Imaging Computers - Active Directory and Directory Utility

moojomoore
New Contributor III

Hello, we have been imaging computers here with 10.12.6 for quite some time now with success, and we went through a new batch of computers today to get ready for our 7th graders and have run into an AD issue. Anytime we log in we are getting an error stating that "You are unable to log in to the user account "student.name" at this time. Logging in to the account failed because an error occurred." We had not seen this message before we started to image these computers. We have been able to get them to work by unbinding and re-binding the computer, but that becomes a hassle when we have this many computers to do.

One thing that I noticed on these computers that fail to log in, they do not have directory utility on the computer. However, every computer we have imaged before grade 7 does have directory utility. We have not changed anything in our image, so I'm wondering if someone has some ideas of what we can do to resolve this issue or a workaround. My biggest concern is that by not having directory utility on the computer, it could bite us in the butt down the road. Our JSS is on 9.100.

Any help is greatly appreciated!

2 REPLIES

MacTool
New Contributor II

Did you check /System/Library/CoreServices/Applications/ for the Directory Utility?

Also, check the date and time on your re-imaged machines and make sure the date/time and time zone match your Active Directory Domain Controllers after imaging. You should be able to set the domain as the time server to ensure it's within the +/- 5 minute threshold for Kerberos authentication, if that's the issue. But if you're able to unbind and rebind, it might not be.
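The two checks in this reply (is Directory Utility present, and is the Mac's clock within the Kerberos skew window of the domain controller) as a post-imaging script. This is an added example, not code from the thread or from Jamf; the second Directory Utility path, the `sntp` output layout it parses, and the hostnames are assumptions you should confirm on your own build.

```shell
#!/bin/sh
# Post-imaging sanity checks for AD-bound Macs (added example, not from the thread).

# Kerberos rejects tickets when client and KDC clocks differ by more than 5 minutes.
KERBEROS_MAX_SKEW=300

# find_directory_utility PATH... : print the first path that exists as a directory
# (an .app bundle is a directory) and return 0; return 1 if none is present.
# The CoreServices path is the one named in the reply; /Applications/Utilities is
# where older macOS releases kept the app (assumption, verify on your image).
find_directory_utility() {
  for p in "$@"; do
    if [ -d "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# skew_ok OFFSET_SECONDS : return 0 when |offset| <= KERBEROS_MAX_SKEW.
# Accepts signed decimals such as "+0.012345" or "-299.5"; returns 2 on junk input.
skew_ok() {
  case "$1" in
    ''|*[!0-9.+-]*) return 2 ;;
  esac
  awk -v off="$1" -v max="$KERBEROS_MAX_SKEW" 'BEGIN {
    off += 0
    if (off < 0) off = -off
    exit ((off <= max) ? 0 : 1)
  }'
}

# parse_sntp_offset : read one line of `sntp <server>` output on stdin and print
# the signed offset in seconds. Assumes the ntp 4.2.8-style line macOS prints, e.g.
#   2017-09-05 08:00:00.123456 (-0500) +0.012345 +/- 0.001 dc01.school.example 10.0.0.5 s2 no-leap
# where the offset is the token right before "+/-". Prints nothing if not found.
parse_sntp_offset() {
  awk '{ for (i = 2; i <= NF; i++) if ($i == "+/-") { print $(i - 1); exit } }'
}

# check_dc_clock SERVER : query SERVER (a domain controller) with sntp, judge the
# skew, and report. Read-only: it never steps the clock. Return 0 ok, 1 too far, 2 error.
check_dc_clock() {
  line=$(sntp "$1" 2>/dev/null | tail -n 1) || return 2
  off=$(printf '%s\n' "$line" | parse_sntp_offset)
  if [ -z "$off" ]; then
    echo "ERROR: could not parse sntp output for $1"
    return 2
  fi
  if skew_ok "$off"; then
    echo "OK: clock offset ${off}s from $1"
    return 0
  fi
  echo "FAIL: clock offset ${off}s from $1 exceeds ${KERBEROS_MAX_SKEW}s (Kerberos logins will fail)"
  return 1
}

# Driver, only meaningful on a Mac. Replace dc01.school.example (placeholder) with
# a real domain controller; run from a Jamf policy after imaging.
if [ "$(uname 2>/dev/null)" = Darwin ]; then
  if du=$(find_directory_utility \
      "/System/Library/CoreServices/Applications/Directory Utility.app" \
      "/Applications/Utilities/Directory Utility.app"); then
    echo "OK: Directory Utility at $du"
  else
    echo "FAIL: Directory Utility.app not found on this image"
  fi
  check_dc_clock dc01.school.example
fi
```

If the skew check fails, `sudo systemsetup -setnetworktimeserver dc01.school.example` followed by `sudo systemsetup -setusingnetworktime on` points the Mac at the domain for time, which is what the reply suggests; keep the time zone consistent with the DCs too, since `sntp` compares absolute time but a wrong zone is the usual reason the displayed clock looks right while the offset is hours.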

MartinB
New Contributor II

We had a similar problem with AD logins on 10.12.6 imaged computers, too, and I'm not an AD expert. Our AD admin told me only that 'everything's working fine'. I only got it to work on macOS 10.12.6 for our environment by changing the following AD settings under 'Administrative' in the Directory Utility:

  • Check 'Prefer this domain server: <name.of your.domainserver>'
  • Uncheck 'Allow authentication from any domain in the forest'
    (Both settings can be configured in the 'Directory Bindings' setting under 'Computer Management' on the JSS).

  • Under 'Search Policy' remove 'All Domains' and replace it with your domain.

  • Test the connection under 'Directory Editor'. Some computers had to be unbound before and bound again with the new settings to get the login to work.
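The two 'Administrative' settings above correspond to the `-preferred` and `-alldomains` options of `dsconfigad`, and `dsconfigad -show` reports their current values, which makes it possible to audit a batch of Macs instead of opening Directory Utility on each. The script below is an added example, not MartinB's or Jamf's code; the field labels it parses are assumed to match what `dsconfigad -show` prints, and the domain and controller names are constructed placeholders.

```shell
#!/bin/sh
# Audit the AD binding settings MartinB changed, from `dsconfigad -show` text
# (added example, not from the thread). Run on a Mac as: dsconfigad -show | audit_ad_config

# ad_setting LABEL : read "LABEL = value" lines on stdin and print the trimmed value
# of the first line whose key equals LABEL exactly.
ad_setting() {
  awk -F'=' -v label="$1" '
    NF == 2 {
      key = $1; val = $2
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == label) { print val; exit }
    }'
}

# audit_ad_config : read `dsconfigad -show` output on stdin. Return 0 when a preferred
# domain controller is set AND forest-wide authentication is disabled; 1 otherwise.
# Field labels "Preferred Domain controller" / "Authentication from any domain" are
# assumed from dsconfigad's report format; confirm them against a real `dsconfigad -show`.
audit_ad_config() {
  text=$(cat)
  preferred=$(printf '%s\n' "$text" | ad_setting "Preferred Domain controller")
  anydomain=$(printf '%s\n' "$text" | ad_setting "Authentication from any domain")
  rc=0
  case "$preferred" in
    ''|'not set') echo "FAIL: no preferred domain controller set"; rc=1 ;;
    *) echo "OK: preferred domain controller is $preferred" ;;
  esac
  case "$anydomain" in
    Disabled) echo "OK: authentication limited to the bound domain" ;;
    *) echo "FAIL: authentication from any domain in the forest = ${anydomain:-unknown}"; rc=1 ;;
  esac
  return $rc
}

# remediation_command DC : print the dsconfigad invocation that applies both settings
# to an already-bound Mac (the Jamf 'Directory Bindings' payload can push the same values).
remediation_command() {
  printf 'sudo dsconfigad -preferred %s -alldomains disable\n' "$1"
}

# Constructed sample of a freshly bound Mac with the defaults (not real output):
SAMPLE_BAD='You are bound to Active Directory:
    Active Directory Forest          = school.example
    Active Directory Domain          = school.example
    Computer Account                 = lab-mac01$

Advanced Options - Administrative
    Preferred Domain controller      = not set
    Allowed admin groups             = not set
    Authentication from any domain   = Enabled
    Packet signing                   = allow'

# Constructed sample after applying the settings from the reply:
SAMPLE_GOOD='Advanced Options - Administrative
    Preferred Domain controller      = dc01.school.example
    Allowed admin groups             = not set
    Authentication from any domain   = Disabled'

echo "--- default binding ---"
printf '%s\n' "$SAMPLE_BAD" | audit_ad_config || remediation_command dc01.school.example
echo "--- hardened binding ---"
printf '%s\n' "$SAMPLE_GOOD" | audit_ad_config
```

The search policy item is separate from `dsconfigad`: `dscl /Search -read / CSPSearchPath` lists the current search path, so the same audit can confirm that the node for your domain, rather than "All Domains", is what the login window will consult. As the reply notes, changing these on an already-bound Mac does not always take effect until it is unbound and bound again.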
