Fixing network user login problems on a Mac correctly bound to an AD or OD domain
In Mac OS X 10.6.x, it’s possible to set the login window to not allow network users to log into the computer, even when the Mac itself is correctly bound to your Active Directory or Open Directory domain.
If you run across a machine that is correctly bound to your domain, but not allowing logins from network accounts, see below the jump for how to check if the login window has been set to not allow logins by network users.
1. Log in with your local administrator account. This should be a local user on the machine, so logins with this account should work OK.
2. Once logged in, open System Preferences.
3. In System Preferences, click on Accounts.
4. Once the window opens, unlock the settings by clicking on the lock in the bottom left corner of the window.
5. Once unlocked, click on Login Options.
6. If the login window is set to not allow network users, the Allow network users to log in at login window setting will be unchecked.
7. If unchecked, check the box next to Allow network users to log in at login window.
8. Next, click the Options… button next to the Allow network users to log in at login window setting and verify that the All network users option is selected. (If you need to set this for only certain network users, you can do this here by selecting Only these network users:).
9. Once you’ve verified that the All network users option is selected, click the Done button.
10. Quit out of System Preferences.
11. Check to make sure the user can now log in.
These preferences can be set by the directory in a machine record for the computer. You can set this up in Workgroup Manager, and it is best for managing large numbers of machines.
If you turn on authenticated binding then you get a machine record in the Directory for free when you bind.
Also handy for troubleshooting at the login window is enabling DSStatus, so you know if network accounts are available.
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
I accidentally* un-checked that and now cannot log in at all, even with the local admin account.
I can ssh into the machine with the local admin account, so is there a command line option to re-enable “Allow network users to log in at login window”?
*I didn’t mean to click on it, and the machine actually locked up when I un-checked it, so I wasn’t able to re-check it. I had to force shutdown, figuring I’d go back in with the local admin account.
I think that setting is stored in /Library/Preferences/com.apple.loginwindow.plist. Since you have SSH access, try running the following command and then restarting the machine:
sudo mv /Library/Preferences/com.apple.loginwindow.plist /Library/Preferences/com.apple.loginwindow.plist.backup
Hopefully, you should at least be able to log in with your local admin account then. Good luck!
That command should be all in one line.
Unfortunately, that didn’t work. It just changed the options for the login window itself (hiding the Restart and Shutdown keys, etc.)
Thanks anyway. I posted on the Apple Discussion boards. There’s got to be a way to set that option via a pref or config file somewhere.
Okay, I found the answer, thanks to this: https://discussions.apple.com/thread/2742121
Essentially, when you uncheck that, it creates a group called com.apple.access_loginwindow with no members in it. So, to fix it, delete the group:
sudo dseditgroup -o delete -T group com.apple.access_loginwindow
The only problem is, now the “Allow network users” option isn’t even there (but it’s still allowing me to log in).
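The GUI steps in the post and the dseditgroup fix in the comment above both come down to the state of one local group, com.apple.access_loginwindow: no group means "All network users", a group with members means "Only these network users", and a group with no members at all is the locked-out state. The script below is an added example of mine, not code from the post or its commenters; it reads that group record over SSH with dscl (a standard macOS tool) and classifies it, so a machine can be checked before anyone is locked out. The group name comes from the thread; the record layout assumed by the parser (one "Key: value" line per attribute, continuation values indented by a space) is the usual dscl -read format, and the sample records used for the offline demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify the login-window access
# group so you can tell from a shell whether network-account logins are blocked.

# classify_loginwindow_acl RECORD_TEXT
#   RECORD_TEXT is the output of
#     dscl . -read /Groups/com.apple.access_loginwindow
#   or an empty string when that group record does not exist.
# Prints exactly one word:
#   absent  - no group record: "All network users" may log in (the default)
#   empty   - group exists with no members: network users are locked out
#   members - group lists users/nested groups: "Only these network users"
classify_loginwindow_acl() {
    record="$1"
    if [ -z "$record" ]; then
        echo absent
        return 0
    fi
    # Keep only the values of GroupMembership and NestedGroups, including
    # continuation lines (dscl indents those with a space); drop every other
    # attribute of the record.
    members=$(printf '%s\n' "$record" | awk '
        /^(GroupMembership|NestedGroups):/ { inattr = 1; sub(/^[A-Za-z]+:/, ""); print; next }
        /^ /                               { if (inattr) print; next }
                                           { inattr = 0 }
    ' | tr -s ' \t\n' ' ' | sed -e 's/^ *//' -e 's/ *$//')
    if [ -z "$members" ]; then
        echo empty
    else
        echo members
    fi
}

# Constructed sample records (the GeneratedUID values are placeholders) so the
# classifier can be exercised on a machine that is not a Mac.
SAMPLE_EMPTY='AppleMetaNodeLocation: /Local/Default
GeneratedUID: 00000000-0000-0000-0000-000000000000
PrimaryGroupID: 400
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups'

SAMPLE_MEMBERS='AppleMetaNodeLocation: /Local/Default
GeneratedUID: 00000000-0000-0000-0000-000000000000
GroupMembership: alice bob
NestedGroups:
 11111111-2222-3333-4444-555555555555
PrimaryGroupID: 400
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups'

# read_loginwindow_acl: fetch the live record; prints nothing when the group is
# absent (dscl then reports eDSRecordNotFound on stderr and exits non-zero).
read_loginwindow_acl() {
    dscl . -read /Groups/com.apple.access_loginwindow 2>/dev/null || true
}

echo "constructed record, no members : $(classify_loginwindow_acl "$SAMPLE_EMPTY")"
echo "constructed record, with members: $(classify_loginwindow_acl "$SAMPLE_MEMBERS")"
echo "no record at all                : $(classify_loginwindow_acl "")"

# On a real Mac, also report the live state of this machine.
if [ "$(uname)" = Darwin ] && command -v dscl >/dev/null 2>&1; then
    echo "this machine                    : $(classify_loginwindow_acl "$(read_loginwindow_acl)")"
fi
```

Run it over SSH as the local admin; a result of "empty" is the state the commenter hit, and the remedy in the thread is to delete the group with dseditgroup. A result of "members" lists an intentional "Only these network users" restriction, so check the membership with dscl before changing anything.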
Hi. Basically this is with respect to 10.8 Mountain Lion. I have selected the option "allow only these users" and selected some three users; those users are unable to log in, but if I select All Network users then they can log in.