Mobile user can't log in

Hi Guys,

I recently took on a job as a system admin at a medium-sized company. I am new to the job, and new to Macs as well, so I was hoping you could provide some advice.

We are running a Windows 2008 domain with a mix of PC and Mac client machines. I recently set up a MacBook Air for a traveling sales associate. While the user was on-site I had him log into his account, and in the domain preferences I checked off "create mobile account at login." My assumption (because it has worked in the past) was that when the user goes offsite his domain credentials will be cached on the machine and he will still be able to log in. Well, the user is now back on the road, and already his domain creds are not working, leaving him no way to log on or get access to his stuff. So 2 questions.

1) What could I have done wrong, and what must I do in the future to ensure that mobile users will be able to log in?

2) What can I do to fix this issue now that the user is on the road and I have no access to his computer?

Oh and this particular machine is on Mac OS Tiger.

Thanks.
 
There must be a local user on the Mac. Have the user log in as the local user.

I'd also upgrade to at least Snow Leopard.

As for what to do now? Try logging in with the local user, turn off Wi-Fi, and try to authenticate as the mobile user with no network connectivity.

What did you do wrong?

It's been so long since I've worked with Tiger that I'm not sure what went wrong with your setup. Mobile user accounts should be able to cache credentials locally by nature. This is confirmed in the OS X Server manual when creating mobile users; however, are there GPOs in place to not allow this?
 
OP
Whoops. Sorry, I meant to say Lion (not Tiger), and the system is completely up to date. I have given the user access to a local account, but that will not give them access to their files or their email. Even if they are connected to Wi-Fi that will not help, because they would need to be connected to the VPN in order to log in using their domain credentials.

I should also mention that the behavior seems very inconsistent. On all machines I have the option to "create mobile account on logon" checked. Sometimes it works successfully, sometimes I need to create the mobile account manually.
 
OP
Found a solution to my problem, and even wrote up a nice little document. For anyone else who encounters the same issue, here is a solution:

How to Log In a Remote Domain User Without a Mobile Account

If you have a user working remotely from their MacBook who does not yet have a “mobile account” created on the machine, it is still possible to have that user log in. This will require some sort of local/admin user account for the user to log in with, as well as a VPN connection to the domain.

With the user logged in using a local admin account, go to:

1) Apple menu > System Preferences > Network.
2) Unlock the screen with the lock icon in order to make changes.
3) Select the VPN account and click “advanced.”
4) Uncheck the options for “disconnect when switching user accounts” and “disconnect when user logs out.”
5) Make sure “send all traffic over VPN connection” is selected.
6) Click OK and close System Preferences.

Now connect the VPN using the user’s domain credentials. You can do this either through System Preferences or, if the option was selected, through the icon on the menu bar. Once the VPN is successfully connected, either log off, or go to the logon window by using the user menu located in the upper right-hand side of the screen.

Now at the login window the VPN should remain connected. Have the user log in using their domain credentials. This may take longer than usual, but should be successful.

Now, with the user logged in, go to:

1) Apple menu > System Preferences > Users & Groups.
2) Unlock the screen with the lock icon in order to make changes.
3) Next to mobile account click “create.”
4) At the following screen leave the defaults and click create.
5) Once more click “create” to confirm.

The user will now be able to log on even when disconnected from the network or the VPN. As your last step, you should re-check the options for “disconnect when switching user accounts” and “disconnect when user logs out” in Network settings.

Note: An option in the Active Directory advanced settings does allow a mobile account to be created automatically upon logon; however, this option does not always work, and so it should not be relied upon.
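
A check an admin could run on the Mac before a laptop leaves the office, to confirm that the mobile account described in the write-up above was actually created (added example, not part of the original posts). It assumes the mobile account's local record carries a `LocalCachedUser` entry in its `AuthenticationAuthority` attribute, as Active Directory mobile accounts on OS X do; the sample records, the domain `EXAMPLE` and the user `jdoe` are constructed.

```shell
#!/bin/sh
# Added example: verify that a user has a locally cached (mobile) account,
# so that login still works with no domain controller or VPN reachable.

# Reads AuthenticationAuthority text on stdin; returns 0 if the record
# is a cached copy of a network account (i.e. a mobile account).
has_cached_login() {
    grep -q ';LocalCachedUser;'
}

# Reads the same text on stdin; prints the directory node the account was
# cached from, e.g. "/Active Directory/EXAMPLE".
cached_directory() {
    sed -n 's/.*;LocalCachedUser;\([^:]*\):.*/\1/p' | head -n 1
}

# Runs on the Mac itself: queries the local directory node with dscl.
# Returns 0 = mobile account present, 1 = plain local account, 2 = no record.
check_user() {
    user=$1
    auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null) || {
        echo "$user: no local record, offline login will fail"
        return 2
    }
    if printf '%s\n' "$auth" | has_cached_login; then
        src=$(printf '%s\n' "$auth" | cached_directory)
        echo "$user: mobile account cached from $src"
    else
        echo "$user: local record exists but is not a mobile account"
        return 1
    fi
}

# Constructed sample records (placeholders, not real hashes or GUIDs).
SAMPLE_MOBILE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512> ;LocalCachedUser;/Active Directory/EXAMPLE:jdoe:00000000-0000-0000-0000-000000000000'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512>'

# Usage on the Mac: sh check_mobile.sh <shortname>
if command -v dscl >/dev/null 2>&1 && [ $# -ge 1 ]; then
    check_user "$1"
fi
```

A non-zero exit from `check_user` while the machine is still on the office network means the mobile account has to be created manually before the user travels.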
 