Fixing network user login problems on a Mac correctly bound to an AD or OD domain

In Mac OS X 10.6.x, it’s possible to set the login window to not allow network users to log into the computer, even when the Mac itself is correctly bound to your Active Directory or Open Directory domain.

If you run across a machine that is correctly bound to your domain but is not allowing logins from network accounts, use the steps below to check whether the login window has been set to not allow logins by network users.

1. Log in with your local administrator account. This should be a local user on the machine, so logins with this account should work OK.

2. Once logged in, open System Preferences.

3. In System Preferences, click on Accounts.

4. Once the window opens, unlock the settings by clicking on the lock in the bottom left corner of the window.

5. Once unlocked, click on Login Options.

6. If the login window is set to not allow network users, the Allow network users to log in at login window setting will be unchecked.

7. If unchecked, check the box next to Allow network users to log in at login window.

8. Next, click the Options… button next to the Allow network users to log in at login window setting and verify that the All network users option is selected. (If you need to set this for only certain network users, you can do this here by selecting Only these network users:).

9. Once you’ve verified that the All network users option is selected, click the Done button.

10. Quit out of System Preferences.

11. Check to make sure the user can now log in.

  1. July 13, 2011 at 10:05 pm

    These preferences can be set by the directory in a machine record for the computer. You can set this up in Workgroup Manager, and it is best for managing large numbers of machines.
    If you turn on authenticated binding then you get a machine record in the Directory for free when you bind.

  2. July 13, 2011 at 10:06 pm

    Also handy for troubleshooting at the login window is enabling DSStatus, so you know if network accounts are available.

    defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus

  3. August 1, 2011 at 7:56 pm

    I accidentally* un-checked that and now cannot log in at all, even with the local admin account.

    I can ssh into the machine with the local admin account, so is there a command line option to re-enable “Allow network users to log in at login window”?

    *I didn’t mean to click on it, and the machine actually locked up when I un-checked it, so I wasn’t able to re-check it. I had to force shutdown, figuring I’d go back in with the local admin account.

    • August 1, 2011 at 8:07 pm

      I think that setting is stored in /Library/Preferences/com.apple.loginwindow.plist. Since you have SSH access, try running the following command and then restarting the machine:

      sudo mv /Library/Preferences/com.apple.loginwindow.plist /Library/Preferences/com.apple.loginwindow.plist.backup

      Hopefully, you should at least be able to log in with your local admin account then. Good luck!

      • August 1, 2011 at 8:08 pm

        That command should be all in one line.

  4. August 1, 2011 at 8:34 pm

    Unfortunately, that didn’t work. It just changed the options for the login window itself (hiding the Restart and Shutdown keys, etc.)

    Thanks anyway. I posted on the Apple Discussion boards. There’s got to be a way to set that option via a pref or config file somewhere.

  5. August 1, 2011 at 10:35 pm

    Okay, I found the answer, thanks to this: https://discussions.apple.com/thread/2742121

    Essentially, when you uncheck that it creates a group called com.apple.access_loginwindow with no members in it. So, to fix it, delete the group:

    sudo dseditgroup -o delete -T group com.apple.access_loginwindow

    The only problem is, now the “Allow network users” option isn’t even there (but it’s still allowing me to log in).
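
An added example, not part of the post or its comments: a read-only check, run over SSH, that tells apart the three states the last comment implies for the `com.apple.access_loginwindow` group (missing, present with no members, present with members). The group name comes from the comment; the function names, the `dscl` output layout and the meaning given to a failed read are assumptions.

```bash
#!/bin/bash
# Added example, not from the post or its comments.
GROUP="com.apple.access_loginwindow"   # group name given in the comment above

# classify_acl READ_RC OUTPUT -> prints absent | empty | populated
#   READ_RC: exit status of the dscl read; OUTPUT: what it printed.
# Assumptions: a non-zero status means there is no group record, and dscl
# prints "Key: values" lines (values may wrap onto indented lines).
classify_acl() {
    acl_rc="$1"; acl_out="$2"
    if [ "$acl_rc" -ne 0 ]; then
        echo "absent"
        return 0
    fi
    # Keep only the values of the two membership attributes.
    acl_members=$(printf '%s\n' "$acl_out" | awk '
        /^(GroupMembership|NestedGroups):/ { keep = 1; sub(/^[^:]*:/, ""); print; next }
        /^[ \t]/ && keep                   { print; next }
        { keep = 0 }' | tr -d '[:space:]')
    if [ -z "$acl_members" ]; then
        echo "empty"
    else
        echo "populated"
    fi
}

report() {
    case "$1" in
        absent)    echo "$GROUP: no such group (state after the delete above)" ;;
        empty)     echo "$GROUP: exists with no members (the lock-out state)" ;;
        populated) echo "$GROUP: has members; review who is listed" ;;
    esac
}

if command -v dscl >/dev/null 2>&1; then
    # Live check on the Mac, e.g. over SSH as the local admin.
    out=$(dscl . -read "/Groups/$GROUP" GroupMembership NestedGroups 2>/dev/null) && rc=0 || rc=$?
    report "$(classify_acl "$rc" "$out")"
else
    # No dscl here: run on a constructed sample of an empty group read.
    sample='No such key: GroupMembership
No such key: NestedGroups'
    report "$(classify_acl 0 "$sample")"
fi
```

Running this before and after a change to the login window setting records which state the machine is in without touching the group.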
