Mobile User Home: Vanished

  • #380923
    scarrab666
    Participant

    Hi,

    First post here but am a little desperate/concerned, hence the post.

    I recently implemented a password policy company-wide on our Open Directory. Naturally it's universally hated, but it's for the greater good.

    However, seemingly, some of our Mobile User Home users have had their account 'vanish'. The home folder (~/User) is still there but no accounts show up in the Accounts window!? Any tips here / how do I manually re-create them or get them working again?

    BTW they can log into other computers with no issues (sans the machine with the home folder) just as ‘Network Home’ (with the last time they’d synced their account).

    I’m stumped, I realise I could drag all the stuff back onto their network home from the home folder, wipe the machine and set them back up again but this seems a little drastic!

    Any ideas?

    #381030
    Macleod
    Participant

    Your users have likely had their mobile accounts locked in the local domain, because of the new password policy.
    When their accounts are locked out, the accounts disappear from System Preferences.
    Checking for this is simple: you can either view the AuthenticationAuthority attribute in dscl (dscl . -read /Users/localcacheduser AuthenticationAuthority), or you can point Workgroup Manager at the local domain on the machine and see if the "access account" checkbox is unchecked.
    WGM should be able to re-enable the account, or you can use the pwpolicy -enableuser command line tool to do so.
    You could also delete the user’s cached credentials, and recreate the account manually, but that seems a waste given how easy it is to re-enable.

    #381032
    scarrab666
    Participant

    Hi Macleod,

    Thanks for the reply. I checked to see if the account(s) were locked first and sadly they were not... I ended up re-creating the accounts, which was a bit of a hassle but workable. Seems it could be a bug, as it only happened to around 2% of the users when the password policy was applied.

    Thanking you for the reply though!

    #381035
    Macleod
    Participant

    Scarrab, just to clarify, did you check the local directory (dslocal/nodes/Default), or OpenDirectory?
    Locked in the local directory domain is not the same as locked in the OD domain.
    The user's accounts in the OD domain would be fine, and unlocked. That's why they can log in to other machines.
    When a cached account is locked in the local domain, you get the exact circumstances you mentioned: the user can still log in elsewhere, the account no longer shows in System Preferences, and the user's home folder is untouched. That this happened after applying the password policy makes it even more likely that you are dealing with a cached account lockout issue.
    The only other thing that would make sense would be the user’s cached accounts expiring due to MCX. You can set an expiration for cached credentials via MCX, and if set, it would have similar circumstances, /except/ the user would still be able to login to the machine via OD.

    –DH

    #381036
    scarrab666
    Participant

    Hi Again,

    No, I didn't look here (the local directory)... How does one have a look at this local database (given it's rare for me to have to use Terminal)? I'm sure it'll pop up again at some stage, so it'd be great to have a step by step.

    #381040
    Macleod
    Participant

    The directions are in the first post, but I’ll expand them a bit here.
    Use this from the command line:
    dscl . -read /Users/cachedusername AuthenticationAuthority
    Replace cachedusername with the name of the user account you suspect is locked.
    If you see ;DisabledUser; in the output, the user account is locked in the local node.
    You can also run Workgroup Manager on the machine in question and point it to the local node. Dismiss the login dialog when launching WGM, choose View Directories from the Server drop down, and then change the “Viewing” drop down menu to point to the local node.
    Locked users show with a red X over their user icon, and have the “access account” checkbox unchecked.

    #381082
    scarrab666
    Participant

    Right, I've got a chance to try this... I've gotten as far as looking at the local node and you are right, I can see a locked local user... However it won't let me unlock it 🙁 Any ideas?

    PS sorry for the late reply, this really is helpful to me to know how to fix, and we’re half way there!

    PPS https://ftp.lexispr.com/_kn4RbKt-tnn_JR (I've unlocked the lock too!)

    #381095
    Macleod
    Participant

    I suggest you read the man page for pwpolicy, or google around for pwpolicy -enableuser.
    The exact syntax can be tricky.
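
The check described in Macleod's step-by-step post (look for ;DisabledUser; in the local node's AuthenticationAuthority) and the pwpolicy -enableuser fix from the last reply, pulled together into one script. This is an added example, not code from any of the posters. It assumes the local node is addressed as /Local/Default and that pwpolicy takes -n node -u user -enableuser as documented in its man page; the dscl -delete fallback, which strips just the ;DisabledUser; value, is also an assumption, as are the constructed sample attribute values used so the classifier can be exercised without a Mac.

```shell
#!/bin/sh
# Added example (not from the forum posts). Detects a mobile/cached account
# that is locked in the local directory node and re-enables it.
# Assumptions, not taken from the thread: the local node is /Local/Default;
# pwpolicy accepts "-n /Local/Default -u <user> -enableuser"; removing the
# ";DisabledUser;" value with dscl -delete has the same effect.

# Return 0 (true) when dscl output marks the account as disabled.
# $1 is the text printed by: dscl . -read /Users/<name> AuthenticationAuthority
aa_is_disabled() {
    case "$1" in
        *';DisabledUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "locked", "unlocked" or "missing" for one account.
# $1 is the dscl output, $2 is dscl's exit status (non-zero: no such local user).
classify_account() {
    if [ "$2" -ne 0 ]; then
        echo missing
    elif aa_is_disabled "$1"; then
        echo locked
    else
        echo unlocked
    fi
}

# Read the attribute from the local node on a real Mac and classify it.
check_local_user() {
    user=$1
    out=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
    rc=$?
    classify_account "$out" "$rc"
}

# Re-enable a cached account locked in the local node. Tries pwpolicy first;
# if that fails, removes only the ";DisabledUser;" value from the attribute.
enable_local_user() {
    user=$1
    sudo pwpolicy -n /Local/Default -u "$user" -enableuser ||
    sudo dscl . -delete "/Users/$user" AuthenticationAuthority ';DisabledUser;'
}

# Constructed sample outputs (not captured from anyone's machine) that mimic
# what dscl prints for a locked and an unlocked mobile account.
SAMPLE_LOCKED='AuthenticationAuthority: ;DisabledUser; ;ShadowHash;HASHLIST:<SALTED-SHA512> ;LocalCachedUser;/LDAPv3/od.example.com:jdoe:00000000-0000-0000-0000-000000000001'
SAMPLE_OK='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512> ;LocalCachedUser;/LDAPv3/od.example.com:jdoe:00000000-0000-0000-0000-000000000001'

# Usage on a Mac: sh fix_cached_lock.sh --check jdoe
#                 sudo sh fix_cached_lock.sh --enable jdoe
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_local_user "$2"
elif [ "${1:-}" = "--enable" ] && [ -n "${2:-}" ]; then
    enable_local_user "$2"
fi
```

Run the --check form first on an affected machine; only a "locked" result points at the local-node lockout Macleod describes, while "unlocked" means the cached account is present but something else (such as an MCX cache expiry) hid it, and "missing" means the local record is gone and the account has to be re-created.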
