Login failed with user bound to Active Directory with a mobile account.

I have run into an issue with the password failing on user login with an Active Directory account, on a computer bound to AD with a mobile account configured.

It happened on Big Sur or Monterey.


Recently some of the Mac users have reported that after a password reset, even if they are careful, the new password is not accepted and the user cannot log in.


To test, we use another account on the computer (local administrator) and connect the VPN on the computer.

Then we switch to the other account and try to log in with the same username and the new password, and it works.


However, if you reboot the computer (which disconnects the VPN) and try to log in with the same account, the password is again not accepted.


Can anyone help?

MacBook Pro 15″, macOS 11.6

Posted on Aug 23, 2022 2:03 PM

Question marked as Top-ranking reply

Posted on Aug 24, 2022 1:05 PM

Hey there rmathieu1974,


Thanks for reaching out to the Apple Support Communities. To get started, since this is a mobile account used with Active Directory, did the user change the mobile account password with the steps shown in the following link under the "Changing a mobile account password" section: Active Directory and mobility on Mac - Apple Support


Changing a mobile account password
To change a mobile user account password on a Mac that’s bound to the directory service, open System Preferences, then click Users & Groups while the computer is connected to the directory service.

To verify connectivity to the directory service, click Login Options in the sidebar of the Users & Groups preference pane, then check the Network Account Server field. A green indicator means the directory service is available. Select the mobile user account in the sidebar, then click the Change Password button.

This process ensures that the user account password is changed in three locations:

- The remote directory service
- The locally cached credential store (/private/var/db/dslocal/)
- The user’s login keychain data store

The login keychain is an encrypted data store in the user’s home folder that contains sensitive information such as app and internet passwords, as well as user certificate identities. By default, the password to decrypt this data store is the same as the user account password, and it’s automatically unlocked at login.

If the network account password is changed while a Mac isn’t actively connected to the directory service, it’s only changed in the locally cached credential store. When the user reconnects to the directory service and logs in, the remote directory service is updated and the Mac is unable to unlock the login keychain. The user must provide the previous password and the new password to update the login keychain data store. If the user can’t provide the previous password, there’s an option to create a new login keychain.

With local-only accounts, a password policy can be applied with a configuration profile. This ensures organizational policy compliance while simplifying synchronization of the login keychain and the user account password.


If not, give those steps a try, and let us know if that's able to help.


Have a great day!
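As an added example (not from the thread or from Apple's documentation), a diagnostic script an admin could run on the affected Mac to see which of the three credential stores the reply lists (remote directory, local cached credential store, login keychain) rejects the new password. The AD_NODE path, the keychain file path and running the keychain probe via sudo -u are assumptions.

```shell
#!/bin/bash
# Added diagnostic for this thread; not the poster's or Apple's code.
# Probes the three stores a mobile-account password lives in and reports
# which one is out of sync. Assumes: run on the affected Mac as a local
# admin with sudo; AD_NODE is a placeholder for your bound directory node;
# dscl and security exist only on macOS (diagnose itself runs anywhere).
AD_NODE="${AD_NODE:-/Active Directory/EXAMPLE/All Domains}"  # placeholder

# Each probe prints ok or fail. The password is passed on argv, so it is
# briefly visible in the process list; fine for a one-off check on the Mac.
probe_directory() {   # remote directory service: needs DC reachability (VPN)
  dscl "$AD_NODE" -authonly "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}
probe_local_cache() { # cached credential in /private/var/db/dslocal
  dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}
probe_keychain() {    # login keychain in the user's home folder (assumed path)
  local kc="/Users/$1/Library/Keychains/login.keychain-db"
  if sudo -u "$1" security unlock-keychain -p "$2" "$kc" >/dev/null 2>&1; then
    sudo -u "$1" security lock-keychain "$kc" >/dev/null 2>&1; echo ok
  else
    echo fail
  fi
}

# Pure decision logic: maps the three probe results to a named state.
diagnose() {  # $1 directory, $2 local cache, $3 keychain
  case "$1:$2:$3" in
    ok:ok:ok)    echo consistent ;;      # every store accepts the new password
    ok:ok:fail)  echo keychain-stale ;;  # keychain still wants the old password
    fail:ok:*)   echo directory-stale ;; # changed offline: only the cache moved
    ok:fail:*)   echo cache-stale ;;     # AD updated, cache never refreshed
    fail:fail:*) echo rejected ;;        # nothing accepts it: check the password
    *)           echo unknown ;;
  esac
}

main() {  # usage: sudo ./check_mobile_pw.sh <username>
  local user="$1" pw d l k
  read -rs -p "New password for $user: " pw; echo
  d=$(probe_directory "$user" "$pw"); l=$(probe_local_cache "$user" "$pw")
  k=$(probe_keychain "$user" "$pw")
  echo "directory=$d local_cache=$l keychain=$k -> $(diagnose "$d" "$l" "$k")"
}
if [ $# -eq 1 ]; then main "$1"; fi
```

The symptom in the question (login works over VPN, fails after a reboot drops it) corresponds to the cache-stale state; the keychain-stale state is the case the quoted Apple text describes, where the old and new passwords are needed to update the login keychain.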

