big sur - active directory logon without office network

Hello,

One of my users recently updated his MacBook Pro to Big Sur.

From that moment he can't log in outside the office network; macOS joins an AD domain (Windows Server 2019) and we use AD accounts (a mobile account is created in /Users during the first login).

I also tried turning off the network and rebooting (inside the office), and he was right: without our network he gets the error "account is locked".


We don't use JAMF.


We have used the same setup since about 2005 and never had this kind of issue (we also avoid upgrading macOS before 9/10 months of testing).


Thanks

Posted on Nov 30, 2020 9:06 AM

Question marked as Top-ranking reply

Posted on Jun 11, 2021 4:17 PM

Wow, literally just resolved this on a whim. I have posted in this thread (https://discussions.apple.com/thread/252264961?answerId=252264961021&page=2) too, but here is a recap:

Based on this article (https://support.apple.com/en-ca/guide/directory-utility/ior6d33c187e/mac), the password needs to be updated in 3 different places. Re-joining the laptop to domain and purging the keychain did not help, but this did it.

- connect to the domain (ethernet cable preferred)
- go to System Preferences > Users & Groups > click on "Change Password" for the domain account (the affected user profile) > change your password
- verify the password is updated somehow -- "net user THEUSERNAME /domain" in Command Prompt -- or just wait a couple of minutes for the change to sync to AD
- disconnect from the domain (go offline with no WiFi connection)
- try logging back in with the newly changed password

The password needs to be updated in 3 different places, so deleting the user profile, resetting the keychain, re-joining the domain, or whatever else you do will not be sufficient. On the macOS backend, it needs to find and update all 3 of those different stores simultaneously -- and it's only through this method that this works.


Give this a shot! It has worked for our user. I'm just wondering if the user profile will break again... and I won't be surprised if it does. One step at a time though!
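The reply above says the fix works because the password has to be brought back into sync in several credential stores at once, and it suggests checking the directory side with `net user`. The script below is an added example (not from the thread or from Apple) for checking the macOS side of that: it parses the AuthenticationAuthority attribute that `dscl` prints for a mobile account to see which stores exist (the cached directory record, the local shadow hash used for offline login, and the Kerberos principal), and, when run on a Mac with a username argument, tests the typed password against both the domain node and the local node so you can tell whether the domain password and the cached copy disagree. The node name "/Active Directory/EXAMPLE/All Domains", the user "jdoe" and the sample attribute text are assumptions/constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: inspect a macOS mobile (AD-cached) account and report which
# credential stores macOS keeps for it, then optionally test each one.
# Assumes the AD node "/Active Directory/EXAMPLE/All Domains" (placeholder).

# Parse the text printed by
#   dscl . -read /Users/<user> AuthenticationAuthority
# and print the stores found, space separated. Mobile accounts normally carry:
#   ;LocalCachedUser;  the cached copy of the directory account
#   ;ShadowHash;       the locally stored password hash used for offline login
#   ;Kerberosv5;       the Kerberos principal used while the domain is reachable
parse_auth_authority() {
    aa="$1"
    found=""
    case "$aa" in *';LocalCachedUser;'*) found="${found}cached ";; esac
    case "$aa" in *';ShadowHash;'*)      found="${found}shadowhash ";; esac
    case "$aa" in *';Kerberosv5;'*)      found="${found}kerberos ";; esac
    printf '%s' "${found% }"
}

# Returns 0 when an offline login is possible at all: the record is a cached
# mobile account AND a local shadow hash exists. (Whether that hash still
# matches the domain password is what the live checks below find out.)
offline_login_possible() {
    stores="$(parse_auth_authority "$1")"
    case "$stores" in
        *cached*) case "$stores" in *shadowhash*) return 0;; esac;;
    esac
    return 1
}

# Live check: only runs on macOS and only when a username is given, e.g.
#   sh check_mobile_account.sh jdoe
# dscl -authonly prompts for the password; nothing is stored or printed.
check_account() {
    user="$1"
    node="/Active Directory/EXAMPLE/All Domains"   # assumption: your AD node name
    if ! dsconfigad -show | grep -q 'Active Directory Domain'; then
        echo "this Mac is not bound to an AD domain"; return 1
    fi
    aa="$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)" || {
        echo "no local record for $user (not a mobile account on this Mac)"; return 1; }
    echo "credential stores for $user: $(parse_auth_authority "$aa")"
    if offline_login_possible "$aa"; then
        echo "offline login: cached hash present"
    else
        echo "offline login: NOT possible (no cached hash)"
    fi
    # Directory side: does the domain controller accept the password right now?
    # Fails both for a wrong password and when no DC is reachable.
    echo "enter the password to test it against the domain node:"
    if dscl "$node" -authonly "$user"; then echo "domain auth OK"
    else echo "domain auth FAILED (wrong password, locked account, or no DC reachable)"; fi
    # Local side: does the local node accept the same password? When the domain
    # is unreachable this is what the login window relies on for a mobile account.
    echo "enter the password again to test it against the local node:"
    if dscl /Local/Default -authonly "$user"; then echo "local auth OK"
    else echo "local auth FAILED (cached password out of sync with the domain)"; fi
}

if [ "$(uname 2>/dev/null)" = Darwin ] && [ $# -ge 1 ]; then
    check_account "$1"
fi
```

Run it while on the office network (or on a VPN) and then again with networking off: if domain auth succeeds but local auth fails, the cached copy is stale, which is the situation the password-change procedure above repairs. Run the live part only on a machine you administer, since `-authonly` counts as a logon attempt against the domain.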


27 replies

Dec 2, 2020 6:30 AM in response to mz_teddy

Tests I've made so far:

  • remove from / rejoin to AD
  • recreate the user account on the MacBook (renamed user dir -> user login -> create user folder)


The issue also occurs on screen lock (if the user tries to unlock outside the office network).

Actually, if the user needs the MacBook outside, I've disabled the system lock and he should never restart or power off the computer when out of the office.



Feb 18, 2021 2:55 AM in response to mz_teddy

We have the same issue. Mobile account created during the first boot.

Initially we tested Big Sur on several MacBooks and we didn't have any problems.

One week after we installed Big Sur on all MacBooks, some users couldn't log in and got the "account is locked" error.

Since the user cannot connect to the VPN before logging in to the account, we can't do anything about it.

Dec 29, 2020 8:57 AM in response to mz_teddy

I'm having this same problem right now as well.


I have an admin account on my box, and I'm able to log in to that admin account. From there I can connect to my corporate VPN and then I can switch users and I'm able to sign in to my account. Once I'm in my account I have to connect to my corporate VPN again and then I'm able to work.


Such a janky work around...


@Apple, please get this bug resolved.
