Local user account on MAC locked out

NeilScholes
New Contributor II

Hello

I am having a reoccurring issue where students in a classroom when using JAMF Connect it states that their local account is locked out when trying to sign in.

If I find the MAC on JAMF Pro and go to Local user accounts and click manage on the locked out user I have the option to Unlock Account or Delete Account, the Unlock Account does not seem to unlock the user and the only method I have found that works is to Delete the account which is not ideal with student accounts who may not have backed up all their work.

Is there any other option or a script that could unlock that account?

Thank you

16 REPLIES 16

junjishimazaki
Valued Contributor

Since you use Jamf Connect, it's your IDP that it's connected to that controls the user's account. Can you unlock it from there?

NeilScholes
New Contributor II

Hello,

Sadly not, We use Connect with Azure and everything on Azure says the account is fine, they can log into a PC without any issues, they can use their mobiles to access outlook and Teams but the local account on the MAC is still showing as locked. I end up deleting their account from the MAC and then they can sign back in as it once again creates their local account on that MAC.

Thank you

junjishimazaki
Valued Contributor

That's very odd and doesn't make much sense since Jamf Connect which is configured with your Azure is what manages your user accounts even on Macs. Anyways, since you already deleted the account. Maybe next time booting to recovery mode and reset the user's password there. 

junjishimazaki
Valued Contributor

There is also this terminal command pwpolicy you can try on your own. 

pwpolicy -u USERNAME enableuser

If it works then you can create a script in Jamf and push the policy to the effected user's mac.

Thank you

I shall give the script a try and see if we have any luck, I have tried to reset the users password through recovery mode but when they try to sign in it still throws up the account is locked issue, they can sign into any other MAC in the classroom after been locked out of one with no issue it is that MAC only that will have an issue.

It is very frustrating lol

junjishimazaki
Valued Contributor

It seems your Jamf Connect isn't setup correctly if your IDP can't unlock the user's account on the computer. That's the whole point of using Jamf Connect is for your IDP to manage the user's account. My org uses Jamf Connect as well, and if the user's account gets locked out then we can unlock it from our IDP. Have you tested with another account when a user gets locked out?

I still have not had chance to try this as no one as locked them selves out, its just strange as it is MAC specific, they can use another MAC with no issue, it just appears to be that one MAC.

I have found that if I do the following they can sign in;
Reboot MAC in recovery mode
Go to terminal
In terminal enter resetpassword
Find the users account
Change password to match their password they use on Microsoft
Then restart the MAC and they can sign back in

-Cloud
New Contributor III

Hi @NeilScholes 

I am in the same boat as you, how does this work for you?

when I go into recovery menu I have to enter the user’s password to go any further or to display any other options but I only get the option to erase the Mac, choose WiFi network or forgot password - which I have done but no success.

 

Any help from yourself or anyone else for this issue will be grateful!

I just had Connect setup at work. On one of the Macs we used for testing, my Local account was locked. We used an admin account to reset the password of my user to match the one in MS/Azure. Worked as expected after that.  If the account is Mobile, I assume passwords are only handled through Azure. Maybe the recovery terminal reset still would work?

KMak84
Contributor

I am getting same issue
I have a number of Freelancers bouncing from machine to machine
The unlock command from Jamf does not do anything
What our Tech guys have to do is remote on > log in as Local Admin > then reset the account in question, to match the one in MS/Azure
Log out as local admin, they login all is good
But this is quite a hassle, is there something that

-Cloud
New Contributor III

We have had this issue twice already on two different Mac devices.  Both have not checked into JamfPro server for 2 months or so.

 

One way to get past this was to use the file vault encryption key found in jamfpro but because the Macs have not checked in for a while this was invalid.

 

the way @NeilScholes mentioned as above- to use terminal and reset password I cannot do as I still need to enter the user’s password who is locked out before getting any further in the Mac recovery environment.

 

so my only option was to rebuild the Mac which seems extreme for an account lock issue.  

Can anyone suggest otherwise?

Hi - I am writing to ask if you've found a solution to this issue. My employer has the same set up as what you described (jamf Connect & Azure), and I am facing the same exact issues (and have tried all the tricks mentioned here that you also tried). I have gotten locked out of two Macbooks at this point, without resolution. I appreciate any insight! 

-Cloud
New Contributor III

Hi, unfortunately not a solution really.

Just had to factory reset the Mac and start over.

MultiSiggloo
New Contributor II

You can use the FileVault Recovery Key from Jamf to unlock the disk and then run the "resetpassword" in terminal. 

-Cloud
New Contributor III

Not sure exactly why but the key was missing.  I can only think of because the Mac hasn’t checked into Jamf.

KMak84
Contributor

That I can understand

But my issue these are Desktops and they have been checking-in and not encrypted.