Posted on 03-17-2014 08:51 AM
Hello,
I am trying to figure out why I am having a problem with the login window setting 'Name and password'. Our enrolled Macs are showing list of users at the login window, but are set to show name and password.
These Macs are joined to an ADS domain. As I understand it, domain bound Macs are supposed to show name and password at the login window. Ours do not.
In addition, the setting for 'Display login window as:' choices are greyed out. And it is set to Name and password.
I've also tried setting this through a Configuration, and MCX, and by writing to the com.apple.loginwindow plist, but nothing has changed. It still shows a list of users.
I added the extension attribute for Login Window - Username and Password Textboxes and the result I get back is:
Fail (Domain or Key Not Found)
I just set this attribute so I do not have results back from all systems, but so far, the one's that I do have the same result
Fail (Domain or Key Not Found)
Any suggestions for me?
Thanks.
Posted on 03-17-2014 09:38 AM
Are you using FileVault? Is it possible you're seeing the FileVault pre-boot authentication and not the OS login? The former is light grey, and pops up with just a couple seconds of powering on. The latter is dark grey, and takes a bit longer (depending on the model).
The FileVault screen is known to ignore the login window display preferences, and many of us have requested this particular enhancement from Apple.
Posted on 03-17-2014 09:44 AM
Sorry I should have mentioned that. No, the systems in question are not using FileVault. For testing I wiped two systems are reinstalled the OS. The third we just got from Apple. None are encrypted or have had FileVault enabled.
Thanks,
Aaron.
Posted on 03-17-2014 12:52 PM
How are you setting this preference? Configuration Profile? Managed Preferences? If you're enforcing this setting, what is the result of the following command:
defaults read "/Library/Managed Preferences/com.apple.loginwindow" SHOWFULLNAME
I suspect it's probably '0'/false. This is one command that many people often get confused because the setting itself is named in an ambiguous manner. You want to set this to 'true' in order to display username/password text boxes.
Posted on 03-17-2014 01:02 PM
Hi,
Well, first, I shouldn't have to set the preference upon binding to ADS as it is supposed to automatically be name and password. In addition, in System Preferences>Users & Groups it says it is set to Name and password. I did try to set it though, first I tried Configuration Profile, after that didn't work I tried MCX, and after than did work I tried writing the setting to the loginwindow plist file.
Output of the command you requested is '1'. But I still see the user list. And FileVault is not on.
Posted on 03-17-2014 01:29 PM
When you bind to ADS, it should change this setting to default to username/password dialog boxes, but it can still be changed back unless the setting is managed. It appears that something is trying to manage this setting, but the managed setting that you're reporting differs from the behavior you are seeing. Try running the following command to verify:
mcxquery -computerOnly
You should see an entry for "com.apple.loginwindow" and "SHOWFULLNAME" and it should be set to '1'. Also, check through any/all configuration profiles to make sure that this setting is not being set elsewhere. Make sure it's not set to true in one place and false in another.
Posted on 03-17-2014 01:43 PM
I have to catch my ride home soon but I will do this tomorrow morning. I will double check but I could not find anywhere I am setting this setting. It is confusing that this is happening.
Posted on 03-18-2014 05:14 AM
@Josh_S,
Result of command mcxquery -computerOnly:
{quote}
Error 'no data found' (-4584) running compositor for user: (null) group: (null) computer: = quote]
I re-ran the command defaults read /Library/Preferences/com.apple.loginwindows SHOWFULLNAME and result was '1'
Check my policies, Configurations, and Managed Preferences and could not find anything setting this value.
Even thought he value is already set I ran: sudo defaults write /Library/Preferences/com.apple.loginwindows SHOWFULLNAME 1 and then rebooted. No change, still see List.
Booted off recovery partition, formatted boot partition, and reinstalling OS. Before enrolling I will play round with the SHOWFULLNAME setting and see that changing the setting works. And then I will go from there.
I will also see if I can find anything (even though I have tried twice) in policy that could be interfering with this. SHOWFULLNAME is clearly set to 1 but it is not doing it so I don't really know what else is going on here that is altering this setting.
Posted on 03-18-2014 08:40 AM
If you're deploying configuration profiles, open them up with a text editor and look for "SHOWFULLNAME" or "loginwindow" and check all the settings. I'm obviously not 100%, but it "feels" like this could be the issue.
If the previous search turns up nothing, you've looked everywhere I would look. At this point, I would take things one step at a time. Image a machine. Bind to AD, but don't enroll with Casper so you don't get all of the management settings at once. Check relevant settings. Then I would start adding your configuration profiles one a time, manually, checking each time. Basically just walk the machine through the enroll process slowly, checking between each step to find what's controlling this setting. Casper itself won't change settings on the machine, but it will push down policies/managed preferences/configuration profiles that will.
It's tedious. But that really is the next step. If you had one machine doing this, I'd say it's an odd glitch. But if all your machines have this, some setting is getting pushed from somewhere.
Posted on 03-18-2014 08:46 AM
Thank you. I agree. I'm going to have to simplify and test at each step. Thanks, I'll post back if I find the issue.
Posted on 07-15-2014 06:51 PM
@aamjohns Hey did you ever get to the bottom of this? I have randomly been seeing this in my environment and it's driving me bananas! I have so many other things to do, I haven't had much time to dedicate to the hunt.
Posted on 07-16-2014 05:16 AM
@Kprice,
Hi, no I did not ever figure out what the problem is. It persists to this day. I've tried pretty much everything and no fix. I'd really like to figure out what is going wrong here. Thank you, Aaron.
Posted on 09-16-2014 03:47 PM
I just experienced this problem on a new Macbook Pro 15" (retina) after imaging.
First weird issue was it didn't bind to the domain (even though the thunderbolt-ethernet adapter was connected) so I had to do that manually.
Then, the login window settings were greyed out, it being stuck on "show list of users" instead of display name/password fields.
I am managing login window settings with a Managed Preference.
I'm not sure what actually ended up fixing it, but after I manually ran a Recon (sudo jamf recon) and rebooted, it had the correct login window settings.