I'm working on upgrading some MBAs and I have a policy that creates a new standard user which the students can use. I have the Macs joined to an AD and I thought, just to test, I should try to log in as the student account. It fails. I know it's not the password since I reset it. Weird thing is that if I make the account an administrator then it allows me to log in?!?! I then remove the admin rights and reboot and it goes back to failing. Any ideas?
Hey dlondon, thanks for replying!
Here is what I've done so far:
I removed the account and then ran the policy again on the computer (after first changing the password in the policy) to create it again.
If I create another standard user (I created one with the name TEST) it also fails to log in.
I booted to recovery mode and used the change password terminal command and changed it there. I also ran First Aid on the Drive and Volumes.
I reset the PRAM and SMC (No T2 chip, 2015 MacBook Air).
The computers are joined to a domain, I have a student test account in the AD which works, I can log in using it.
I have a local admin account also set up through Jamf and it works.
There are no Mobile Accounts.
I'll try your suggestion next and let you know how it goes.
The local standard account for the students is called Student1
I ran the terminal command: id student1 and it came back with: no such user. I ran the same command on my AD student test account and it comes back with a bunch of information.
I couldn't believe that it came back with no such user so I opened Users & Groups in sys prefs and the account is definitely there.
I'm using 10.15.7 with security update 2021-004 if that helps.
You might check out this great little app that I use for tricky tasks like creating Mac accounts. It successfully creates non-domain local users (admin or standard), gives you advanced settings on them, and works well. You can then just push out the user as an install package:
Make sure you're using an available User ID (UID). You can show the existing visible local ones (not AD) with this:
dscacheutil -q user | grep -A 3 -B 2 -e uid:\ 5'[0-9][0-9]'
You could lower the UID number if you need to look at the built-ins, and UIDs below 500. First admin accounts usually start with 501.
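The UID check suggested above, extended to flag any UID shared by two accounts and to report the next free one. This is an added example, not code from the thread; the function names uid_audit and sample_records and the sample records are constructed for illustration.

```shell
# Audit UIDs in `dscacheutil -q user` output read on stdin. Prints
# "DUPLICATE <uid> <names>" per shared UID, then "NEXT_FREE <uid>" (lowest unused >= start).
uid_audit() {
    start="${1:-501}"
    awk -v start="$start" '
        $1 == "name:" { name = $2 }
        $1 == "uid:"  {
            uid = $2 + 0
            if (uid in owner) { owner[uid] = owner[uid] "," name; dup[uid] = 1 }
            else              { owner[uid] = name }
        }
        END {
            for (u in dup) print "DUPLICATE", u, owner[u]
            n = start + 0
            while (n in owner) n++
            print "NEXT_FREE", n
        }'
}

# Constructed sample in dscacheutil record layout (not taken from the thread's Mac).
sample_records() {
    cat <<'EOF'
name: localadmin
password: ********
uid: 501
gid: 20
dir: /Users/localadmin
shell: /bin/zsh
gecos: Local Admin

name: student1
password: ********
uid: 502
gid: 20
dir: /Users/student1
shell: /bin/bash
gecos: Student1

name: test
password: ********
uid: 502
gid: 20
dir: /Users/test
shell: /bin/bash
gecos: TEST
EOF
}
# On a Mac: dscacheutil -q user | uid_audit 501
sample_records | uid_audit 501
```

Run it before an account-creation policy assigns a fixed UID; a DUPLICATE line means two records claim the same UID and the policy's value should be changed to the NEXT_FREE one.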