Mac is bound to AD, but users can't log in

agerson
New Contributor III

We have a fleet of over 850 Macs. 99% of them operate just fine when bound to AD. However, every couple of weeks one stops allowing AD users to log in. The machine shows as bound to AD and the computer record for it exists in AD but the command

id someUsername

returns "No such user" for all AD users. Unbind and rebind fixes it.

What could cause a machine that was working and shows as currently bound to AD to stop being able to actually log users in and verify their existence? How can I troubleshoot it when it happens again?

spotmac
New Contributor III

Hey, I have this issue also with losing AD bind, and dsconfig still says I am bound to AD.
I use an EA to check if the computer is connected to Active Directory.

To date I don't know what the reason for this problem is.

#!/bin/bash

orgdomain="my.domain.corp.net"

# Check that a DC for the domain answers (-o: stop after the first reply).
# The target must be orgdomain; domain is only set further down.
ping -c 3 -o "${orgdomain}" > /dev/null 2>&1

# If the ping was successful
if [[ $? == 0 ]]; then
    # Check the domain returned with dsconfigad
    domain=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
    # If the domain is correct
    if [[ "$orgdomain" == "${domain}" ]]; then
        # Check the id of a user (output suppressed, only the exit status matters)
        id -u ADUSERAccount > /dev/null 2>&1
        # If the check was successful...
        if [[ $? == 0 ]]; then
            echo "<result>Bound Correctly</result>"
        else
            # If the check failed
            echo "<result>Cannot communicate with AD</result>"
        fi
    else
        # If the domain returned did not match our expectations
        echo "<result>Incomplete bind</result>"
    fi
else
    echo "<result>Not in range of a DC</result>"
fi

exit 0

MikeMcD
New Contributor II

I've run into the same thing running 10.13.6 on random machines. Rebind always fixes it. We bind with a config profile.

mschroder
Valued Contributor

The Macs that are bound to AD need to re-sync their passwords with AD from time to time. When they fail to do so (e.g. because they have been off or sleeping for too long) they cannot talk to the domain controller anymore, and users cannot log in.

When this happens the Users & Groups Pref Pane shows the Mac as bound to your Network Account Server, but the line that should show whether or not network accounts are allowed to log in is not present.

This was the most frequent reason for 'bound but not working' Macs. The fix consists of unbinding and rebinding in that case. Prevention: regular use or not allowing Mac to sleep.
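
An added example (not spotmac's EA and not Apple code) that combines the EA posted above with the re-sync explanation: it keeps the "dsconfigad says bound, yet AD users fail" state distinct from a dead DC or a wrong domain, and reports the computer-password change interval from dsconfigad -show. orgdomain and testuser are placeholders, and sample_show is constructed text standing in for real dsconfigad output.

```shell
#!/bin/bash
# Added example for this thread (not spotmac's EA, not Apple code): an EA
# that keeps the "dsconfigad says bound, yet AD users fail" state distinct
# and reports the computer-password change interval that the re-sync theory
# points at. Placeholders: orgdomain, testuser. Field labels are the ones
# dsconfigad -show prints as "  Label  = value".

orgdomain="my.domain.corp.net"   # placeholder: your AD domain
testuser="ADUSERAccount"         # placeholder: an AD account that must resolve

# Extract one labelled value from dsconfigad -show text read on stdin.
ad_field() {
    awk -v key="$1" -F ' = ' '$1 ~ key {
        sub(/^[ \t]+/, "", $2); sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Constructed sample of dsconfigad -show output, for offline checks only.
sample_show='You are bound to Active Directory:
  Active Directory Forest          = my.domain.corp.net
  Active Directory Domain          = my.domain.corp.net
  Computer Account                 = mac0042$
Advanced Options - Administrative
  Password change interval         = 14'

# Turn the observations into one EA result.
#   $1 ping exit status  $2 domain from dsconfigad  $3 id exit status
#   $4 password change interval (days) from dsconfigad
classify() {
    ping_rc="$1"; domain="$2"; id_rc="$3"; interval="$4"
    if [ "$ping_rc" -ne 0 ]; then echo "Not in range of a DC"; return 0; fi
    if [ -z "$domain" ]; then echo "Not bound"; return 0; fi
    if [ "$domain" != "$orgdomain" ]; then echo "Incomplete bind: $domain"; return 0; fi
    if [ "$id_rc" -eq 0 ]; then echo "Bound Correctly"; return 0; fi
    # The thread's symptom: bound per dsconfigad, but AD users do not resolve.
    echo "Bound but AD users do not resolve (password change interval ${interval:-unknown} days)"
}

# Live run only where the binding tool exists, so the functions can be
# exercised elsewhere without touching a directory service.
if command -v dsconfigad >/dev/null 2>&1; then
    ping -c 3 -o "$orgdomain" >/dev/null 2>&1; ping_rc=$?
    show=$(dsconfigad -show)
    domain=$(printf '%s\n' "$show" | ad_field "Active Directory Domain")
    interval=$(printf '%s\n' "$show" | ad_field "Password change interval")
    id -u "$testuser" >/dev/null 2>&1; id_rc=$?
    echo "<result>$(classify "$ping_rc" "$domain" "$id_rc" "$interval")</result>"
fi
```

Paste it into a Jamf extension attribute as-is; on a Mac it prints one result line, and the "do not resolve" case is the one the thread is about.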

spotmac
New Contributor III

I am not sure if it's a problem with re-sync.
The default domain policy setting configures domain-joined computers to update their passwords every 30 days.
All my clients are connected every day and also the computer object was updated in AD.

MikeMcD
New Contributor II

Thanks for the info @mschroder. We do leave our iMacs on later into the evening as that's when we pull some of our policies (outside 9-5). I'll look into the sleep issue and see if that solves it.