time, I plan to just back up the Big Sur drive to a disk image with CCC and then erase and restore from that. Might save a step.

Feb 4, 2021 9:16 AM in response to mz_teddy

I got so sick of dealing with this, I started to try lots of different ways to figure it out.


What worked was this:


I upgraded to 11.2 and then took a time machine backup.


I then wiped my machine and reinstalled the OS. I upgraded it to 11.2 and then used Migration Assistant to bring my data back to the machine. After having to sign into a million pop-ups and allow permissions for everything again, I was able to get my machine working as expected.


Finally my mobile account works again.

Feb 10, 2021 11:42 AM in response to scottjking

Have you confirmed this issue did not come back the next time you changed your password? Password changes (made from the System Preferences > Users & Groups panel while bound to AD) are what seem to be triggering this for our remote users on Big Sur.


You may have gone through all of that to only have it come back next password change - hopefully not.

Feb 10, 2021 12:44 PM in response to venicejeff

Not sure. We initially saw this on machines that were being set up as replacements, and were upgraded to Big Sur in the process, and the users had changed their AD passwords on their existing machines - so those passwords were changed outside the laptops themselves.


Today, we got a report of an associate who had previously had his laptop in use, and Big Sur was updated while remote. He updated his password via the system preferences, but it still triggered a lockout upon reboot. He would have been on VPN access while working remotely when he changed the password. Anecdotally, another user had done the same, with no issues.


I have also figured out the local admin account + fast user switching trick mentioned above, but that is not feasible for these users, as they are not granted admin access.


