Forum Replies Created

Viewing 15 posts - 1 through 15 (of 48 total)
  • in reply to: AD Bind #379554
    arekdreyer
    Member

    Have you seen this article?

    http://support.apple.com/kb/ts3346
    Mac OS X v10.6: Successive Active Directory users receive “You are unable to log in to the user account (username) at this time” alert

    Active Directory users may receive the message “You are unable to log in to the user account (username) at this time” when trying to log in. This can happen with successive Active Directory users who have home directories on different sharepoints of the same server. They can log in if the Mac OS X client is restarted.

    Products Affected
    Mac OS X 10.5, Mac OS X 10.6
    Resolution
    Edit the /etc/auto_master file of the affected Mac OS X client. Comment out the /Network/Servers entry as shown in the example below:

    [code]
    # Automounter master map
    #
    +auto_master # Use directory service
    /net -hosts -nobrowse,hidefromfinder,nosuid
    /home auto_home -nobrowse,hidefromfinder
    #/Network/Servers -fstab
    /- -static
    [/code]

    Save the file, then restart.

    in reply to: Decreasing Login times for Managed Clients #378599
    arekdreyer
    Member

    What else is going on during login? Are you syncing files?

    Your clients will use the Open Directory server that you specified when you bound to Open Directory. There is no automatic load-balancing between the master and replicas. However, of course, if the Open Directory server you bound to becomes unavailable, your client will use another Open Directory server. The client keeps a list of the appropriate servers.

    in reply to: AD authentication OD Mobile Account 10.6.2 #378198
    arekdreyer
    Member

    The procedure for using augmented user records to provide customized home folders is documented in a WWDC2009 session (which is not publicly available), but it is publicly available in the book Mac OS X Directory Services v10.6.

    in reply to: Changing User passwords for non Mac users #378197
    arekdreyer
    Member

    If this is Mac OS X Server v10.6, there’s a really cool feature:

    Server Admin > Web > Sites > Web Services >
    Allow users to: change their password

    This is pretty big.

    arekdreyer
    Member

    Pay attention to which tools you use to create objects.

    Tim Perfitt’s paper and presentation do a great job explaining.

    http://seminars.apple.com/seminarsonline/managing/apple/index.html?s=301

    Be prepared for Workgroup Manager to give seemingly-random errors.

    in reply to: Kerberized services only work on AD DNS subdomain #378184
    arekdreyer
    Member

    Maybe this article will help: http://support.apple.com/kb/HT3795

    Mac OS X Server v10.6: Configuring service principals in Active Directory when using a disjoint namespace

    in reply to: AD authentication OD Mobile Account 10.6.2 #378152
    arekdreyer
    Member

    In order to access /Network/Servers/our-server.com/Volumes/DATADRIVE/Home, you’ll have to set up network mounts. See http://www.peachpit.com/articles/article.aspx?p=1412022&seqNum=16

    in reply to: using OD for authentication with NO home folders #378060
    arekdreyer
    Member

    Quote by: beemerkid
    “We have been able to authenticate using OD bound and unbound but both need home folders. Is there a way to have no home folder and still authenticate?”


    Here are two ways to have users from OD log in with LOCAL home folders (rather than network home folders). Note that an OD user must have SOME home folder defined in order to log in at the loginwindow on a bound client.

    One way is to use managed preferences to force the creation of mobile accounts, and specify “Home folder location” as “on startup volume”.
    See the illustration on page 67 of the tandtleo14.3.pdf document (use Google to find it).

    Another way is to use Workgroup Manager to specify a local home folder for a network user account:

    Select the user
    Click the Home tab
    Click the Add button (+)
    In Full path, enter /Users/arekdreyer
    Click OK
    Now /Users will be listed in the Home tab
    Select the other users, select /Users, and click Save.

    arekdreyer
    Member

    Have you considered not using Workgroup Manager to create the user; script that, or use different tools?

    in reply to: Per User Proxy settings #378058
    arekdreyer
    Member

    In the book Mac OS X Directory Services v10.6, we walk you through extending augmented user records with home folder as an example. http://www.peachpit.com/store/product.aspx?isbn=0321635329

    But – it is one thing to make an attribute available and populate it with information, and it is another task to get the OS or an application to care.

    Are you referring to the Web Proxy, which you can set with the advanced pane of the Network system preferences, on a per-interface basis? I don’t know if any browser other than Safari pays attention to the setting…

    When you use Workgroup Manager’s managed preferences to assign a Web proxy, it updates the dsAttrTypeStandard:MCXSettings attribute; in my experience, managed preferences is not a good candidate for augmented user record extension, even though that was one of the first things that many people wanted to use it for when augmented user records first appeared.

    in reply to: Forcing desktop picture on clients #378057
    arekdreyer
    Member

    Quote by: rikakiah
    “Is there an easy way to make user groups use a specific desktop pic when logging in?”

    Use Google to find the document “tandtleo14.3.pdf”
    Look at page 52.

    arekdreyer
    Member

    I think you’d be most interested in:
    http://seminars.apple.com/seminarsonline/managing/apple/index.html

    Look at:

    http://www.apple.com/business/solutions/it/directory.html

    There’s a link to:
    Best Practices for Integrating Mac OS X into Active Directory
    http://www.seminars.apple.com/seminarsonline/activedir/apple/index.html?s=203&locs=us_en

    Click the “More Online Seminars”, then Enterprise, in order to get access to:

    Directory Integration:
    Best Practices for Integrating Mac OS X into Active Directory
    Managing Mac OS X with Workgroup Manager and Active Directory
    Modifying Active Directory Schema to Support Mac Computers

    Here are some direct links, current now, but may become outdated…

    Modifying Active Directory Schema to Support Mac Systems, a white paper providing information on how to create and apply schema modifications in Active Directory
    http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf

    Managing Mac OS X with Workgroup Manager and Active Directory using Extended Schema, a white paper with detailed information on how to manage Mac systems using Workgroup Manager
    http://www.inspirednetworks.ca/site/wp-content/uploads/2009/08/Managing_Users_and_Policies.pdf

    Best Practices: Integrating Mac OS X with Active Directory, a high-level white paper designed to help system administrators integrate the Mac into an existing Active Directory infrastructure
    http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf

    arekdreyer
    Member

    Thanks so much for circling back and following up with your solution!

    arekdreyer
    Member

    OmniBlade, that makes more sense.

    What are your settings for the Active Directory connector (plug-in)?

    in reply to: Magic Triangle and AD authentication with OD WGM #378029
    arekdreyer
    Member

    Remember that you can apply management at the user, computer, and workgroup level. So if an AD user isn’t a member of a workgroup, they are certainly logging in to a computer, so manage at that level.

    Consider setting up a Guest computer record, and applying your managed preferences there.

    The Guest computer record applies to computers that are not part of a computer list or computer group; if you have computer lists or groups defined, then apply managed preferences at that level.

    One of the preferences at the computer level is to allow only members of certain workgroups to log in, which would disallow the AD users (that aren’t part of an OD workgroup) from logging in.
