Here's a question for you: when "John" logs into the machine, which account password works? The local account or domain account?
At any rate, I'm suspecting that only John's local account password works, not the domain account. I believe that local accounts are matched first, and then domain accounts. You might be able to edit the search order in the Directory Utility application, but don't quote me on that.
You can try asking the user to specify the domain as part of his login name: domain\john, john@domain, etc. This might not be ideal for the user, but at least you can verify that the domain account actually works. Assuming there's no problem with the user's home directory because there is a "john" account in multiple domains, that is!
Yes, this makes sense. The way logins work is that the Mac will always default to the local node for an account login, then to external domains, like AD. If you have an account with the same name, there isn't a way for the OS to know by simply typing in "John" in the username field that you mean "John from AD" not "John in the local node". Since it found "John" in the /Local/Default node, it logs in to that account.
Off the top of my head, I can't really think of a way to fool the OS into logging in with an AD account if they are named the same. You're probably going to have to rename the local account to something else I think. Maybe someone else has a better idea though.
Thank you @mikeh & @mm2270
Yes, it's only allowing me to log in with the local account's password. When trying the domain account password, it gets rejected.
hmmmm.... My task is to migrate everyone off their local account and onto their domain account. This is going to be a blocker.
Thanks again :)
@Bernard.Huang It's possible to do what you're looking for, but you're likely going to have to script something, and maybe even make use of a one time LaunchDaemon.
The solution to this issue is that the local account needs to be deleted from the local domain (the home folder will not be touched) and then the AD account needs to be created using the createmobileaccount binary. When accounts are created with that binary they come from Active Directory, so they understand they are paired up with a directory account, not from the local node.
You can, in a script, pair up the user's existing home directory with their AD cached mobile account and when they log in that same home folder will get used.
If you need some guidance on how you might accomplish all this, post back and I can see about putting together a framework for this.
You could also do some searches on migrating from local to domain accounts here as I'm almost certain there are a couple of existing threads that talk about the process. One of them may give you the start you need.
So this is a fairly easy fix. Here are the steps:
1. Log in with a local admin account
2. Go to "System Preferences --> Users and Groups"
3. Delete your account, but select the option to leave the home folder
4. In the Finder go to /Users/ and change the name of the deleted user folder from "user (Deleted)" to "user"
5. In the terminal enter the following command:
6. sudo chown -R user:"Domain Users" /Users/user/
7. Log out and log in as user with your domain password
8. You will need to sync your keychain password or delete the keychain
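The two approaches above (mm2270's delete-then-createmobileaccount route and the manual step list) can be combined into one reviewable script. The following is an added example written for this thread, not code from the thread's posters or from Apple, and it makes assumptions you should confirm on your own macOS build: that `sysadminctl -deleteUser <name> -keepHome` is available (10.13 and later), that `createmobileaccount` lives at the ManagedClient.app path shown and accepts `-n` (name) and `-h` (home), and that the local and AD short names are identical, as in the thread. The "CORP" domain and the "jwick" user in the usage comments are placeholders. The `plan` mode only prints the commands so an admin can check them before anything is deleted; the `run` mode refuses to proceed unless the AD record actually resolves first, which is the lockout risk in this procedure.

```shell
#!/bin/sh
# Added example (not from the thread): migrate a local macOS account to an
# AD-backed mobile account while keeping the existing home folder.
# Assumptions (verify on your own macOS version):
#   - Mac is bound to AD; sysadminctl supports "-deleteUser <name> -keepHome".
#   - createmobileaccount is at MC_BIN below and accepts -n/-h (assumed flags).
#   - Local short name == AD short name (the situation in the thread).
set -eu

MC_BIN="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# Accept only the characters a macOS short name can contain. The name is spliced
# into dscl paths and chown arguments, so anything else is rejected outright.
validate_short_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the migration as shell lines without running them, so the plan can be
# reviewed (and tested) before any account is touched. $1 = short name, $2 = AD domain.
plan_migration() {
    user="$1"; domain="$2"; home="/Users/$user"
    printf '%s\n' \
      "dscl \"/Active Directory/$domain/All Domains\" -read \"/Users/$user\" RecordName" \
      "sysadminctl -deleteUser \"$user\" -keepHome" \
      "[ -d \"$home (Deleted)\" ] && mv \"$home (Deleted)\" \"$home\"" \
      "\"$MC_BIN\" -n \"$user\" -h \"$home\"" \
      "chown -R \"$user:\$(id -gn \"$user\")\" \"$home\""
}

# Perform the migration (macOS only, run as root). Order matters: the AD
# record is checked BEFORE the local record is removed.
run_migration() {
    user="$1"; domain="$2"; home="/Users/$user"
    validate_short_name "$user" || { echo "bad short name: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Never delete the account that currently owns the console session.
    [ "$user" != "$(stat -f %Su /dev/console)" ] || { echo "$user is logged in on console" >&2; return 1; }
    # Preflight: if this lookup fails the user would be locked out after deletion.
    dscl "/Active Directory/$domain/All Domains" -read "/Users/$user" RecordName >/dev/null \
        || { echo "AD account $user not found in $domain" >&2; return 1; }
    sysadminctl -deleteUser "$user" -keepHome
    # System Preferences renames the kept folder to "user (Deleted)"; undo that if present.
    if [ -d "$home (Deleted)" ]; then mv "$home (Deleted)" "$home"; fi
    "$MC_BIN" -n "$user" -h "$home"
    # Use the account's real primary group rather than hard-coding "Domain Users".
    chown -R "$user:$(id -gn "$user")" "$home"
    echo "migrated $user; the login keychain still holds the old local password and must be reset or removed"
}

# Usage (placeholders): sudo ./migrate.sh plan jwick CORP   # print steps only
#                       sudo ./migrate.sh run  jwick CORP   # perform them
case "${1:-}" in
    plan) plan_migration "$2" "$3" ;;
    run)  run_migration "$2" "$3" ;;
esac
```

The chown step queries `id -gn` after the mobile account exists, because the AD primary group is not always "Domain Users"; hard-coding the name from the step list above can leave the home folder owned by the wrong group. The keychain message at the end corresponds to step 8: the old login keychain is still protected by the local password and is not migrated by this script.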
Will this work on macOS 12.5 on an Intel-based chipset?
Can you better explain step 6 using say a domain user jwick ?
Would it be: sudo chown -R jwick."Domain Users" /Users/user/