50 Replies. Latest reply: Jan 15, 2014 6:03 PM by methodologist
  • iamtheadman Level 1 (5 points)

    Just updated to 10.8.1 and it didn't solve the Active Directory mobile account issue. Just tested with our IT team and the AD account still locks after the first login attempt. So we continue to wait.

  • blayn Level 1 (0 points)

    Didn't solve it for me either. My machine isn't tied into the AD, instead it resides on the same network, and has only local accounts. Though I (used to) connect to SMB directories using AD login credentials every day.


    I'm also getting locked out after the first attempt.

  • blayn Level 1 (0 points)

    I just found a workaround, well, sort of.


    If I use the limited, non-admin account on the Mac (local, non-AD), I'm able to connect to SMB shares. No lockout, same exact credentials, just different local account.

  • AW139 Level 1 (0 points)

    Same problem here. After one password error account locked


    Mountain lion: 10.8.1

    Server: AD on Windows server 2008 R2

  • tedlee88 Level 1 (0 points)

    You guys can add me to the list.  Trying to configure 10.8.1 Mountain Lion Server to connect with our Active Directory server running Windows Server 2008 R2.  I can add a user, but cannot login after logoff.  Any ideas greatly appreciated

  • iamtheadman Level 1 (5 points)

    I am happy to report that I installed 10.8.2 and I am able to create a mobile account and not have it lock my Active Directory account. I have rebooted several times, with network connection and without, and it continues to work. I've also tested logging out, logging in to the Administrator account and then logging back into the AD account and it still works.


    I think Apple may have fixed the problem. Strangely, there was no mention of Active Directory in the release notes.


    Please post other successes/failures here.



  • iamtheadman Level 1 (5 points)

    Actually, Apple does list it in the release notes.

  • Andrew Cunningham Level 2 (155 points)

    Sadly, 10.8.2 does not seem to fix the issue with AD primarygroupid mappings for us. We still cannot log in with users whose primarygroupid value is interpreted (incorrectly) as "-2", unless we manually map GID to primaryGroupID via Directory Utility.


    I suppose that we can continue with the policy of manually mapping this attribute, but I really wish that Apple would get this fixed!

  • Leafyseahobbt Level 1 (0 points)

    Hi, hoping there's still some people around to help me on this issue.


    I recently began experiencing issues with my MS Outlook 2011 for Mac last week, after I upgraded to Mountain Lion. However I didn't immediately notice an issue because the problem was specifically with my gmail. Gmail occasionally throws a tantrum and needs the Captcha to be unlocked anyway, as I often access email from a number of devices and gmail is paranoid about this being a potential threat.

    I have four email addresses collected by Outlook. These are a gmail, and two private domain emails (all these three are IMAP) and also a POP hotmail.

    So last Monday my two private emails stopped working as well, with the error message 'failed to authenticate, username or password incorrect etc etc' which keeps popping up no matter how many times I enter the password. Even when this happened I still didn't immediately blame ML as our domain was being upgraded at the time and I thought it might be that.

    So, after unlocking the google captcha and confirming that the domain wasn't the problem, I've narrowed it down to either Outlook or ML. Then today, the POP hotmail failed in Outlook as well, which totally threw me as POP is almost indestructible.

    Also, the really confusing part is that the gmail and two domain emails stopped working at the same time on my iPhone, so that's clearly not an ML issue, and I've had iOS6 since day one and that was working fine until last week. On my iPhone I use the Mail app to collect all the same email except the POP account.


    So I have tried:


    Unlocking the Captchas

    Deleting and redoing keychain passwords

    Confirming that all details are correct


    Gmail now works on the iPhone, but not on my Macbook.

    Domain emails don't work at all, and neither does the hotmail.


    Just to reiterate Outlook worked fine with all these accounts until last week.


    If anyone can offer any ideas that would be much appreciated - I've been without email for a week and it's killing me!



  • opentrail Level 1 (10 points)

    I have a similar issue where the wifi keeps dropping with Authentication Failure. The client has everything linked to AD but my Mac just has a local machine account. I do connect to a printer using an ip address.


    Very annoying and I hope Apple will fix this soon.

  • opentrail Level 1 (10 points)

    Thanks for the tip but this did nothing for me. Still drops the wifi with Authentication Failure. I have to switch the wifi off and on to continue.

  • ttle Level 1 (0 points)

    This method (from SSSnet Tech) does not work for me. When I try the "Check Map user GID to attribute primaryGroupID", the login screen just bounces twice after I enter my AD username & password and hit Enter. I had another post created for my issue. Basically the same thing happens: I cannot log into AD with a Mountain Lion machine. I had also captured the log. Please help me find a solution for this.



    I appreciate all your help and time!



  • ttle Level 1 (0 points)

    Anyone know how to find the primarygroupID value in AD? I tried 513, which is the default one, but doesn't work. Please help!

  • scottpaigeng Level 1 (0 points)

    Has anyone looked into the Sync function once you create the Mobile account.... just by browsing around I noticed that this is syncing very frequently....just wonder if it attributes to the locking out of accounts in AD. I will be doing some tests on a brand new MacBook Pro with my AD account. I have created the mobile account in the Users & Groups window rather than it making one automatically when a user logs in. Will write up more notes as they come.

  • -Reece Level 1 (0 points)

    We ran into this issue today with a Mac user. I stumbled across this post and just thought I'd share what fixed it for us.


    Issue: When logging into a Mac (10.7.5 or 10.8.2) with User1, login would not prompt to create mobile account, or would just act like the password was wrong. With User2, it always worked as expected.


    After reading through this entire thread and trying a few extra steps, here's what we found.

    When running this command (run on a domain joined mac) we could get all the info on User1 and User2.

    Substitute YOURDOMAIN for whatever domain you are joined to and having issues with.

    dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user1

    dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user2


    Looking at the returned properties we noticed that User1 also had a sub-domain account in the forest appearing in output:





    and User2 (works) did not:



    What fixed it for us was to do one of the following solutions.


    Solution 1: Rename the Sub-domain user. Apparently Unix uses this username forest-wide, so when we joined the domain the default search policy would try "All Domains".

    This would result in the Sub.Domain user registering a "badPwdCount" property and eventually locking out the Sub.Domain\User1 account when logging into the mac as Domain\User1.

    The account would log in, but to a half-created home folder, and never prompt to create a mobile account.

    Once the Sub.Domain account was gone, the user immediately worked. You may need to wait for replication in a large Active Directory environment.


    Solution 2: Change the Search Policy in OSX to use one domain (instead of default All Domains).

    You have to un-check the "Allow authentication from any domain in the forest", apply, then go to Search Policy and specify the desired domain, and then remove "All domains"


    Either of these solutions resolved our "some users always work and other users always don't work" issue.

    Until today we hadn't figured out why it was happening to only a small number of users. It was isolated to users with the same User1 account in multiple domains in the forest.


    Hopefully this saves someone time :).
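
Added example, not part of the original post or of any Apple or Microsoft tooling: a small audit that finds the condition described in the last post, a short username present in the login domain and in another domain of the forest, and reports the other account's `badPwdCount` and lockout state. The input is a constructed per-domain account export; the domain names, the record layout and the function name `find_forest_collisions` are assumptions.

```python
from collections import defaultdict

# Constructed sample: one row per account, as it could be exported from each
# domain in the forest. sAMAccountName, badPwdCount and lockoutTime are AD
# attributes; the domain names and values here are made up.
SAMPLE_EXPORT = [
    {"domain": "corp.example", "sAMAccountName": "User1",
     "badPwdCount": 0, "lockoutTime": 0},
    {"domain": "sub.corp.example", "sAMAccountName": "user1",
     "badPwdCount": 5, "lockoutTime": 130342000000000000},
    {"domain": "corp.example", "sAMAccountName": "user2",
     "badPwdCount": 0, "lockoutTime": 0},
    {"domain": "sub.corp.example", "sAMAccountName": "svc-print",
     "badPwdCount": 1, "lockoutTime": 0},
]


def find_forest_collisions(records, login_domain):
    """List accounts in other domains that share a short name with an
    account in login_domain (the domain users log in to from the Mac)."""
    login_domain = login_domain.lower()
    by_name = defaultdict(list)
    for rec in records:
        # Short names are compared case-insensitively.
        by_name[rec["sAMAccountName"].lower()].append(rec)

    findings = []
    for name, recs in sorted(by_name.items()):
        domains = {r["domain"].lower() for r in recs}
        if login_domain not in domains or len(domains) < 2:
            continue  # name is unique, or not used in the login domain
        for r in recs:
            if r["domain"].lower() == login_domain:
                continue
            findings.append({
                "name": name,
                "other_domain": r["domain"],
                "badPwdCount": int(r["badPwdCount"]),
                # Non-zero lockoutTime means a lockout was recorded.
                "locked": int(r["lockoutTime"]) != 0,
            })
    return findings


if __name__ == "__main__":
    for f in find_forest_collisions(SAMPLE_EXPORT, "corp.example"):
        print(f)
```

Accounts reported with a rising `badPwdCount` in the other domain are the ones to check against the two solutions in the post above.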