Need help on Macbook Pro login issue

Hi Expert,

I have a user who changed his password in Windows (domain account); he is then unable to log in to his MacBook Pro (High Sierra) with either the old or the new password. At first he kept trying the new password and got his domain account locked, as checked from the backend. Unlocking it and using the old password does not work; it's due to the password not syncing to the keychain. I, however, am unable to see any of the keychains with the domain admin login or the local admin. I find no way to delete the keychain; Preferences -> General, where the default keychain would be reset, is missing.

I used the Mac reset password method, and after I put in the password for the Macintosh HD I am getting "This user has been temporarily locked. Try again later."

I would appreciate it if any expert can advise me on this, as I am not a pro on Mac.

David Favor

There are several ways to handle this.

1) Locks last 24 hours, so you can just wait 24 hours + try again. This may or may not work.

2) You can contact Apple Account Reset Support for faster assistance.

3) You can take the Mac into your nearest Genius Bar.

Tip: Once you get this Mac unlocked, enable the root user + set a root password. This way, if problems arise in the future, you can login as root to complete any action required.

Tip: If you have multiple Macs which might end up in this same state, it's best to set up the root user on all these Macs.

xchiazyx
Hi Sir,

Thank you for getting back to me.

What is the root user compared to a local admin account?

Options 2 & 3 do not work because it's a domain account and the user won't go to the Genius Bar.


The root user is a special admin user.

Once enabled, this user will show up in the user list for logins + is uid=0/gid=0, so it is attributed special powers.

Other admin users are treated more like real users.

The root user is God on a machine. Best to avoid setting up the root user to pull passwords from anywhere, else this can cause machines to brick if the directory/user lookup service is dead.

The way to handle this entire problem is usually fairly simple...

1) Hold down Command-S

2) Reboot

3) After reboot, you're running as root in single user mode.

At this point, you can do anything root can do.

Once in as root, enable the root account to show up in multi-user mode + disable using the Windows user lookup service for the user with the problem.

Then reboot in single user mode + login as root + fix the problem.

Hi Sir,

Once I boot inside, will I be able to see the user's password keychain? I need to remove it to actually solve this.

TLDR: Connect the MacBook to a wired Ethernet cable on the domain network. You'll be able to use the new domain password. To avoid this in the future, Mac users on the domain should change their password from the Mac while it's connected to the domain network.

Long explanation:

If you were away from the domain and haven't connected to the domain network after you changed the domain credential, then the old password will continue to work on the MacBook until you connect to the domain. Windows laptops do the same thing, but unlike Macs, the WiFi can remain enabled when you're not logged in.

When you have a domain-joined, WiFi-connected MacBook, you should change the password from the MacBook. The problem with the Mac laptops is that they aren't connected to the WiFi network until you attempt to log in. When you change the domain account from Windows, the password gets changed before it can update on the Mac.

Before you type in the password, the WiFi is not turned on yet, so the old password credential is cached for the mobile account. You must use the old password to initiate the login to turn on the WiFi and connect to the network. The moment you turn on the WiFi, the domain rejects the old, incorrect domain password. This prevents the account from logging in. The Mac still retains the old password credentials of the mobile account. The new password doesn't work on the Mac yet, because that doesn't match the cached credential.

Single user mode password resets are the old way to get into OS X. You should boot into Recovery mode (Command-R) and reset the password that way. If you're not a command line person, don't use Single user mode; use the Recovery mode password reset. It's easier and has fewer steps.

P.P.S. @David
Do not tell people to enable the root user password. That's not how OS X or Ubuntu is supposed to work. They're supposed to use sudo and ssh keys. The root account is enabled without a password for security. Don't break the OS X and Ubuntu security model to use the old-fashioned Redhat server model of root access. This is a user OS, and should not have root passwords enabled. You can become root without the root password. Stop using old Redhat methods on Ubuntu and OS X. You're going to get regular, non-Unix-savvy users into trouble. Enabling direct access to root is just going to cause problems for them. Redhat users use root because it's more used as a server by sysadmins. (People that are supposed to know Unix, but I would still force sudo on the junior admins for better password security. Even AWS forces sudo as the default on their Linux instances. Nobody should really su or ssh to root these days.)
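The mobile-account caching behaviour described in the answer above (old password still cached on the Mac, new password only known to the directory) can be checked before a user changes a password anywhere other than the Mac. The script below is an added example written for this thread, not code from the original post or from Apple. It assumes a macOS host with `dsconfigad` and `dscl`, that `dsconfigad -show` prints an `Active Directory Domain = ...` line, that the AD node can be listed with `dscl localhost -list "/Active Directory"`, and that a domain controller answers LDAP on port 389; the decision logic is kept in `classify_state` so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a domain (mobile-account)
# user on a macOS laptop before the password is changed from a Windows machine.
# Assumed tools: dsconfigad and dscl (macOS); LDAP reachable on port 389.

# classify_state: pure decision logic, separated so it runs anywhere.
#   $1 bound      yes|no   Mac is bound to an AD domain
#   $2 reachable  yes|no   a domain controller answers on the network
#   $3 local_auth ok|fail  password matches the cached local (mobile account) record
#   $4 dir_auth   ok|fail  password is accepted by the directory itself
classify_state() {
  if [ "$1" != yes ]; then echo not-bound; return 0; fi
  if [ "$2" != yes ]; then echo offline-cached-only; return 0; fi
  case "$3:$4" in
    ok:ok)   echo in-sync ;;
    ok:fail) echo stale-cache ;;            # old password still cached; directory has moved on
    fail:ok) echo cache-behind-directory ;; # new password valid in AD, not yet synced to the Mac
    *)       echo both-fail ;;              # wrong password, or the account is locked out in AD
  esac
}

# advice: one line of guidance per state, matching the thread's recommendations.
advice() {
  case "$1" in
    in-sync)                echo "OK: change the password from this Mac while on the domain network." ;;
    stale-cache)            echo "Cached credential is stale: connect to the domain network (wired) and sign in with the old password once so the mobile account can re-sync." ;;
    cache-behind-directory) echo "Directory already has the new password: connect to the domain network so the mobile account can re-sync." ;;
    both-fail)              echo "Neither node accepts this password: check for an AD lockout before retrying; repeated attempts extend the lockout." ;;
    offline-cached-only)    echo "Domain unreachable: only the cached password will work; do not change it until back on the domain network." ;;
    not-bound)              echo "This Mac is not bound to Active Directory." ;;
  esac
}

# probe_mac: gathers the four facts on a real macOS host.
# Username in $1; the password is read from the terminal, never passed as an argument
# (arguments are visible in the process list). One directory auth attempt is made,
# and a wrong password counts toward the AD lockout threshold, so run it once.
probe_mac() {
  user=$1
  printf 'Password for %s: ' "$user"; stty -echo; read -r pw; stty echo; echo
  bound=no; reachable=no; local_auth=fail; dir_auth=fail
  domain=$(dsconfigad -show 2>/dev/null | awk -F' = ' '/Active Directory Domain/ {print $2}')
  [ -n "$domain" ] && bound=yes
  # Reachability: the domain name must resolve and a DC must accept a TCP connect on LDAP.
  if [ "$bound" = yes ] && nc -z -w 2 "$domain" 389 >/dev/null 2>&1; then reachable=yes; fi
  # Cached credential: authenticate against the local node only.
  dscl /Local/Default -authonly "$user" "$pw" >/dev/null 2>&1 && local_auth=ok
  # Directory credential: authenticate against the AD node (node name is listed, not guessed).
  node=$(dscl localhost -list "/Active Directory" 2>/dev/null | head -n 1)
  [ -n "$node" ] && dscl "/Active Directory/$node/All Domains" -authonly "$user" "$pw" >/dev/null 2>&1 && dir_auth=ok
  unset pw
  state=$(classify_state "$bound" "$reachable" "$local_auth" "$dir_auth")
  echo "state: $state"
  advice "$state"
}

# Only probe when a username is given and the macOS directory tools exist.
if [ $# -ge 1 ] && command -v dscl >/dev/null 2>&1 && command -v dsconfigad >/dev/null 2>&1; then
  probe_mac "$1"
fi
```

Usage on the Mac: `sh check_mobile_account.sh jdoe`, then enter the password the user intends to type at the login window. A `stale-cache` result is exactly the situation in the question: the Mac still accepts the old password locally while the directory has already rejected it, and the fix is a wired connection to the domain network rather than a keychain deletion.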
Sorry, I forgot to close this question. Much appreciated; it was solved by changing the LAN port. On certain LAN ports the backend had configured something which is not suitable for update and sync, so I helped the user change the password from AD, waited 24 hours for the lockout to end, and he was able to log in. Thanks all for the kind support.