'Your Account Is Locked' After Big Sur Update

klindas
New Contributor II

We recently started our Big Sur pilot program so I lifted the upgrade restriction for a handful of my users. One of my users, after performing the upgrade via Software Update, is facing an issue where his AD-joined account is saying "Your account is locked" when trying to log in. He has 3 other local accounts on the machine that he can log into, but no luck with his main account.

The laptop is (was) domain bound and the account is a mobile admin account. The other accounts are local admins, so that is a difference.

I've tried an SMC reset, force unbinding the laptop, creating a new (post-upgrade) local admin account (per another forum). After these steps, attempts to switch user or use the Login window appear to authenticate, but then revert to the previous screen (either the previous user's desktop, or the Login window). Eventually the "Your account is locked" message returns. I tried sending the Unlock command via the account management section of Jamf. That appeared to do nothing.

I've read in other forums that it may be related to a password policy enforced via InTune (which we use for machine compliance) or a config policy in Jamf (which I haven't utilized). Although that makes me think I would see it on more than just one of the 12 pilot users. The next step I was thinking would be to convert it from a Mobile account, but that may be much more of a hassle than I'm anticipating, so I thought I'd post here to see if anyone else has come across this. TIA.

12 REPLIES 12

VintageMacGuy
Contributor

We have been seeing a similar issue, but it appears in a few different ways.

In some cases I can unlock the users account in JAMF through the account management section like you tried.

Other times we have to have them sign in with the Bitlocker recovery key.

And other times it seems to resolve if you hold the power button down to shut down, then start up again normally and the old password seems to work.

We have InTune also.

Have not found a cause. We notice that it seems to happen in waves of a few machines at a time, then nothing for a while.

VintageMacGuy
Contributor

This was also happening in Catalina.

chase_g
New Contributor III

I have run into similar issues on Catalina with users on local accounts. I have not been able to completely narrow down what causes it to happen. But it does appear to be related to the password policy config profile deployed, because on several systems after removing that config profile shortly after they were able to login in again. It doesn’t make sense since the password policy is deployed to 200 systems but only 5 or 6 users have run into this issue. I am wondering if it’s related to software updates being installed that need reboots/shutdowns and on start up don’t auto login properly or something?

VintageMacGuy
Contributor

I tried looking into the "locked" aspect a bit and the only thing I can find that relates on the JAMF side is the password policy section that mentions locking the account after x number of failed password attempts. But it doesn't appear that all of the cases are due to bad password entries. I was trying to see if there is something that may be attempting to enter a bad or null password multiple times automatically (like the keychain might do), and then locking out the account, unknown to the user and without their interaction.

I tried looking through logs and did not find anything conclusive.

klindas
New Contributor II

If it's a password policy, it's proving difficult to track down. There isn't one in Jamf, so the only thing I can think is a possible policy being pushed from our InTune configuration, but I'm told no password policy is enforced there either. At this point, I'm wondering if renaming / retiring the profile and recreating it will work, but since it's linked to AD, I'm not sure how that will fly.

kevin_v
Contributor

Still an issue

Knoxx
New Contributor II

We are seeing this in our Organization. So far just two Macs (Knock,Knock)
One mac running 10.15.7
One just upgraded to 11.3.1
We do not have a password policy config profile that we deploy to our MacBooks

![optional image ALT text](
12b2e4991c5b49c7b04e8f864e0adf8e
)

danny_hanes
Contributor

I don't suppose there is some way to disable the lockout all together?

FlippinTwit
New Contributor

I ran also in this Problem today - easiest fix for me was to convert the mobile account into a local account. Just delete the mobile account (don't delete his home folder) - rename the home folder to "whateverYouLike" and then create a new account with the "whateverYouLike" name and it takes over the home folder. Mobile accounts are just bad - but in the other hand the new local account isnt mdm-enabled so it doesn't get any user profiles (also not good in our environment).

Jamftechelp
New Contributor II

Tried to turn off the secureToken for mobile account and turn on. Recently I faced that issue and got resolved after re-enabled the secureTokenOn for Mobile account on Mac running on BigSur.

sysadminctl interactive -secureTokenOff username -password -
sysadminctl interactive -secureTokenOn username -password -

andrewfaircloug
New Contributor

have had this issue also, the Fastest way to resolve this i have found is the below. Works every time. and no DATA lost.

Removed User account, But kept the Home Directory the same.

Logged in as the users Network account to create this as new Account on the machine.

created mobile account.

then changed the new accounts Directory to then point to the old one.

Binzinz
New Contributor

Hello All, 

Jamftechelp's solution is working great. But I have more and more Mac users in my company who come to me for this issue, each time they change their password via their Outlook Web Access platform. 

Do you know how to face this ?

We are coming to a MDM solution, but not yet in place.

thanks