Network user account cannot log in

vertoau
New Contributor II

Our company is mainly a Windows environment, but we have taken on a single MacBook Pro with OS X 10.14.6. When it was initially set up I created a local administrator account, then a second admin account for the user, which I then bound to our Windows Active Directory network. For 6 months everything has worked fine until this past network password change. I'm not sure what the user did in the process, but we can no longer start the MacBook and have him just log in. We get password locked errors and have to try again in 15 minutes now. For him to get in, I have to log in as the local admin first, then log out, and then his password works. I can change his password from the Mac and it changes it in AD, but it still will not allow him to log in from startup.
I have tried unbinding, rebooting, binding, rebooting, and that has not fixed the problem.
I have tried resetting the keychain with the new password and that hasn't fixed it either. I've not had much exposure to MacBooks other than this one device, so please go easy on me with the troubleshooting ideas.

1 ACCEPTED SOLUTION

klindas
New Contributor II

Are you using FileVault by chance? It sounds like the FileVault password is out of sync. You may need to remove and then re-add the user to FileVault. The easiest way I've done this is through the Terminal (you could also turn off FileVault and then turn it back on, but that takes longer).

Log in with the local admin account and open a Terminal window.

1. Type sudo fdesetup list to verify who has the ability to unlock FileVault. The user should be in this list.
2. Type sudo fdesetup remove -user <UserName>, where <UserName> is the user's username without the brackets. You may need to provide the local admin password. The user will be removed from FileVault; type sudo fdesetup list again to verify.
3. Type sudo fdesetup add -usertoadd <UserName>, again with the user's username in place of <UserName>.
4. When it says "Enter the user name:", enter the local admin username.
5. When it says "Enter the password for user '<LocalAdminUsername>':", enter the local admin password.
6. When it says "Enter the password for the added user '<UserName>':", have the user enter their current AD password.

This should re-sync the passwords and let the user log back in.

To understand the issue (if it is, in fact, the issue I'm thinking of), the reason this is happening is because after bootup, when you enter credentials to log in, they are first used to unlock FileVault. When the user changed his password, he likely didn't use the Change Password feature in System Preferences > Users & Groups. This happens at my company a lot. The FileVault password then becomes out of sync with the network password. However once you log in with the local admin password, FileVault is then unlocked and the user is then able to log in and out as much as they wish until the machine is rebooted. I've had mixed luck with getting them back in sync by simply resetting the password in System Preferences. But the steps above usually always work.

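The steps in the accepted answer, collected into one script. This is an added example and not code posted in the thread; it uses fdesetup's -inputplist mode (the plist is fed on stdin, so neither password ends up in shell history, a process listing or a file on disk) instead of the interactive prompts. The account names localadmin and jsmith, the UUIDs and the sample fdesetup list output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: re-sync one user's FileVault
# unlock credential with fdesetup (remove, then add back), authorised by an
# existing FileVault-enabled local admin.
set -eu

# Constructed sample of `sudo fdesetup list` output: one "username,UUID" per
# line. Names and UUIDs are made up for this example.
SAMPLE_FDE_LIST='localadmin,7F3E1A2B-1111-4222-8333-444455556666
jsmith,7F3E1A2B-7777-4888-8999-AAAABBBBCCCC'

# fv_list_has LIST USER: succeed if USER is a FileVault-enabled user in LIST.
# Exact, literal match on the first field, so "jsmith" does not match "jsmithers".
fv_list_has() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF -- "$2"
}

# xml_escape STRING: escape the characters that would break a plist value.
# A password containing '&' or '<' would otherwise corrupt the XML fed to
# fdesetup. printf is a shell builtin, so the secret is not an argv of sed.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# fv_add_plist ADMIN ADMINPW USER USERPW: print the plist that
# `fdesetup add -inputplist` reads on stdin. Username/Password identify an
# existing FileVault user who authorises the change; AdditionalUsers lists
# the account being (re-)added with its current password.
fv_add_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$3")</string>
            <key>Password</key>
            <string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# read_secret PROMPT VAR: prompt on the terminal with echo turned off.
read_secret() {
    printf '%s' "$1" >/dev/tty
    stty -echo </dev/tty; read -r _secret </dev/tty; stty echo </dev/tty
    printf '\n' >/dev/tty
    eval "$2=\$_secret"; unset _secret
}

# fv_resync_user ADMIN USER: remove USER from FileVault and add them back,
# authorised by ADMIN. Only meaningful where fdesetup exists (macOS).
fv_resync_user() {
    admin=$1; user=$2
    command -v fdesetup >/dev/null || { echo "fdesetup not found; run this on the Mac" >&2; return 2; }
    before=$(sudo fdesetup list)
    if fv_list_has "$before" "$user"; then
        sudo fdesetup remove -user "$user"
    else
        echo "$user was not FileVault-enabled; adding without removing" >&2
    fi
    read_secret "Password for FileVault user $admin: " adminpw
    read_secret "Current (AD) password for $user: " userpw
    fv_add_plist "$admin" "$adminpw" "$user" "$userpw" | sudo fdesetup add -inputplist
    unset adminpw userpw
    after=$(sudo fdesetup list)
    fv_list_has "$after" "$user" || { echo "$user still missing from fdesetup list" >&2; return 1; }
    echo "$user re-added to FileVault; reboot and test at the pre-boot login screen"
}

# Usage on the Mac, from the local admin's session:  sh fv-resync.sh localadmin jsmith
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
    fv_resync_user "$1" "$2"
fi
```

The check at the end only proves the user is back in the FileVault list; the real test is a reboot, where the AD password has to unlock the disk at the pre-boot screen. Passwords containing &, < or > are XML-escaped before they go into the plist, because a raw one would be rejected by the plist parser or, worse, stored as something other than what the user typed and leave the credential out of sync again.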

3 REPLIES

merps
Contributor III

Sounds to me like the user account is fine but the FileVault password has gotten out of sync. At boot, the first password set for this user on the Mac probably still works.

vertoau
New Contributor II

Thank you klindas your instructions were correct and worked perfectly.