Only one user cannot logon to all macs, but user can logon to all pcs

New Contributor

What would cause one person, and only one person's, login credentials to allow them to logon to any pc, but not allow that same person to logon to any mac, in an AD environment?

In addition, if you unplug any mac from the network and that same person (who has previously has logged onto that mac and has a mobile account created), CAN logon to the mac. Once you plug the network cable back into the mac, that person can not perform a basic task such as turning off the screen lock in system preferences. (as a task like this asks for the users credentials). That user can perform this task if not plugged into the network. (this is not an admin action. Any standard user can perform this task) The user can do tasks as long as the computer is not plugged into the network.

These macs can either have jamf installed or not have jamf installed. One mac we wiped out and immediately bound it to our domain.

The os's are from El cap to Mojave.

I ran verbose logging on a mac and surprisingly, there are no errors when it fails.It does have errors when another user tries to login with an invalid password. The domain controller has no errors when this user fails the login attempt. The mac just shakes its head no. It fails between 3-4 seconds. A user trying to login with an invalid account or password fails in about a minutes time.

How would you go about denying one persons login from logging in to macs only?


Valued Contributor III

There actually is a deny list somewhere in JAMF from memory (maybe in the AD binding part), so first place to check is there, I believe it can contain both users and groups. You can also set deny in a configuration profile under Login Window.
To me it sounds more like an AD issue of some type with the users account maybe a field that has an invalid value that is upseting macOS, there are a few things that are interpretted slightly different than Windows. I'd compare their AD record with one as close as possible in role that was known to work.

New Contributor

NTFS permissions on the parent share of the users network home folder can also cause login problems. Just a thought. Maybe they're missing a group membership that everyone else is in perhaps?

New Contributor II

One thing that we run into in our environment is that we have a tech that is unable to log in with his ID on a newly imaged machine... After investigation, it turns out that there is an identical ID in a different domain which is disabled.

Valued Contributor III

I would make sure that the user has a UID/GID configured in AD if you are mapping those attributes, since their absence will cause this behavior. I've also seen AD home drive mappings fail, and cause the logon to fail. I'd check those against other users for irregularities.

Contributor II

Is there a configuration profile present? There is an option to deny users and usergroups under the LoginWindow payload:


New Contributor

Hello everyone. Thank you for your help. Though it is still not fixed. I appreciate your suggestions. Some of the macs are not in JAMF and still deny the one user. One mac we wiped out and immediately bound it to our domain with no extra software, and no JAMF. This one also deny's this one users login. We do not have a configuration profile that deny's anything or anyone. But it was good to check. We've compared the affected user's profile to another's profile and I was told that the affected users AD profile has more rights than the comparable users profile and it would not adversely affect the non-working users login privileges.
There is no second ID with the same name of the profile.

All of these suggestions were great, but we still have this problem. This user has been using their login for 14 years. This happened all of a sudden.

Thank you so much for your help!

Valued Contributor III

Did you check permissions on their AD home drive? Possibly try reapplying them just to be sure. You could probably check this just by having them mount the home drive a local login, it should just prompt for credentials and if everything was right mount the drive.

New Contributor

Thanks. It's not a drive mapping problem. The user can smb to their network drive from another account or a local login. The user can get their drives from a pc when they login. The user can not login to any mac on campus.

Thanks, Chyrel

Valued Contributor

What happens if you try running the createmobileaccount binary from the command line? It might give you an error message that shines some light.

/System/Library/CoreServices/ -n [userid}.

Contributor III

Password with illegal characters (or created on a PC and doesn't macth the Mac keyboard)?

Contributor III

We have issues where a password will be acceptable to the domain, but fail on a Mac.

This is due to AD policy requiring complex characters not matching with the password profile options on macOS.

For example, AD requires two of either number, capital letter or special character but macOS requires a number, letter, and special character.

The fix is to either require Mac users have number, letter and special character or remove the min number of complex characters from macOS passcode requirement.

Contributor II

not sure if it helps, but we have been having this type of issue for a while now but is solved by making sure the user has an entry in the UNADGID field of AD, see the attached image where we made it 9000, which reflected other accounts of the same typeb82f300c8e634468b4e54b724f5eac24

for some reason, this field is not populated for some accounts

New Contributor

We don't think it could be the illegal characters as we have a test account with those characters as a password and that account works. The user has also changed their password as a test to see if that would get it working and that has not resolved the issue.

As for the UNADGID field of AD, our system administrators cannot locate, and do not know about it, that in our AD.

Thank you all for your suggestions. We still have not resolved this issue.

Contributor II

@Chyrel What do you map your Directory utility AD Bindings to? eg, ours are mapped to this specific attribute. Sorry, I should have clarified, these would be site-dependent.
This is the attribute you should be looking for in the AD account. If you compare a working account with this one you might find a difference between them.
Usually, if someone can log into Windows but no Mac devices then it will be something in AD stopping them and it might have something to do with those specific AD attributes you set in the binding of Mac Devices. Especially if it is ALL macs and no-one has any of the same issues.

Worse case you might need to delete the AD account and re-create it. this should resolve the issue.