qvfps


Attaching Apple MacBook Pro to Windows AD

I am trying to integrate MacBook Pros and Windows computers into an Active Directory domain. I have a test network set up and I have managed to add Windows computers to the domain (no surprise there) and bind a MacBook Pro.

I have a GPO which sets the basic password security (length, complexity, age etc.) and I am able to log on with a standard network account both on and offline and manage the MacBook using accounts in the MacAdmin group I set up. However I am having the following issues and I would appreciate any feedback, with the exception of changing to all Windows.

1) There is close to a minute delay after the logon prompt is displayed on the MacBook before network accounts are available to log on. This is not a huge deal unless it is the first time a user has logged on, the password has been changed in AD, or "User must change password at next logon" has been checked in AD.

2) If a password change is required by AD and a user on the MacBook does not wait for the "Network Accounts Are Unavailable" message to go away and logs on with their cached credentials, they receive a message that a password change is required. If you click OK or hit Esc the message goes away, but the logon to the MacBook never completes and they are left with a fuzzy screen and forced to power cycle the MacBook to get back to the logon prompt.

3) If the password is changed in AD and "User must change password at next logon" is checked and a user on the MacBook does not wait for the "Network Accounts Are Unavailable" message to go away, they can log on with their cached credentials. They receive a popup "Enter your name and password for the server 'Servername'". If they enter their cached credentials it doesn't accept them. If they enter the new password set in AD it says a password change is required and the popup is re-displayed. Pressing Escape exits the popup and logs the user on with their cached credentials.

4) After the MacBook has gone to sleep for an extended period I am unable to connect to network shares right away. It can take a few minutes to fully reconnect.

This test network is a standalone network with no access to the internet. I am running Windows 2016 with DHCP and DNS. I have set the DNS server and NTP server in DHCP to point to the Windows Server. The MacBook Pro is running High Sierra. I have connected the server and computers through a small 5 port switch.

I have noticed that the time is not exactly synced between the two. The NTP setting in DHCP does not do anything on the Mac. When I check time settings it is set to Apple Time. I have set the time on both to be within ~1 second, but without being able to change the NTP setting on the Mac I'm not sure how to get it fully synced.

Thanks for any suggestions.
ASKER CERTIFIED SOLUTION
Michael Machie
Set user accounts to be mobile accounts. After you bind the Mac, turn on mobile accounts.

https://derflounder.wordpress.com/2015/04/09/creating-mobile-accounts-using-createmobileaccount-is-not-working-on-os-x-10-10-3/
qvfps

ASKER

I will try clearing the keychain and not saving a new password and see if that helps.

I have already set up all accounts to be mobile accounts. That is how the user is allowed to log on before the "Network Accounts Are Unavailable" message goes away. Without it there is close to a 1 minute delay while you wait for the network accounts to become available. Not using mobile accounts removes the problem of being able to log on before the new password is updated or expired, but adds a delay in logging on and limits users to only being able to log on while connected to the network. I know it doesn't sound that long, but when you are staring at the logon prompt for a minute it feels like forever before you are able to log on.
qvfps

ASKER

I made two changes, without testing each separately, which drastically reduced the time before the "Network Accounts Are Unavailable" message goes away.

1) I connected the Windows Domain server to the Internet so I could synchronize time with an accurate time source.
2) I removed the network account from the keychain.

After making those changes the delay is down to just a few seconds most of the time.

I will do some further testing and post any other results I find.
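The two settings this thread converges on, mobile accounts (the accepted answer) and an accurate clock on both sides (the asker's follow-up), can be checked and applied from a shell on the bound Mac. The script below is an added example, not code from the thread; the `dsconfigad -show` sample text and the domain and DC names are constructed placeholders, and the parsing assumes the "Create mobile account at login" / "Require confirmation" wording of that command's output.

```shell
#!/bin/sh
# Added example: verify mobile accounts and clock skew on an AD-bound Mac.
# Domain/DC names below are placeholders, not values from the thread.

# Return 0 if `dsconfigad -show` output (passed as $1) reports mobile accounts
# enabled with the per-login confirmation dialog disabled, else 1.
mobile_accounts_enabled() {
    printf '%s\n' "$1" | grep -q 'Create mobile account at login *= *Enabled' || return 1
    printf '%s\n' "$1" | grep -q 'Require confirmation *= *Disabled' || return 1
    return 0
}

# Kerberos (used for AD logon) rejects requests once clocks differ by more than
# 300 seconds by default; flag anything beyond a much tighter limit (default 60 s).
clock_skew_ok() {
    mac_epoch=$1; dc_epoch=$2; limit=${3:-60}
    diff=$((mac_epoch - dc_epoch))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$limit" ]
}

# Constructed sample of `dsconfigad -show` output for a Mac bound without mobile accounts.
SAMPLE_SHOW='Active Directory Domain          = ad.example.test
Computer Account                 = mac01$
Advanced Options - User Experience
  Create mobile account at login = Disabled
  Require confirmation           = Enabled'

mobile_accounts_enabled "$SAMPLE_SHOW" && echo "sample: mobile accounts on" \
                                       || echo "sample: mobile accounts OFF"

# Live checks and fixes, only when run on a Mac that has the AD tooling.
if command -v dsconfigad >/dev/null 2>&1; then
    if ! mobile_accounts_enabled "$(dsconfigad -show)"; then
        # Turn on mobile accounts after binding, without the confirmation prompt.
        sudo dsconfigad -mobile enable -mobileconfirm disable
    fi
    # macOS ignores the DHCP NTP option (as noted above), so set the DC explicitly.
    sudo systemsetup -setnetworktimeserver "dc01.ad.example.test"
    sudo systemsetup -setusingnetworktime on
    # Compare the Mac clock with the DC via SNTP and report the skew.
    dc_now=$(sntp "dc01.ad.example.test" | awk '{print $1}' | head -n1)
    echo "Mac time: $(date '+%Y-%m-%d %H:%M:%S')  DC reply: $dc_now"
fi
```

Once the Mac's own `dsconfigad -show` reports both settings enabled/disabled as expected and the clocks agree within a few seconds, the "Network Accounts Are Unavailable" wait in the thread is down to the DNS and LDAP lookups only.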