Solved

Mac OSX (10.9) bound to AD but cannot login using domain credentials for the first time using wireless

Posted on 2013-12-05
Last Modified: 2013-12-10
I successfully connected my MacBook to my AD domain but I'm not able to log in to it using domain credentials. The Mac doesn't have a hard-wired connection, only wireless. I've seen this on the Windows side too for tablets and other PCs that don't have wired network connections. For the PCs, I have to connect to the wireless under the local admin account (join the domain) and then switch user (not log off) so that the wireless is still connected to the network and I can log in for the first time to create the profile and cached password. I do see the Mac computer account in AD so I think it is bound correctly. If I had a network connection, I think it would work but since it's wireless only (and I don't have a wireless connection at the login screen), it can't see the domain.
Question by: vianceadmin
Accepted Solution by: serialband (earned 500 total points)
It's a little more involved on the Mac. You'll either need to connect to a wired network with a Thunderbolt to Ethernet adapter or you'll have to prepare the account first. Wireless connections on a MacBook are disabled until a user logs in.

Here's what I did to prepare a few Macs for remote AD account access without knowing the user's password. I tested it first with some test accounts that I had the passwords to.

Log in as a local admin on the computer.  You'll need to be an admin to run sudo.

Make sure you set the Login Options under Users & Groups in System Preferences to enable the fast user switching menu.

Start the Terminal (/Applications/Utilities/Terminal.app)

Add the account, USERNAME, as a mobile account to the computer so that you can use fast user switching. You can't switch to the account if it doesn't exist in the menu. It needs to be a mobile account or it will disappear from the account list when you're not on the network. Use the following command in Terminal:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n USERNAME

Log out of the local admin account, then log back in for the account name to appear in the fast user switching menu.

At this point, make sure you're connected to the wireless network.  It may be necessary to enable your VPN, if you're connecting from a remote external site.  I tested this from home through a VPN too.

Select the AD user from the fast user switching menu in the upper right.  You will be prompted for the account password.  Enter the password to switch users and the credentials will be cached.  You are now logged in with 2 accounts, the local admin account and the domain account.  You will be able to log in with the AD account without a network connection, once you've cached the password credentials.  This will remain in effect until you are forced to change passwords by the domain controller.

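A script version of the preparation steps above, added here as an example and not part of serialband's answer. It assumes the Mac is already bound, that AD is in the directory search path (so `dscl /Search` resolves domain users), and that a mobile record exposes the OriginalNodeName attribute; the function names, exit codes and DRY_RUN switch are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the answer's
# createmobileaccount step with the checks a practitioner would want
# (bound to AD? user resolvable? record really a mobile account?).
# Assumption: AD is in the directory search path, so dscl /Search resolves
# domain users. DRY_RUN=1 prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# run: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_username: allow only the characters a short AD logon name uses, so
# the value cannot be mistaken for an option or break the dscl record path
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# prepare_mobile_account USERNAME
# exit codes: 2 bad name, 3 not bound, 4 user not found in AD,
# 5 createmobileaccount failed, 6 record exists but is not a mobile account
prepare_mobile_account() {
    user="$1"
    valid_username "$user" || return 2
    if [ "$DRY_RUN" != "1" ]; then
        # dsconfigad -show lists "Active Directory Domain = ..." only when bound
        dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain' || return 3
        # the user must resolve through the search path before it can be cached
        dscl /Search -read "/Users/$user" RecordName >/dev/null 2>&1 || return 4
    fi
    # create the mobile account so it stays in the login list off the network
    run sudo "$CMA" -n "$user" || return 5
    # a mobile (cached) record carries OriginalNodeName pointing at the AD node;
    # a plain local account does not have it
    run dscl . -read "/Users/$user" OriginalNodeName || return 6
    return 0
}

# usage: ./prepare_mobile_account.sh USERNAME   (DRY_RUN=1 to preview)
if [ -n "${1:-}" ]; then prepare_mobile_account "$1"; fi
```

After the account is created, log out and back in, then switch to the AD user from the fast user switching menu while on the wireless network, exactly as the answer describes.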