OT: Local standard accounts can't login after binding to AD

cwaldrip
Valued Contributor

I'm new to AD on the Mac, so maybe I'm missing something.

Local standard (i.e. non-admin) accounts can't seem to log into a machine after it has been bound to the domain. It doesn't matter how I bind the machine either - Casper or manually using Directory Utility.

The standard account works fine before I bind the machine. But after I bind the machine the user can't log in. If I remove the machine from the domain I still can't log in with the standard account.

Local admin accounts work. And I can su to a local standard user account.

I've checked Directory Utility and the search policy order is set with /local/default as the top option (can't change that I don't think).

Am I just missing something about local standard user accounts on machines bound to AD?

1 ACCEPTED SOLUTION

cwaldrip
Valued Contributor

And the answer is...
"Local-only users may log in" was not selected.

Which makes sense I guess. Without being checked admin users can still log in, which confused the issue. I was thinking that this would disallow network users from logging in - reading it as 'only allow local users to log in'.

Ta-dah! Grumble grumble grumble stupid admin.

10 REPLIES

bentoms
Release Candidate Programs Tester

@cwaldrip is the local user account's short/user name the same as an AD account's?

davidacland
Honored Contributor II

Joining AD on a Mac shouldn't stop this from working. It just gives the Mac an additional source of users to check against when you enter a name and password at the login window.

The only scenario I can think of is that there is another user with the same name in AD and the login window is getting mixed up. As you saw in Directory Utility, OS X just works its way through the authentication list in order, although I have seen lots of odd symptoms if the same short name exists in two directories the Mac is joined to (i.e. local and AD).

There is also an available config profile in Casper that can restrict which users can log in. It's probably not that but worth ruling out anyway.
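
A quick way to rule out the short-name collision described above is to ask each directory node on the search path whether it holds a record for the name, in the order the login window consults them. The script below is an added example, not something from this thread or from Casper; it reads the search path with `dscl /Search -read / CSPSearchPath` and checks each node with `dscl <node> -read /Users/<name>`, and when `dscl` is unavailable (or `DSCL_SAMPLE=1` is set) it falls back to constructed sample data in which `testuser` exists both locally and in an assumed `/Active Directory/EXAMPLE/All Domains` node.

```sh
# Added example (not from the thread): find every directory node on the Mac's
# search path that answers for a short name. More than one source means the
# login window may resolve the name to a different account than you expect.

# Constructed sample of `dscl /Search -read / CSPSearchPath` output.
SAMPLE_SEARCHPATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/EXAMPLE/All Domains'

# Constructed sample records, "node<TAB>shortname", standing in for dscl lookups.
SAMPLE_RECORDS=$(printf '/Local/Default\ttestuser\n/Local/Default\trumple\n/Active Directory/EXAMPLE/All Domains\ttestuser')

# Use the real dscl only when present and not explicitly disabled via DSCL_SAMPLE=1.
live_dscl() { [ "${DSCL_SAMPLE:-0}" = 0 ] && command -v dscl >/dev/null 2>&1; }

# Print the directory nodes in the order the login window consults them.
search_nodes() {
    if live_dscl; then raw=$(dscl /Search -read / CSPSearchPath)
    else raw=$SAMPLE_SEARCHPATH; fi
    # Node lines sit one-space-indented under the "CSPSearchPath:" header.
    printf '%s\n' "$raw" | sed -n 's/^ //p'
}

# Succeed if node $1 holds a user record with short name $2.
user_in_node() {
    if live_dscl; then dscl "$1" -read "/Users/$2" RecordName >/dev/null 2>&1
    else printf '%s\n' "$SAMPLE_RECORDS" | grep -qxF "$(printf '%s\t%s' "$1" "$2")"; fi
}

# Print every node that has a record for short name $1, in search order.
name_sources() {
    old_ifs=$IFS
    IFS='
'
    for node in $(search_nodes); do
        user_in_node "$node" "$1" && printf '%s\n' "$node"
    done
    IFS=$old_ifs
}

# Number of nodes that know the name; anything above 1 is a collision to fix.
collision_count() { name_sources "$1" | grep -c .; }

# Report for the two names tried in the thread.
for name in testuser rumple; do
    printf '%s: %s source(s)\n' "$name" "$(collision_count "$name")"
done
```

Run it on the bound Mac as `sh check.sh`; a name reported with two or more sources is the case to investigate before looking at profile settings.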

cwaldrip
Valued Contributor

Good points about the local username possibly being identical to a domain account. But I can't find any in the system. I thought I'd test an unlikely username (rumple) and that's not in the system either, but also didn't work.

I'm trying to grep the console log when a local account tries to log in and see if there are any clues there.

Update: And all I see in the console when I try and log in with a local standard account is...

5/26/15 5:24:54.295 PM SecurityAgent[1515]: User info context values set for testuser

cwaldrip
Valued Contributor

On a lark I decided to remove my test machine from the Casper system. Lo and behold... standard users can log in now. >.< So, I guess it is a Casper issue... and by Casper issue I mean Casper Administrator (me) issue. Off to look at my config prefs and managed prefs and stuff. I saw the log in restriction profile setting, but that's not configured. Nor does anything else seem to be the culprit. But trial and error is my next step. Grrr.

bentoms
Release Candidate Programs Tester

@cwaldrip Good detective work there sherlock!

We've all done stuff the same, so good on you for owning up!

ctarbox
Contributor II

I've been looking all over the JSS to find out where the 'Local-only users may log in' is so I can enable it. Can someone please point me in the right direction?

Thanks!

davidacland
Honored Contributor II

@ctarbox it's in the Login Window payload for macOS configuration profiles:

ctarbox
Contributor II

NVM. I found it!

ctarbox
Contributor II

Yes, I just figured out where it was. Thanks for the quick reply, and now the location is posted for others.