forappie
Level 1 (25 points)

Q: After upgrading to Yosemite all accounts disabled

After I upgrade to Yosemite I can login once or twice before I get the message "Your account has been disabled. Contact your system administrator for more information". This applies to ALL 3 account (2x administrator and one standard account which I use most of the time). I have tried to reset the passwords, repaired permissions, repaired user ACL (by restarting in re3covery mode) but nothing seems to work.

 

After restoring from a Time Machine backup several weeks old and ensuring everything worked (10.9.5) I undertook a second attempt and even managed to upgrade to 10.10.1. However, after repairing disk permissions I had the same problem and all my accounts are disabled.

 

What can I do?

Mac Pro, OS X Yosemite (10.10.1)

Posted on Nov 23, 2014 11:12 PM

by forappie,Solvedanswer
forappie forappie
Level 1 (25 points)
A:

I finally cracked the problem after many tests and 2nd line Apple server support group in Ireland. The problems were caused by one or more 'rogue' password policies distributed by my Mac home server. These password policies were no issue on the Mavericks client but created havoc when I upgraded to Yosemite.

 

I had to take the following steps:

  1. Remove Yosemite client from ProfileManager running on (home) server. When your client is enrolled, ProfileManager can still remove the client even if you can't login yourself
  2. On the Yosemite client, enable root and create a new admin account (alternatively I could also re-run the Yosemite installer over the existing client installation as this unlocked all accounts for 1 or 2 restarts)
  3. Login with new admin account and disable root
  4. in terminal on the client with the new admin account execute 'sudo /usr/bin/pwpolicy clearaccountpolicies'. This responds with 'Clearing global account policies'. This is described in technical article HT203114 under slightly different circumstances but it worked for me.
    Note: it may be useful to run the following command before and after clearing the policies to see whether it worked: sudo /usr/bin/pwpolicy getaccountpolicies . This command shows the global account policies in force.
  5. before re-enrolling to the server delete the old password policy on the server (and replace by new policy). The new policy no longer shows the maxfailedAttempts rule which caused all the problems.
  6. re-enroll client to profile manager as required

 

These steps solved it for me. I have been using my Yosemite client now for 2 weeks without the issue returning.

 

For your information I also tried a number of other solutions which didn't work for me:

  1. Running the Yosemite installer over the existing Yosemite client with problems only allows 1 or 2 logins before the accounts get disabled
  2. backup/delete/restore Open Directory on the server ... after 1 or 2 restarts all accounts were disabled again
  3. even after starting with a clean Open Directory (I deleted the existing one and created one from scratch) the accounts still got disabled. This gave indication server must put some policies permanently on the client
  4. starting without network didn't make any difference (ie the password policy is present on the client to prevent accounts to login). Again this makes you think there are permanent policy rules on the client

Also note the 'pwpolicy clearaccountpolicies' option only exists in Yosemite, not Mavericks. see 'man pwpolicy' for details.

 

Pfffffttttttt

Posted on Jan 11, 2015 9:16 AM

Close
forappie

Q: After upgrading to Yosemite all accounts disabled

  • All replies
  • Helpful answers

Previous Page 2

  • by forappie,

    forappie forappie Dec 18, 2014 4:11 PM in response to forappie
    Level 1 (25 points)
    Dec 18, 2014 4:11 PM in response to forappie

    Disaster struck again. All help appreciated.

     

    I started to build a Yosemite image up from scratch and everything went fine for about a week. I even didn't copy my previous user preferences. However, tonight I ran into the same problems as before: all accounts become unaccessible at the same time! ("Your account has been disabled. Contact your system administrator for more information"). I'm now really getting desperate and very annoyed.

     

    Fortunately I can still access the boot volume and I have made an inventory of the non-standard software I installed sofar. Would anyone have a clue which might cause the problem?

     

    Apps I have installed so far:

    • 1Password 5.app
    • Adobe Digital Editions 4.0.app
    • Adobe Digital Editions.app
    • AppCleaner.app
    • AppZapper.app
    • arRsync.app
    • ClamXav.app
    • Divvy.app
    • DVDpedia.app
    • EtreCheck.app
    • Fantastical.app
    • ffmpegX.app
    • FileZilla.app
    • Firefox.app
    • Flip Player.app
    • HandBrake.app
    • Lingon X.app
    • MacUpdate Desktop.app
    • Microsoft Messenger.app
    • Microsoft Language Register.app
    • Microsoft Document Connection.app
    • Microsoft Excel.app
    • Microsoft Outlook.app
    • Microsoft PowerPoint.app
    • Microsoft Word.app
    • Solver.app
    • Equation Editor.app
    • Microsoft Alerts Daemon.app
    • Microsoft Chart Converter.app
    • Microsoft Clip Gallery.app
    • Microsoft Database Daemon.app
    • Microsoft Database Utility.app
    • Microsoft Graph.app
    • Microsoft Office Reminders.app
    • Microsoft Office Setup Assistant.app
    • Microsoft Query.app
    • Microsoft Upload Center.app
    • My Day.app
    • Office365Service.app
    • Open XML for Excel.app
    • SyncServicesAgent.app
    • Net Monitor.app
    • OnyX.app
    • OpenDNS Updater.app
    • Path Finder.app
    • Sonos.app
    • TechTool Pro 7.app
    • TimeMachineEditor.app
    • TrueCrypt.app
    • VLC.app
    • WD Security.app
    • Wuala-URL-loader.app
    • Wuala.app
    • nplastpass.app
    • Microsoft AutoUpdate.app
    • Microsoft Error Reporting.app
    • Microsoft Ship Asserts.app
    • nplastpass.app
    • Java Updater.app
    • LastPass.app
    • GrowlHelperApp.app
    • GrowlMenu.app
    • Perian - Open in QT Player.app
    • PerianUpdateChecker.app
    • TechToolProAgent.app
    • TechToolProDaemon.app
    • TechToolProStartup.app
    • FileZilla.app
    • WDSecurityHelper.app

  • by forappie,

    forappie forappie Dec 19, 2014 12:16 AM in response to forappie
    Level 1 (25 points)
    Dec 19, 2014 12:16 AM in response to forappie

    Since I have partitioned my Mac's internal disk and installed on one partition Mavericks and the second partition Yosemite, I can now inspect the logfiles of the failing Yosemite installation. The log file which attracted my attention was 'accountpolicy.log'. I could exactly see when it went wrong yesterday. Although not all at the same time but within a day all accounts get the following log entry

     

    Dec 19 00:22:55 (45.4) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

     

    My Mac is registered with a Mac OS X server at home via Profile Manager and when I read "ProfilePayload" this looks related to Profile Manager. I have indeed specified a maximum of 5 failed login attempts. However, I would expect this counter to revert to 0 each time you have a successful login. Can someone confirm what the behaviour I should expect?

     

    Since I registered my Mac earlier this week only, this might explain why the issue  started now and not earlier.

     

    I can change the policy myself but I'm not sure whether you have to be logged in for policies to be updated or whether simply starting up and having access to the login screen is sufficient.

     

    For completeness I'm also posting the last successful and first unsuccessful attempt:

     

     

    Dec 17 19:02:23 (45.10) SecondsUntilPasswordExpires completed: record "<<user1>>", result: never expires.

    Dec 17 19:02:27 (45.11) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 17 19:02:27 (45.12) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 17 19:02:27 (45.13) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 17 19:02:28 (45.14) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 17 19:04:20 (45.15) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 17 19:04:20 (45.16) AuthenticationAllowed completed: record "Guest", result: Success (0).

    Dec 17 19:04:20 (45.17) AuthenticationAllowed completed: record "<<admin1>>", result: Success (0).

    Dec 17 19:04:20 (45.18) AuthenticationAllowed completed: record "<<admin2>>", result: Success (0).

    Dec 17 19:04:21 (45.19) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 17 19:04:21 (45.20) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 17 19:04:21 (45.21) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 17 19:04:21 (45.22) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 18 17:20:17 Account Policy Helper agent starting

    Dec 18 17:20:17 (45.1) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 18 17:20:17 (45.2) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 18 17:20:17 (45.3) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 18 17:20:17 (45.4) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 18 17:20:17 (45.5) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 18 17:20:17 (45.6) AuthenticationAllowed completed: record "<<user1>>", result: Success (0).

    Dec 18 17:20:17 (45.7) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 18 17:20:17 (45.8) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:55 Account Policy Helper agent starting

    Dec 19 00:22:55 (45.1) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:55 (45.2) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:55 (45.3) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:55 (45.4) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:56 (45.5) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:56 (45.6) AuthenticationAllowed completed: record "<<admin2>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:56 (45.7) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:22:56 (45.8) AuthenticationAllowed completed: record "Guest", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:23:00 (45.9) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:23:00 (45.10) SecondsUntilPasswordExpires completed: record "<<user1>>", result: never expires.

    Dec 19 00:23:05 (45.11) AuthenticationAllowed completed: record "<<user1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:23:42 (45.12) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

    Dec 19 00:23:42 (45.13) SecondsUntilPasswordExpires completed: record "<<admin1>>", result: never expires.

    Dec 19 00:23:55 (45.14) AuthenticationAllowed completed: record "<<admin1>>", result: Failed Authentication Policy (-47102), Failed global policy "ProfilePayload:d3395090-1294-012f-4d37-482a1455fa5c:maxFailedAttempts".

  • by forappie,Solvedanswer

    forappie forappie Jan 11, 2015 9:16 AM in response to forappie
    Level 1 (25 points)
    Jan 11, 2015 9:16 AM in response to forappie

    I finally cracked the problem after many tests and 2nd line Apple server support group in Ireland. The problems were caused by one or more 'rogue' password policies distributed by my Mac home server. These password policies were no issue on the Mavericks client but created havoc when I upgraded to Yosemite.

     

    I had to take the following steps:

    1. Remove Yosemite client from ProfileManager running on (home) server. When your client is enrolled, ProfileManager can still remove the client even if you can't login yourself
    2. On the Yosemite client, enable root and create a new admin account (alternatively I could also re-run the Yosemite installer over the existing client installation as this unlocked all accounts for 1 or 2 restarts)
    3. Login with new admin account and disable root
    4. in terminal on the client with the new admin account execute 'sudo /usr/bin/pwpolicy clearaccountpolicies'. This responds with 'Clearing global account policies'. This is described in technical article HT203114 under slightly different circumstances but it worked for me.
      Note: it may be useful to run the following command before and after clearing the policies to see whether it worked: sudo /usr/bin/pwpolicy getaccountpolicies . This command shows the global account policies in force.
    5. before re-enrolling to the server delete the old password policy on the server (and replace by new policy). The new policy no longer shows the maxfailedAttempts rule which caused all the problems.
    6. re-enroll client to profile manager as required

     

    These steps solved it for me. I have been using my Yosemite client now for 2 weeks without the issue returning.

     

    For your information I also tried a number of other solutions which didn't work for me:

    1. Running the Yosemite installer over the existing Yosemite client with problems only allows 1 or 2 logins before the accounts get disabled
    2. backup/delete/restore Open Directory on the server ... after 1 or 2 restarts all accounts were disabled again
    3. even after starting with a clean Open Directory (I deleted the existing one and created one from scratch) the accounts still got disabled. This gave indication server must put some policies permanently on the client
    4. starting without network didn't make any difference (ie the password policy is present on the client to prevent accounts to login). Again this makes you think there are permanent policy rules on the client

    Also note the 'pwpolicy clearaccountpolicies' option only exists in Yosemite, not Mavericks. see 'man pwpolicy' for details.

     

    Pfffffttttttt

  • by Ty Davison,

    Ty Davison Ty Davison Feb 5, 2016 9:14 PM in response to forappie
    Level 1 (5 points)
    Feb 5, 2016 9:14 PM in response to forappie

    Absolutely a life-saver of a solution for me. Thank you very much!

Previous Page 2