Active Directory Issues After Lion Upgrade

Discussion in 'Mac OS X Lion (10.7)' started by andrewbecks, Jul 20, 2011.

  1. andrewbecks macrumors member

    Oct 20, 2007
    Hello. I'm hoping someone here with a bit more experience than I have can assist.

    I upgraded to Lion this morning and everything seemed fine. When I attempted to login to my account (which is an Active Directory account) after the computer restarted, the Lion login screen had a little red dot that said "Network accounts are unavailable".

    Once I entered my username and password, and then attempted to login, I get a popup telling me that I need to reset my password:

    Reset Password
    You must enter a new password before you can
    log in to this account.

    After entering a new password and clicking the "Reset Password" button, the window shakes and nothing happens. I've tried many times to no avail.

    I was able to login to the machine with a local account. I then went into the System Preferences > Users & Groups > Login Options screen. There I saw that the Network Account Server had a GREEN dot next to it, indicating that everything was OK. However, after logging out and restarting my machine a few times, I still saw the red dot on the login screen and was unable to login. I've tried connecting via Wi-Fi and via Ethernet to no avail. I am connected to the domain with no issues.

    Can anyone offer me any assistance in terms of next steps? I'm at a loss here and don't know how to proceed.

  2. evilsurfincow macrumors newbie

    Jul 20, 2011
    I had the same problem with one of mine.. at home now so don't remember the exact fix.. but under active directory where you have the ... authentication and search paths... check and see if what you had before is there or not.. I had to re-add mine by clicking the + and then dragging it to the top of the list... now when I reboot, it's only red for a few seconds and then goes to green.. I'll see if I can get more specifics for you tomorrow when I'm at work.
  3. evilsurfincow macrumors newbie

    Jul 20, 2011
    ah ok so edit your directory account under Users > Login options. Then Open Directory Utility > Then Search Policy. Click the + under authentication and contacts and see if you can add anything.

    This fixed mine which was a 10.6 to 10.7 upgrade.
  4. andrewbecks thread starter macrumors member

    Oct 20, 2007
    Thanks for the suggestion. I checked and everything seems to be fine. It's even showing up as green except on the home screen. I spoke with Apple and they said it's not an issue with Lion, despite the fact that this was working until I ran the Lion installer.

    If you do have any additional information tomorrow, I'd greatly appreciate it. Thanks again!
  5. radzima, Jul 20, 2011
    Last edited: Jul 20, 2011

    radzima macrumors newbie

    Jul 20, 2011
    I'm at home and having the same issues, I can get in through a local admin account but my domain account (mobile, admin) can't log in. I keep getting the "Reset Password" dialog. I VPNed in to the office so I can access the domain via the local account and tried to switch users from there, no go.

    If I'm at the login screen I get the reset password, if I try to switch users, it just outright fails. With a lot of users due to be getting this update tomorrow, if Apple doesn't have an answer or insists it's not the Lion upgrade, my users will be pissed when I pull it from production.

    I also noticed that even though I'm at home, before I VPNed in, it showed network accounts _were_ available, definitely shouldn't have been.

    UPDATE: I disabled wireless and unplugged my cable... still shows network accounts available. I'm not even sure where to start on this one. Seems like a really deep OS flaw.
  6. collegetech macrumors newbie

    Dec 15, 2004
    We had the same problem here and found the fix today. After binding to the domain, when you go back to the directory utility you will notice the Apply button is greyed out. You need to click on the lock to lock the settings. Quit directory utility, and click on the lock for Users and Groups.
  7. radzima macrumors newbie

    Jul 20, 2011
    That wouldn't work for me since I was already bound to a domain not just trying to join.

    I spent the night figuring it out and piecing together other forum posts. It looks as though Lion destroys the permissions on the prefs used for AD auth.

    To fix this, I unbound from the domain, rebooted to the repair partition (command-r) and ran disk utility > repair permissions. Once that finished (there were a TON of fixed files), I logged back in as a local admin and rebound to the domain. From there everything was fine.

    Since this upgrade had worked so well on my other computer (personal, not bound to a domain) I checked the permissions on it and there were no issues. It looks as though the installer breaks permissions when it is bound to a domain.
  8. andrewbecks thread starter macrumors member

    Oct 20, 2007
    I couldn't agree more. I spoke to Apple and was escalated to a second-level support person. The support tech kept insisting that the issue was with the Active Directory server, suggesting that I delete my account from AD and recreate it.

    I tried explaining that he was incorrect and that the issue had to be with Lion--not with AD. I can access my AD account from Snow Leopard, from Windows, and even from other Lion machines in the office. Something happened during the upgrade on my machine.

    As a temporary solution -- certainly not ideal -- I ended up logging in as the root user, creating a new account, moving the home folder for the domain user to the new user's account, and chowning the home folder to the new user. I'm really hoping for a better solution, though, as a local user account is not ideal/preferred.
  9. jonritter macrumors newbie

    Jul 22, 2011
    - Install Lion
    - Log into your local admin account
    - Set the machine name to "XXX" and remember this name
    - Open Directory Utility
    - Open Active Directory
    - Set the Computer ID to "XXX"
    - (Optional) Show Advanced Options, check "Create mobile account...", uncheck "Require confirmation..."
    - Click Bind
    - Enter in your admin domain credentials
    - Hit OK
    - Lock the Directory Utility by clicking the lock in the lower right corner
    - Log out of the local admin profile
    - Log in as any domain user
  10. Mack Daddy macrumors newbie

    Jul 21, 2011
    Thanks this worked for me
  11. ajxville macrumors newbie

    Aug 3, 2011
    We've found that we still received the "network accounts unavailable" message until we added the local domain that the dc is in to the domain suffix box under system preferences/network. This has fixed the problem for us.
  12. AdvocateUK macrumors regular

    Jan 10, 2008
    Billingham, United Kingdom
    Is the "Active Directory Domain" the name of my server?

    eg server.local
  13. mfischer macrumors newbie

    Aug 3, 2011
    I've had the same problem with our test machine with Lion on it. We need to buy new stuff for the end of year but what is the point if network users can't use them and we can't use Snow Leopard.

    I called Applecare for fun, was ping ponged around a bit and got a "we'll look into it but we haven't heard about it", a ticket number, and a hangup.

    So if you're having this problem, call Apple. Seriously. They need more people to complain. 800-275-2273

    Amusingly, I was told by someone in the enterprise team to look at this thread for possible fixes. Nothing has worked. I'm really annoyed.
  14. KevinDouble macrumors newbie

    Jan 15, 2012
    Robust solution found here

    There are many forums and posts on this topic and I've been facing similar problems with joining Lion OS 7.2.1 on Mac Air and iMac to a new install of Small Business Server 2011 Active Directory domain.
    First of all you must check the clocks on your server and any connecting client - they must be close or matching or AD will reject any binding attempt. Some say less than 5 mins but in my experience less than a few seconds is best. I had trouble matching online time sync services between Mac and server so I manually entered them in the end (this may be a future issue with daylight time savings changing some and not all - will need to check that I guess!)

    Once you are happy with that then I also set up the AAAA records etc on the server as specified in the much quoted site here (

    OK, I was then able to bind for the first time but it was not stable.

    Then I followed the advice listed in this well written and clear blog entry -

    this worked perfectly on the Mac Air and now seems to be great on the iMac.

    Good luck
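The replies above point at three things to verify on the client before blaming the domain controller: that the Active Directory node is still on the Open Directory search path (evilsurfincow's Search Policy fix), that the machine is actually still bound (jonritter's rebind steps), and that the client clock is within Kerberos tolerance of the server (KevinDouble's clock advice). The script below is an added example written for this page, not code posted by anyone in the thread. It parses the output of `dscl /Search -read / CSPSearchPath` and `dsconfigad -show` (both real Lion commands; the sample output embedded here is constructed) and applies the 300 second default Kerberos skew limit, which is the "less than 5 mins" figure quoted above. The domain `EXAMPLE` and the account names are placeholders.

```shell
#!/bin/sh
# Added troubleshooting helper for the Lion AD login problem discussed in this
# thread (example code, not from any poster). All sample output is constructed;
# "EXAMPLE", "example.local" and "lion-client$" are placeholders.

# Kerberos rejects tickets when client and KDC clocks differ by more than
# 300 seconds by default; that is the "less than 5 mins" figure in the thread.
MAX_SKEW=300

# clock_skew_ok CLIENT_EPOCH SERVER_EPOCH
# Returns 0 when the absolute difference is within MAX_SKEW seconds.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$MAX_SKEW" ]
}

# search_path_has_node NODE
# Reads `dscl /Search -read / CSPSearchPath` output on stdin and returns 0 if
# NODE is one of the listed entries (leading indentation is stripped first).
search_path_has_node() {
    sed 's/^[[:space:]]*//' | grep -Fqx -- "$1"
}

# ad_setting KEY
# Reads `dsconfigad -show` output on stdin and prints the value of KEY, e.g.
# "Active Directory Domain". Prints nothing when the key is absent, which is
# also what an unbound machine yields.
ad_setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p"
}

# Constructed sample output shaped like what a bound Lion client prints.
# On a real machine replace these with the live command output:
#   dscl /Search -read / CSPSearchPath
#   dsconfigad -show
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/EXAMPLE/All Domains'

SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = example.local
  Active Directory Domain          = example.local
  Computer Account                 = lion-client$'

# run_checks CLIENT_EPOCH SERVER_EPOCH
# Runs the three checks against the samples, prints one verdict line each and
# returns the number of failed checks (0 means everything looks healthy).
run_checks() {
    failures=0

    if printf '%s\n' "$SAMPLE_SEARCH_PATH" | search_path_has_node '/Active Directory/EXAMPLE/All Domains'; then
        echo 'search path: AD node present'
    else
        echo 'search path: AD node MISSING (re-add it under Directory Utility > Search Policy)'
        failures=$(( failures + 1 ))
    fi

    domain=$(printf '%s\n' "$SAMPLE_DSCONFIGAD" | ad_setting 'Active Directory Domain')
    if [ -n "$domain" ]; then
        echo "binding: bound to $domain"
    else
        echo 'binding: NOT bound (unbind/rebind per the steps in this thread)'
        failures=$(( failures + 1 ))
    fi

    if clock_skew_ok "$1" "$2"; then
        echo 'clock: within Kerberos skew limit'
    else
        echo "clock: skew exceeds ${MAX_SKEW}s, AD will reject the bind"
        failures=$(( failures + 1 ))
    fi

    return "$failures"
}

# Demo run with constructed epochs 42 seconds apart (well inside the limit).
# On a real client use `date +%s` for the first argument and the DC's time,
# e.g. from `sntp -d <dc>` or `ntpdate -q <dc>`, for the second.
run_checks 1311200000 1311200042
```

The parsers deliberately read from stdin so the same functions work on captured output from a machine that cannot log a network user in, which is exactly the situation in this thread: log in with the local admin, capture the two commands to a file, and inspect them elsewhere.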
