Solved

Sierra AD Account Lockout when setting up iCloud

  • September 20, 2016
  • 210 replies
  • 815 views


  • Contributor
  • December 15, 2016

I too can confirm that 10.12.3 beta seems to have fixed the account lockout issues.


  • Valued Contributor
  • December 15, 2016

10.12.3 seems to fix the issue in my shop too!


  • Honored Contributor
  • December 15, 2016

10.12.3b1 appears to have fixed this in our environment as well! w00t w00t!


  • New Contributor
  • December 16, 2016

I just want to pile on with the confirmations. I installed 12.3 Beta 1 yesterday afternoon and ever since, failedLoginCount has displayed zero. I dump it every minute to a log file. Looks good.

Hopefully we won't have to wait too long for this update to go live.


  • New Contributor
  • December 22, 2016

Does anyone know where I can get 10.12.3 beta? Two of my users are having the same issues. Thanks.


  • Valued Contributor
  • December 22, 2016

You need to have a registered developer account or be in the AppleSeed program.


  • Honored Contributor
  • December 22, 2016

@sjit I would not apply beta builds to general population users... for IT eyes only!


donmontalvo
  • Hall of Fame
  • December 22, 2016

Pretty sure Apple's NDA prohibits non-participants from installing the Beta. However, Apple Enterprise have blessed applying a Beta build on an affected user, for troubleshooting purposes. The caveat was to clone the affected computer so it isn't a production/business use computer.


  • New Contributor
  • December 22, 2016

So it looks like even after I signed out of iCloud services, one of my users still keeps getting locked out. I did notice iMessage is still signed in even after I signed out of iCloud. Should I sign out of that as well? Other than this, I really can't figure out what is triggering the lockout.


  • New Contributor
  • December 23, 2016

Also ran 10.12.3 beta. It is working. No bad password counts. Can't wait for the update. :-)


  • Valued Contributor
  • January 5, 2017

When is this update coming out?


  • Author
  • Valued Contributor
  • January 5, 2017

@jalcorn most of us with open cases have been told we will probably see the update in January, but even with that I've been told that's not a guarantee. I imagine (this is pure speculation based on past experiences, not inside knowledge, so I could be entirely wrong) that we'll see at least 1 or 2 more beta builds before a GM public release of 10.12.3.


  • New Contributor
  • January 11, 2017

While we wait for a public 10.12.3 release, has anyone found an effective workaround for this problem? I've tried the "Do not require Kerberos preauthentication" setting on AD accounts without luck.

Thanks to everyone who has contributed to this thread, to help work through a frustrating issue!


  • Honored Contributor
  • January 11, 2017

Honestly I just created an "Un-bind" item in Self Service and am having users unbind until the issue is resolved. No AD connectivity, no lock outs. There is an existing "AD Re-Bind" option so they can hop back on at the drop of a hat if needed for any purpose.


  • Contributor
  • January 11, 2017

How did you create the "un-bind"?


  • Honored Contributor
  • January 11, 2017

#!/bin/sh

# Force-remove the AD binding; the username and password are placeholders, as posted
dsconfigad -force -remove -u notarealuser -p notarealpassword

mscottblake
  • Honored Contributor
  • January 12, 2017

We created a fine-grained password policy for users in an AD security group that raises the lockout limit to 15.


  • Valued Contributor
  • January 16, 2017

A little light at the end of the tunnel?

As of 01/13/2017 - 10.12.3 will be available to users "in the coming weeks" - Consumer Reports

This update will also address the 2016 MacBook Pro battery issues.

Hold your breath a little longer!


  • Valued Contributor
  • January 17, 2017

@hkabik could you provide your script on "AD Re-Bind" that you have in self service?

thank you in advance!


  • Honored Contributor
  • January 17, 2017

You could use the built-in bind function of the JSS for the policy, but I do use a script (altered to remove private info; if you're unfamiliar, the first half of the script is providing the username and password of the bind account with encrypted strings):

#!/bin/sh

# Decrypt a base64 string: $1 = encrypted string, $2 = salt, $3 = passphrase
DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# $4 and $5 are the encrypted bind account username and password, passed in as policy script parameters
USERNAME=$(DecryptString "$4" 'numberstring' 'numberstring')
PASS=$(DecryptString "$5" 'numberstring' 'numberstring')

# Bind to AD with mobile accounts enabled and the listed groups as local admins
dsconfigad -f -add DOMAIN.COMPANY.local -username "$USERNAME" -password "$PASS" -computer "$(scutil --get ComputerName)" -mobile enable -mobileconfirm disable -useuncpath disable -protocol smb -groups "domain admins,enterprise admins,DOMAINCOMPANY IT Workstation Admins" -alldomains disable

# Replace the "All Domains" search path with the specific domain for authentication and contacts
dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
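
Added example (not part of the original post or the poster's script): the post above shows only the decrypt half of the encrypted-strings approach. This sketch adds a matching encrypt step with the same openssl options and shows where each piece of the secret ends up; the function names and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are constructed.

# Encrypt $1 with salt $2 (hex digits) and passphrase $3.
# Prints the ciphertext as a single base64 line (-a -A).
encrypt_string() {
    printf '%s' "${1}" | openssl enc -aes256 -a -A -S "${2}" -k "${3}"
}

# Same openssl call as the DecryptString function in the post above.
decrypt_string() {
    echo "${1}" | openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# Fresh random salt (8 bytes, hex) and passphrase (12 bytes, hex).
new_salt() { openssl rand -hex 8; }
new_passphrase() { openssl rand -hex 12; }

SALT=$(new_salt)
PASSPHRASE=$(new_passphrase)
ENCRYPTED=$(encrypt_string 'constructed-bind-password' "${SALT}" "${PASSPHRASE}")

# The ciphertext is what gets passed to the script as a policy parameter;
# the salt and passphrase are the two literals hard-coded in the script.
echo "Parameter value (ciphertext): ${ENCRYPTED}"
echo "Script literals: salt=${SALT} passphrase=${PASSPHRASE}"
echo "Round trip: $(decrypt_string "${ENCRYPTED}" "${SALT}" "${PASSPHRASE}")"

# Caveats for whoever maintains this:
# - Anyone who can read both the script (salt, passphrase) and the policy
#   parameter (ciphertext) can recover the password, so restrict access to
#   both and give the bind account only the rights it needs to join machines.
# - The passphrase is passed with -k on the command line, so it is visible
#   in the process list while openssl runs.
```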

  • Author
  • Valued Contributor
  • Answer
  • January 23, 2017

WE DID IT! Finally! I can't believe they actually included details about this bug in the release notes; I thought for sure the issue would fall under the "improves the stability..." umbrella. Thanks to everyone who opened a case and helped bring attention to it!

https://support.apple.com/en-us/HT207462


  • Honored Contributor
  • January 23, 2017

  • Valued Contributor
  • January 23, 2017

@dgreening

Any link to the combo update?


AVmcclint
  • Esteemed Contributor
  • January 23, 2017

I just confirmed that the AD account lockouts caused by putting the computer to sleep and waking up have stopped after installing 10.12.3. YAY!


  • Contributor
  • January 23, 2017

I've become so jaded over this mess I'm skeptical! lol

but I'm glad Apple finally addressed this debacle...