
After upgrading to Yosemite all accounts disabled

After I upgraded to Yosemite I can log in once or twice before I get the message "Your account has been disabled. Contact your system administrator for more information". This applies to ALL 3 accounts (2x administrator and one standard account which I use most of the time). I have tried to reset the passwords, repaired permissions, repaired user ACL (by restarting in recovery mode) but nothing seems to work.


After restoring from a Time Machine backup several weeks old and ensuring everything worked (10.9.5) I undertook a second attempt and even managed to upgrade to 10.10.1. However, after repairing disk permissions I had the same problem and all my accounts are disabled.


What can I do?

Mac Pro, OS X Yosemite (10.10.1)

Posted on Nov 23, 2014 11:03 PM


Dec 19, 2014 12:16 AM in response to forappie

Since I have partitioned my Mac's internal disk and installed Mavericks on one partition and Yosemite on the second, I can now inspect the log files of the failing Yosemite installation. The log file which attracted my attention was 'accountpolicy.log'. I could see exactly when it went wrong yesterday. Although not all at the same time, within a day all accounts get the following log entry:


Dec 19 00:22:55 (45.4) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".


My Mac is registered with a Mac OS X server at home via Profile Manager and when I read "ProfilePayload" this looks related to Profile Manager. I have indeed specified a maximum of 5 failed login attempts. However, I would expect this counter to revert to 0 each time you have a successful login. Can someone confirm what behaviour I should expect?


Since I registered my Mac earlier this week only, this might explain why the issue started now and not earlier.


I can change the policy myself but I'm not sure whether you have to be logged in for policies to be updated or whether simply starting up and having access to the login screen is sufficient.


For completeness I'm also posting the last successful and first unsuccessful attempt:



Dec 17 19:02:23 (45.10) SecondsUntilPasswordExpires completed: record "<<user1>>", result: never expires.

Dec 17 19:02:27 (45.11) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 17 19:02:27 (45.12) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 17 19:02:27 (45.13) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 17 19:02:28 (45.14) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 17 19:04:20 (45.15) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 17 19:04:20 (45.16) AuthenticationAllowed completed: record "Guest", result: Success (0).

Dec 17 19:04:20 (45.17) AuthenticationAllowed completed: record "<<admin1>>", result: Success (0).

Dec 17 19:04:20 (45.18) AuthenticationAllowed completed: record "<<admin2>>", result: Success (0).

Dec 17 19:04:21 (45.19) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 17 19:04:21 (45.20) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 17 19:04:21 (45.21) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 17 19:04:21 (45.22) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 18 17:20:17 Account Policy Helper agent starting

Dec 18 17:20:17 (45.1) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 18 17:20:17 (45.2) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 18 17:20:17 (45.3) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 18 17:20:17 (45.4) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 18 17:20:17 (45.5) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 18 17:20:17 (45.6) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

Dec 18 17:20:17 (45.7) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 18 17:20:17 (45.8) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:55 Account Policy Helper agent starting

Dec 19 00:22:55 (45.1) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:55 (45.2) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:55 (45.3) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:55 (45.4) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:56 (45.5) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:56 (45.6) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:56 (45.7) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:22:56 (45.8) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:23:00 (45.9) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:23:00 (45.10) SecondsUntilPasswordExpires completed: record "<<user1>>", result: never expires.

Dec 19 00:23:05 (45.11) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:23:42 (45.12) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

Dec 19 00:23:42 (45.13) SecondsUntilPasswordExpires completed: record "<<admin1>>", result: never expires.

Dec 19 00:23:55 (45.14) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".
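
Added example, not part of the original post: a small Python parser for accountpolicy.log lines in the format quoted above. It reports, per record, the last successful check and the first denial after it, and whether every denied record fails the same global rule. The sample lines are constructed from the format in the post, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the accountpolicy.log lines quoted above.
POLICY = "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts"
FAIL = 'result: Failed Authentication Policy (-47102), Failed global policy "%s".' % POLICY
SAMPLE_LOG = "\n".join([
    'Dec 17 19:04:20 (45.17) AuthenticationAllowed completed: record "<<admin1>>", result: Success (0).',
    'Dec 17 19:04:21 (45.20) AuthenticationAllowed completed: record "<<admin1>>", ' + FAIL,
    'Dec 17 19:04:21 (45.21) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).',
    'Dec 18 17:20:17 Account Policy Helper agent starting',
    'Dec 18 17:20:17 (45.6) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).',
    'Dec 19 00:22:55 (45.4) AuthenticationAllowed completed: record "<<user1>>", ' + FAIL,
    'Dec 19 00:23:00 (45.10) SecondsUntilPasswordExpires completed: record "<<user1>>", result: never expires.',
    'Dec 19 00:23:05 (45.11) AuthenticationAllowed completed: record "<<user1>>", ' + FAIL,
])

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \([\d.]+\) AuthenticationAllowed completed: '
    r'record "(?P<record>[^"]+)", result: (?P<result>[^(]+?) \((?P<code>-?\d+)\)'
    r'(?:, Failed global policy "(?P<policy>[^"]+)")?'
)

def lockout_summary(text):
    """Per record: last success, first denial after it, denial count, policies."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # agent start-up and SecondsUntilPasswordExpires lines
        rec = out.setdefault(m["record"], {"last_success": None,
              "first_denial": None, "denials": 0, "policies": set()})
        if m["code"] == "0":
            # A success ends any earlier denial streak for this record.
            rec.update(last_success=m["ts"], first_denial=None, denials=0)
            rec["policies"] = set()
        else:
            rec["first_denial"] = rec["first_denial"] or m["ts"]
            rec["denials"] += 1
            if m["policy"]:
                rec["policies"].add(m["policy"])
    return out

def shared_global_rule(summary):
    """Rule name if every currently denied record fails the same global policy."""
    denied = [r for r in summary.values() if r["denials"]]
    policies = set().union(*(r["policies"] for r in denied)) if denied else set()
    return policies.pop().rpartition(":")[2] if len(policies) == 1 else None
```
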

Jan 11, 2015 9:16 AM in response to forappie

I finally cracked the problem after many tests and 2nd line Apple server support group in Ireland. The problems were caused by one or more 'rogue' password policies distributed by my Mac home server. These password policies were no issue on the Mavericks client but created havoc when I upgraded to Yosemite.


I had to take the following steps:

  1. Remove the Yosemite client from Profile Manager running on the (home) server. When your client is enrolled, Profile Manager can still remove the client even if you can't log in yourself.
  2. On the Yosemite client, enable root and create a new admin account (alternatively I could also re-run the Yosemite installer over the existing client installation, as this unlocked all accounts for 1 or 2 restarts).
  3. Log in with the new admin account and disable root.
  4. In Terminal on the client, with the new admin account, execute 'sudo /usr/bin/pwpolicy clearaccountpolicies'. This responds with 'Clearing global account policies'. This is described in technical article HT203114 under slightly different circumstances but it worked for me.
    Note: it may be useful to run the following command before and after clearing the policies to see whether it worked: sudo /usr/bin/pwpolicy getaccountpolicies . This command shows the global account policies in force.
  5. Before re-enrolling to the server, delete the old password policy on the server (and replace it with a new policy). The new policy no longer shows the maxFailedAttempts rule which caused all the problems.
  6. Re-enroll the client to Profile Manager as required.


These steps solved it for me. I have been using my Yosemite client now for 2 weeks without the issue returning.


For your information I also tried a number of other solutions which didn't work for me:

  1. Running the Yosemite installer over the existing Yosemite client with problems only allows 1 or 2 logins before the accounts get disabled.
  2. Backup/delete/restore of Open Directory on the server ... after 1 or 2 restarts all accounts were disabled again.
  3. Even after starting with a clean Open Directory (I deleted the existing one and created one from scratch) the accounts still got disabled. This gave an indication that the server must put some policies permanently on the client.
  4. Starting without network didn't make any difference (i.e. the password policy is present on the client to prevent accounts from logging in). Again this makes you think there are permanent policy rules on the client.

Also note the 'pwpolicy clearaccountpolicies' option only exists in Yosemite, not Mavericks. See 'man pwpolicy' for details.


Pfffffttttttt
