Red Dot on Login Page

We are having an issue with the Macs at my organization periodically developing a red dot in the upper right-hand corner of their login screen. This issue causes users to be unable to log in to the Macs. The only solution we have found is to remove the organization's domain from the Active Directory and add it back manually.


Context: We also use Avid Nexis storage and Faronics Deep Freeze on each Mac, but we have not determined either to definitively be causing the issue. All of these Macs are also running Ventura and M1 chips.

Mac mini 2018 or later

Posted on Nov 17, 2022 8:03 AM

Question marked as Top-ranking reply

Posted on Nov 23, 2022 5:39 AM

You may want to try altering the password interval for the AD bind. To do this, run this command on a bound and properly authenticating Mac:


sudo dsconfigad -passinterval 0


There has been a long-standing issue with the default 14-day reset of the device password. Basically, a bound Mac will automatically refresh its random device password with the domain every 14 days (nearly to the second, provided the device is active). Ah, but the order of operations on the Mac appears to be (1) trigger a reset of the device password, (2) write it to the local drive, and then (3) attempt to send the updated password to the DC.


A problem occurs when the DC for whatever reason does not receive the new password. Now the bind configuration on the Mac does not match the computer record in the DC and the bind is not trusted. All future attempts are denied, resulting in a failure to communicate with the DC for authentication. By setting the -passinterval to 0, you are telling the Mac never to refresh the bind password.


This is a huge issue with laptops as it is easy to predict that many of the devices may not be in contact with the DC when the 14 day timer expires. This will result in the device being untrusted when it returns to the LAN.


Also, this will have a side effect if you have observant domain admins. Searching AD for Mac records may reveal what appears to be stale records. If you are using automation to remove stale device records or if you have an admin who periodically "cleans house," inform the coworker to leave the Mac records alone. I usually guide clients to create a custom path on the DC for Mac device records. This dedicated OU allows us to isolate the Mac records and exclude them from any unwanted purges.


Having the devices hardwired is a good step as it reduces a lot of the variables associated with the mobility of laptops. But, as celliott147 stated, traditional binds are/have been out of favor with Apple for some time. Take a look at this from 2020 https://www.apple.com/tr/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf to get started. Note, I assume you have an MDM in place.


Hope this is helpful.


Reid
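An added check, not code from Reid or the thread: it reads the text of `dsconfigad -show` and reports whether the Mac is bound and whether the computer-account password is still on the 14-day rotation described above. It assumes that output carries the "Computer Account" and "Password change interval" lines; the sample fed in by `ad_bind_demo` is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Parse `dsconfigad -show` output (stdin) and classify the AD bind state.
# Exit code: 0 = bound, rotation disabled; 1 = bound but still rotating
# (the case the reply ties to the lost-trust red dot; see -passinterval 0);
# 2 = not bound. Assumes the label text used by dsconfigad -show.
ad_bind_status() {
    awk '
        BEGIN { interval = -1 }
        /You are bound to Active Directory/ { bound = "yes" }
        /Computer Account/ {
            sub(/.*= */, ""); sub(/[ \t\r]+$/, ""); account = $0
        }
        /Password change interval/ { sub(/.*= */, ""); interval = $0 + 0 }
        END {
            if (bound != "yes") { print "bound=no status=NOT_BOUND"; exit 2 }
            if (interval == 0)      { status = "OK_ROTATION_DISABLED"; rc = 0 }
            else if (interval < 0)  { status = "UNKNOWN_INTERVAL";     rc = 1 }
            else                    { status = "WARN_DEFAULT_ROTATION"; rc = 1 }
            printf "bound=yes account=%s interval=%d status=%s\n",
                   account, interval, status
            exit rc
        }'
}

# Constructed sample of dsconfigad -show output for a bound Mac that is
# still on the default interval (for running the check off a Mac).
ad_bind_demo() {
    printf '%s\n' 'You are bound to Active Directory:' \
        '    Active Directory Domain          = corp.example.com' \
        '    Computer Account                 = mac01$' \
        'Advanced Options - Administrative' \
        '    Password change interval         = 14' | ad_bind_status
}

# Live use on a bound Mac: `dsconfigad -show | ad_bind_status`
if [ "${1:-}" = "--live" ] && command -v dsconfigad >/dev/null 2>&1; then
    dsconfigad -show | ad_bind_status
fi
```

A WARN result on a fleet that drops off the LAN is the condition to fix before the next rotation, not after a user is already locked out.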




Nov 18, 2022 11:58 AM in response to Josiah_Flemming

This dot indicates no network connectivity. AD backed accounts should be mobile accounts if used off network. If you can hard wire the devices to the network, you should be able to access the account.


That said, Apple has said binding to Active Directory is not best practice and is being deprecated in the near future in favor of platform SSO which will provide similar functionality but move away from binding.


Kerberos tickets can be deployed using MDM using the Kerberos SSO extension and should be used going forward along with local accounts, an external login tool such as JumpCloud, Jamf Connect, or NoMAD Login, or the Platform SSO extension.

Nov 22, 2022 5:24 AM in response to celliott147

These machines are hardwired to the network, but for some reason they keep developing this red dot. When we go to rebind them to the network, they look like they are already bound to the Active Directory, but they do not act like it. For example, as mentioned, users cannot log in. If Apple is moving over to SSO, I will inquire about how my organization can begin transitioning over to that moving forward.
