Only one user cannot logon to all macs, but user can logon to all pcs

There actually is a deny list somewhere in JAMF from memory (maybe in the AD binding part), so first place to check is there, I believe it can contain both users and groups. You can also set deny in a configuration profile under Login Window.
To me it sounds more like an AD issue of some type with the users account maybe a field that has an invalid value that is upseting macOS, there are a few things that are interpretted slightly different than Windows. I'd compare their AD record with one as close as possible in role that was known to work.

NTFS permissions on the parent share of the users network home folder can also cause login problems. Just a thought. Maybe they're missing a group membership that everyone else is in perhaps?

One thing that we run into in our environment is that we have a tech that is unable to log in with his ID on a newly imaged machine... After investigation, it turns out that there is an identical ID in a different domain which is disabled.

I would make sure that the user has a UID/GID configured in AD if you are mapping those attributes, since their absence will cause this behavior. I've also seen AD home drive mappings fail, and cause the logon to fail. I'd check those against other users for irregularities.

Is there a configuration profile present? There is an option to deny users and usergroups under the LoginWindow payload:

Hello everyone. Thank you for your help. Though it is still not fixed. I appreciate your suggestions. Some of the macs are not in JAMF and still deny the one user. One mac we wiped out and immediately bound it to our domain with no extra software, and no JAMF. This one also deny's this one users login. We do not have a configuration profile that deny's anything or anyone. But it was good to check. We've compared the affected user's profile to another's profile and I was told that the affected users AD profile has more rights than the comparable users profile and it would not adversely affect the non-working users login privileges.
There is no second ID with the same name of the profile.

All of these suggestions were great, but we still have this problem. This user has been using their login for 14 years. This happened all of a sudden.

Thank you so much for your help!
-Chyrel

Did you check permissions on their AD home drive? Possibly try reapplying them just to be sure. You could probably check this just by having them mount the home drive a local login, it should just prompt for credentials and if everything was right mount the drive.

Thanks. It's not a drive mapping problem. The user can smb to their network drive from another account or a local login. The user can get their drives from a pc when they login. The user can not login to any mac on campus.

Thanks, Chyrel

What happens if you try running the createmobileaccount binary from the command line? It might give you an error message that shines some light.

#!/bin/sh
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n [userid}.

Password with illegal characters (or created on a PC and doesn't macth the Mac keyboard)?

We have issues where a password will be acceptable to the domain, but fail on a Mac.

This is due to AD policy requiring complex characters not matching with the password profile options on macOS.

For example, AD requires two of either number, capital letter or special character but macOS requires a number, letter, and special character.

The fix is to either require Mac users have number, letter and special character or remove the min number of complex characters from macOS passcode requirement.

not sure if it helps, but we have been having this type of issue for a while now but is solved by making sure the user has an entry in the UNADGID field of AD, see the attached image where we made it 9000, which reflected other accounts of the same type

for some reason, this field is not populated for some accounts

We don't think it could be the illegal characters as we have a test account with those characters as a password and that account works. The user has also changed their password as a test to see if that would get it working and that has not resolved the issue.

As for the UNADGID field of AD, our system administrators cannot locate, and do not know about it, that in our AD.

Thank you all for your suggestions. We still have not resolved this issue.

@Chyrel What do you map your Directory utility AD Bindings to? eg, ours are mapped to this specific attribute. Sorry, I should have clarified, these would be site-dependent.
This is the attribute you should be looking for in the AD account. If you compare a working account with this one you might find a difference between them.
Usually, if someone can log into Windows but no Mac devices then it will be something in AD stopping them and it might have something to do with those specific AD attributes you set in the binding of Mac Devices. Especially if it is ALL macs and no-one has any of the same issues.

Worse case you might need to delete the AD account and re-create it. this should resolve the issue.