Posted on 10-27-2017 07:43 AM
I have a test machine bound to AD using the native tools and I am VPNing into my network. I have created a mobile account on the machine while attached to the VPN. The account shows up in Directory Utility under local users and shows all the AD parameters. It shows up in Users & Groups as "Mobile, Managed". If I restart to log in, the account just shakes at me, which tells me that the account has not cached the network credentials yet. I have also made the account an admin from the command line.
What I am trying to do is, while using a local admin account on this same machine and staying on the VPN, log into the newly created account to finish the account creation. The mobile account I created has its home directory, but I cannot log into it yet because the credentials have yet to cache. If I attempt from the terminal to do a login as that user, it will not accept the password. I have tried SSHing via loopback and that also does not work; it keeps asking for my password.
Posted on 10-27-2017 10:30 AM
Just a thought, but can you try making a user directory on a machine on your network, copy the entire thing to the target machine and then chmod/chown it with the local credentials?
Posted on 10-27-2017 11:17 AM
What has always worked for me was logging in with a local account, connecting to the VPN, then user-switching and performing a login with the network account at the login window. The VPN stays active and the account is created/cached as normal.
That probably won't work for all VPNs.
Posted on 10-27-2017 01:43 PM
Alternately, log into an existing account, start the VPN, and in Terminal run:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vn directoryusername -P
You'll be prompted for your password, then that of the directory user. After that, their password is cached and they can log into the GUI with or without VPN.
If a mobile account is already built, the process is even simpler:
login directoryusername
If the rest of the structure for a mobile account is there, logging the person in on the command line while communicating with the directory server will cache the password.
Posted on 10-30-2017 09:03 AM
I have been doing the following while on VPN
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vn directoryusername -P
to create the account
I made the newly created AD account an admin using
sudo dscl . -append /Groups/admin GroupMembership directoryusername
When I attempt to do the login directoryusername while on the VPN, I am getting back:
login directoryusername
Login incorrect
When I restart and attempt to log in, I get the spinning gear for a while and then the login shakes at me. Somehow the mobile account is not retaining the cached credentials for first login without the VPN, nor is it allowing me to log in from the terminal.
Posted on 10-30-2017 09:49 AM
Don't use dscl . -append to add an account to the admin group. You should be using dseditgroup:
sudo dseditgroup -o edit -a directoryusername admin
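A diagnostic for the situation described in this thread (mobile account exists but the first offline login fails), added here and not from any poster: a mobile account record carries ;LocalCachedUser; in its AuthenticationAuthority, and a ;ShadowHash; entry appears only once the password has been cached locally, so checking for both tells you whether the account will authenticate without the VPN. The live query and the dseditgroup membership check only work on a Mac; the classifier itself is plain POSIX sh and the sample strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether a local account is an
# AD mobile account and whether its password hash has been cached.
# Assumed AuthenticationAuthority conventions from dscl output:
#   ;LocalCachedUser;  -> mobile account record exists
#   ;ShadowHash;       -> password cached locally (offline login possible)

# classify_auth_authority <AuthenticationAuthority text>
# Prints: not-mobile | mobile-no-cached-password | mobile-cached
classify_auth_authority() {
  aa=$1
  case $aa in
    *";LocalCachedUser;"*) mobile=1 ;;
    *) mobile=0 ;;
  esac
  case $aa in
    *";ShadowHash;"*) cached=1 ;;
    *) cached=0 ;;
  esac
  if [ "$mobile" -eq 0 ]; then
    echo not-mobile
  elif [ "$cached" -eq 0 ]; then
    echo mobile-no-cached-password
  else
    echo mobile-cached
  fi
}

# check_mobile_account <username>: queries the local directory node (macOS only)
# and reports cache state plus admin group membership.
check_mobile_account() {
  user=$1
  aa=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null) || {
    echo "no local record for $user"; return 1; }
  echo "$user: $(classify_auth_authority "$aa")"
  # checkmember is the read-only counterpart of dseditgroup -o edit
  if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
    echo "$user is a member of admin"
  else
    echo "$user is not a member of admin"
  fi
}

# On the Mac itself: check_mobile_account directoryusername
```

A result of mobile-no-cached-password matches the symptom in the thread: the record and home directory exist, but no password has been cached, so the login window cannot verify the user offline.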