
big sur - active directory logon without office network

Hello,

One of my users recently updated his MacBook Pro to Big Sur.

From that moment he can't log in outside the office network; OS X joins an AD domain (Windows Server 2019) and we use AD accounts (a mobile account is created in /Users during the first login).

I also tried to turn off the network and reboot (inside the office), and he was right: without our network he gets the error "account is locked".


We don't use JAMF.


We have used the same setup since about 2005 and never had this kind of issue (we also avoid upgrading OS X before 9/10 months of testing).


Thanks

Posted on Nov 30, 2020 9:06 AM

Question marked as Top-ranking reply

Posted on Jun 11, 2021 4:17 PM

Wow, literally just resolved this on a whim. I have posted in this thread (https://discussions.apple.com/thread/252264961?answerId=252264961021&page=2) too, but here is a recap:

Based on this article (https://support.apple.com/en-ca/guide/directory-utility/ior6d33c187e/mac), the password needs to be updated in 3 different places. Re-joining the laptop to domain and purging the keychain did not help, but this did it.

- connect to the domain (ethernet cable preferred)
- go to System Preferences > Users & Groups > click on "Change Password" for the domain account (the affected user profile) > change your password
- verify the password is updated somehow -- "net user THEUSERNAME /domain" in Command Prompt -- or just wait a couple of minutes for the change to sync to AD
- disconnect from the domain (go offline with no WiFi connection)
- try logging back in with the newly changed password

The password needs to be updated in 3 different places, so deleting the user profile, resetting the keychain, or re-joining to domain, or whatever else you do will not be sufficient. On the Mac OS backend, it needs to find and update all 3 of those different stores simultaneously -- and it's only through this method that that works.


Give this a shot! It has worked for our user. I'm just wondering if the user profile will break again... and I won't be surprised if it does. One step at a time though!
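The accepted reply's fix works because changing the password refreshes every credential store the mobile account keeps locally at once. Before trying it on another machine, it helps to confirm that the affected account actually is a mobile (cached Active Directory) account and to see which stores its local record lists. The following diagnostic script is an added example, not code from the thread or from Apple; it assumes a macOS system where `dscl` and `dsconfigad` are available, and the `grep` pattern applied to `dsconfigad -show` output is an assumption about that command's line labels.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Run on the affected Mac as an admin:
#   sh check_mobile_account.sh jdoe
# It reads the local directory record of a user and reports which credential
# stores its AuthenticationAuthority attribute references.

# classify_auth_authority: reads AuthenticationAuthority text on stdin and
# prints one word per store found, in a fixed order: shadowhash kerberos cached.
# The ";ShadowHash;", ";Kerberosv5;" and ";LocalCachedUser;" tokens are the
# markers macOS writes into that attribute for a mobile account.
classify_auth_authority() {
    input=$(cat)
    out=""
    case "$input" in *';ShadowHash;'*) out="$out shadowhash" ;; esac
    case "$input" in *';Kerberosv5;'*) out="$out kerberos" ;; esac
    case "$input" in *';LocalCachedUser;'*) out="$out cached" ;; esac
    printf '%s\n' "${out# }"
}

# is_mobile_account: succeeds when the classified store list contains the
# LocalCachedUser marker, i.e. the account is a cached AD (mobile) account.
is_mobile_account() {
    case "$1" in *cached*) return 0 ;; esac
    return 1
}

# check_user: full report for one short name; returns 2 if not on macOS,
# 1 if there is no local record (so nothing is cached for offline login).
check_user() {
    user="$1"
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; run this on the affected Mac" >&2
        return 2
    fi
    aa=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null) || {
        echo "no local record for $user; offline login cannot work without one" >&2
        return 1
    }
    stores=$(printf '%s' "$aa" | classify_auth_authority)
    echo "$user local credential stores: $stores"
    if is_mobile_account "$stores"; then
        echo "$user is a mobile (cached AD) account; offline login relies on the stores above staying in sync"
    else
        echo "$user has no LocalCachedUser entry, so this is not a mobile account"
    fi
    # Domain binding and whether mobile accounts are created at login
    # (line labels assumed; adjust the pattern if your output differs).
    dsconfigad -show 2>/dev/null | grep -Ei 'Active Directory Domain|mobile account' || true
    return 0
}

if [ "$#" -gt 0 ]; then
    check_user "$1"
fi
```

If the report shows the account as a mobile account and the office-network login works while the offline login fails, the cached stores have drifted apart, which is the situation the password-change procedure above is meant to repair.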


27 replies

Feb 18, 2021 2:55 AM in response to mz_teddy

We have the same issue. Mobile account created during the first boot.

Initially we tested Big Sur on several MacBooks and we didn't have any problems.

One week after we installed Big Sur on all MacBooks some users couldn't login and got "account is locked" error.

Since the user cannot connect to VPN before logging in to the account, we can't do anything about it.

Jun 11, 2021 1:20 PM in response to Bursy

@Bursy: The Fast User Switching method will only work if you sign in to VPN first. Once you're signed in to VPN, then you can switch users to log in your domain account -- the domain account's password should work from there. Hope that works for you!


--


Also, it seems like Big Sur 11.4 has bricked the domain account password again. We had a user that got a freshly-installed Big Sur laptop and had no issues -- but after upgrading to 11.4 Big Sur over a week ago, they weren't able to sign in.


When plugged in to the office network, they can log in. But when unplugged/off the network, they can't log in.

Tried to leave and re-join domain. Still the same issue. I really don't want to purge the profile if possible.


Mac and AD integration is just so frustrating.


Is Jamf really the only solution? Hah.

