Lion and Active Directory Tips and Reports

Working with Mac OS X 10.7 and Microsoft Active Directory

Updated May 31, 2012
On This Page:

- Tips and Reports:

If you’re using Leopard about any problems or tips.

72 Hour Apple Black Friday Sale

Lion Server For Dummies

Lion Server for Dummies by John RizzoSteve Jobs by Walter Isaacson
Now available!

Steve Jobs by Walter Isaacson

Check Amazon's pricing on:

Windows 7,Follow MacWindows_com on Twitter
Windows XP for your Mac, for running with Boot Camp, Parallels or VMware

Amazon's Apple products page

MacDrive 8
Access your Mac OS X partition from
Boot Camp

Lion Server for Dummies
How to Support Mac and Windows clients on a Mac server, connect your Macs to Active Directory

Follow MacWindows_com on Twitter

Follow MacWindows_com on TwitterFollow us on twitter

Windows Servers and Macs
Tips and Reports

Windows on Mac

GoToMeeting - Online Meetings Made Easy

TIPS and Reports

Reader's Lion Macs have authentication problems with Active Directory

Monday, August 8, 2011

Greg Myers is having problems authenticating his Lion Macs to Active Directory:

I am in a school environment and we considering rolling out Lion prior to the start of school. Those plans are on hold right now due to authentication problems with Active Directory. Binding to the directory is not a problem except for an occasional failure to store the password error that requires a logout/login cycle to eliminate. But on the half-dozen test machines login with network credentials has ranged from no problem to impossible. For two, a MacBook Pro of 2009 vintage and a 2010 MacBook, work fine after a login where the domain was appended to the end of the username for a single login, but that trick has not worked on others. Another, a 2009 iMac, will not authenticate no matter what is tried. All machines indicate they are properly bound, green dot in the directory list, and indicate network accounts are available at the login screen. At this point I think we will stick with Snow Leopard unless I find a reliable fix by Monday.

If you're having problems with Lion and Active Directory

TIP: Workaround for Lion authentication problems with AD

Tuesday, August 9, 2011

Two readers responded to yesterday's report of Active Directory authentication problems with Lion. Kris Hagel shared this workaround:

I saw the posting you had today regarding Lion authentication with Active Directory. I have also been experiencing the same issues on Lion as well. I wanted to share what I had run into in my research. It appears in our organization at least that if you let Directory Utility go out and find any domain controller to bind, it will do that just fine, but when you come back and wish to login you then run into problems.

Our temporary work around for now was specifying a specific domain controller in the preferred DC settings in the binding screens, then the authentication has worked on all computers from that point forward. May be of some help to someone.

If you've tried this .

Greg Myers updated his previous report to note that he has turned to a third-party product:

I've begun a transition to using Centrify Express and it is working very reliably.

TIP: Another suggestion for Lion and Active Directory, and more problems

Thursday, August 11, 2011

Several more readers reported problems with Lion authenticating to Active Directory. Hugh Burt has a workaround:

We also experienced problems and this is what we have found. It is important that you bind the machine using the same computer name set in the Sharing system preference. Secondly, the "default" search path used after binding doesn't work. We had to change the paths using the search policy with the Open Directory utility. For example, after binding to our staff domain :- The default path - Active Directory/Staff doesn't allow logons Adding one of the custom ones - Active Directory/ Staff/forest also didn't work But adding Active Directory/Staff/staff.forest does allow logons.

For the student domain, we had to use the custom one :- Active Directory/student/student.forest

If you've tried this approach . Stefen Kaur finds that client settings don't stick:

I can bind just fine, and the System Preferences user screen shows check mark next to "Network users can login to this system." Upon log out, the option is there to login. Upon reboot, going back to System Preferences and users they setting no longer is there to allow network users to login to system. As if the setting is not saved.

If you've seen this problem .

Geordie Korper is another reader reporting Lion/Active Directory success using Centrify Express:

I have to second that in my testing Centrify Express has worked much more reliably in Lion than the built-in AD client has. Although in the interests of full disclosure I have worked with the Centrify folks quite a bit over the years and might be considered somewhat biased.

Reader problems setting Active Directory mobile accounts on Lion

Thursday, August 11, 2011

Jason Bush is has some complaints about configuring mobile Active Directory Accounts on Lion clients:

Setting up mobile accounts [on Lion clients] is a pain and confusing as what to check. I mean mobile accounts based in Active Directory and cached to the local drive. It's confusing as to what works to force those accounts down. The Directory Utility (DU) acts strange. By that I mean you have to delete all domains from your search path then add back the one you want.

If you've seen this issue

Bush goes on to give his thoughts about Lion Server:

I have tested Lion Server. It's crap for the most part. I would really like to use the Profile Manager and just keep 10.6 Server. I deploy our RADIUS settings via mobileconfig file for small but growing 10.7 users. Deployment is a joke at this point if you want to use FV2. JAMF is working on some features, but right now it's kind of a hack job to get this working well. I'm really hoping they can roll the FDE into some kind of MCX or profile. Sorry to rant, but many of these changes were just unnecessary or not thought through.

Reader says mobile accounts on Lion don't work

Monday, August 15, 2011

Michael McCully responded to Thursday's report of problems with creating mobile accounts. He's seeing error messages:

I've got big problems creating mobile profiles with Lion clients. All the settings stick when set but when a newly networked user logs in there's an error stating the home location has been moved and can't be located. Essentially the user is able to login but the mobile (home) isn't created in the users folder. So far I've got five Macs that are completely unusable because of this problem. I really hope there's a fix soon.

If you've seen this problem .

TIP: Workaround for Lion mobile account problem in AD

Thursday, August 18, 2011

Dan Lee sent in a workaround to "Reader says mobile accounts on Lion don't work," where a user is able to login but the mobile home isn't created in the users folder. Lee reports:

I have seen this issue in our environment as well (Active Directory 2008 R2) and while this might be specific to my network, I figured I'd share. If you use the Directory Editor found in Directory Utility to view the LDAP info from AD, for a given account, check the attribute "dsAttrTypeNative:userPrincipleName" and make the user's user ID and domain are set correctly. In the instances where the user ID and domain are not set correctly, I've experienced the same behavior that Michael has been seeing.

For example my company uses a different domain name for email than we use for logging on/accessing our domain. My email is; however, our actual domain name is When I experienced the issue I saw that the attribute "dsAttrTypeNative:userPrincipleName" was set to I changed it to, tried to log in, and voila, problem went away.

If you've tried this approach .

TIP: Another "fix" for mobile accounts in Lion

Monday, August 22, 2011

Michael McCully sent another workaround for Mac OS X 10.7 problems with mobile accounts in Active Directory:

In response to Dan Lee's workaround for mobile accounts in Lion, I didn't find the same inconsistency that Dan Lee did in his workaround. But I was able to "fix" the Mobile Account issue in Lion -for now:

  1. - In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
  2. - Log out then back in as a networked user, -A local home directory will be created under /Users but will not be accessible if network is offline (non-mobile)
  3. - Open Terminal and type:

cd /System/Library/CoreServices/
./createmobileaccount -n username

The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account. This fixes Active Directory for the time being.

Now its on to Open Directory, which refuses to stay bound after a reboot.

If you've tried this fix (or have this Open Directory problem) .

Reader says 10.7.2 fixes Lion problem JAMF, AD

Thursday, October 13, 2011

Jason Bush reports that the Lion 10.7.2 update fixed a Lion bug with Active Directory and JAMF Casper:

10.7.1 didn't do the trick for us, but the 10.7.2 does with no adjustment to existing JAMF bind settings.

If you've seen this .

TIP: Fix for Lion 10.7.2, mobile AD accounts -- remove WINS

Monday, November 14, 2011

Nick Vasilopoulos sent us a fix for problems with mobile Active Directory accounts for Lion clients. He had tried a number of fixes we've reported, including last week's Apple IPv6 fix, to no avail. Finally, what worked was "ditching WINS" and binding in a particular manner:

Thanks for the great site. I've been battling this issue for quite some time now, sometimes it works, and sometimes it does not. But reading one of your users posts (it didn't work) led me onto a solution that worked for me......Read entire story here

Reader says removing WINS didn't fix Lion AD after all

Friday, November 18, 2011

Nick Vasilopoulos reported back that his success with the suggestion he shared for fixing Lion 10.7.2 Active Directory problems was short-lived:

I'm eating my hat as I write this. It seems that my fix was short lived. I'm having the same issue as everyone else now, sometimes not even being able to login locally to the mac with the mobile account while offline. I've tried all manner of fixes and even gave Apple a call. All for nothing.

TIP: Workaround for Lion binding problem with Active Directory

Monday, August 15, 2011

Laura Russo shared a workaround for Lion problems binding to Active Directory:

I had issues binding to Active Directory on Lion as well, on a whim I bound directly to a domain controller (rather than the domain itself) through System Preferences, rather than Directory Utility and so far the bind has held. Obviously this is not an ideal solution but may be a workaround for the time being for some people.

If you've tried this approach .

Reader reports kerberized AD login fails in Lion

Monday, August 22, 2011

Mark Napier reports a Mac OS X 10.7 problem with kerberized login to Active Directory:

What I'm seeing here is that our Lion test machine can get info from our Open LDAP server -- command line ID works as expected, for example. Command line kinit against our Active Directory kerberos works as well. But kerberized logins fail. Logs suggest it thinks user is typing a bad password.

If you've seen this problem .

Lion "unable to connect to server" error for AD

Tuesday, August 30, 2011

Carlos Osorio gets an error message when he tries to connect his Lion Mac to Active Directory:

I just installed Lion and am not table to connect to the Windows Active Directory. I am using the Directory Utility to bind to the AD and after much time I receive and error that states Unable to Connect to Server.

If you've seen this problem .

Note that that two weeks ago, another reader reported that using System Preferences instead of Directory Utility got around his problems.

TIP: Workaround for Lion connection error in Acitve Directory

Friday, September 2, 2011

Peter Goldberg sent us his workaround for connection errors with Lion and Active Directory:

I have been working on the problem of joining a MacBook Pro 10.7.1 for the last week. I had similar problems as stated on the web site dated August 30, 2011, "unable to connect to server" error for AD

I finally solved the problem by creating a new user account on the MacBook that had the same logon name and password that I originally set up within Active Directory on the Domain Controller.

I set up user johnsmith within the Active Directory and provided a password of smith1. I then went to the MacBook Pro and set up a new user account called johnsmith with the same password of smith1. I then attempted to join the MacBook to the Domain and I was successful.

Now the only problem I have is when I logon to the network using the MacBook Pro, I don't see the "home folder" that I set up for the user within Active Directory. Specifically, I set up a Home Folder on the Profile tab for the new user. It specifies that it should connect as the H Drive to the share \\server\users$\johnsmith <file:///\\server\users$\johnsmith> . Unfortunately, I don't see this share on the Macbook when I logon. If you have any information about this, that would be wonderful.

If you've tried this .

TIP: Sync Mac time with AD to fix connection problems

Tuesday, September 6, 2011

Takayuki Matsumoto in Australia responded to last week's report "Lion 'Unable to connect to server' error for AD" with this suggestion:

Check whether or not the time on Lion is sync'ed with the Active Directory domain.

If you've tried this .

Reader says time syncing not the issue behind Lion AD sync problems

Thursday, September 22, 2011

Daniel Murray reports that syncing Mac OS X 10.7's time with an Active Directory server did not solve problems. Neither did any of our other tips:

Tried the time syncing tip. No Joy. I've also gone through all of the suggestions at MacWindows. Using a spanking new MacBook Air. This simply should not be this hard.

Have a problem or workaround for Active Directory problems with Lion?

TIP: Another workaround for Lion "unable to connect to server" error

Monday, September 12, 2011

An anonymous reader shared another fix for the "unable to connect to server" error for Lion in Active Directory:

I had a similar problem with Lion the first time I tried to connect to AD natively. What worked for me was to configure the AD plug-in in DS and UNCHECK the box labeled "Allow authentication from any domain in this forest". Then I specified the FQDN of the AD domain controller by name that I normally authenticate against, then bound the machine. Immediately after that completes successfully, use the DS tool to add the specific AD domain in your forest where your users are defined. For example, you may see "Active Directory/forest_name", "Active Directory/forest_name/" and "Active Directory/forest_name/". These are different domains in your AD forest. Specify the domains your users will be authenticating from making sure to not include domains not needed. Switch to Contacts view and do the same.

Of course, make sure the account you're using to bind has sufficient rights to join a computer to the particular OU. Also, it's a good practice to segregate Macs in their own OU. Make sure you specify the correct OU in reverse order, e.g., "OU=macs,OU=computers,DC=Contoso,DC=com". Also remember to add any non default administrative domain groups that can manage the macs BEFORE you bind. The MS defaults are "enterprise administrators" and "domain administrators". We have a Mac admin group that we add before we bind as well.

If you've tried this approach .

Tip: Another take on "dseditgroup" fix for AD loss of admin rights

Monday, September 12, 2011

A reader shared a fix for the Active Directory problem of Mac mobile accounts on losing administrator rights and reverting to standard user privileges. His fix is similar to one posted in April for Snow Leopard. This reader (who wishes to remain anonymous) sees the problem with Lion:

Managed admins are just users when logging on offline - After joining 10.7 to my 2003 AD, SysPref/Accounts showed my ID as "Admin, Network, Managed". But if I logged on from home (no DC authentication), I lost admin rights. The following command fixed the problem:

dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin

This command asked for the password of "current_local_admin" and then added $USER to the local admin group for offline authentication. Also, using" dseditgroup -o read admin" lets me confirm the current group membership.

If you've tried this approach in Lion or Snow Leopard .

TIP: A "search order and permission" workaround for Lion AD binding bug

Monday, September 12, 2011

Aaron Gilfillan send in another workaround to Lion problems with Active Directory binding:

AD binding in Lion 10.7.0 and 10.7.1 is broken. It's a search order and permissions issue. The only "fix" I found was this:

  1. Unbind machine
  2. Rename machine
  3. Reboot
  4. Login as local user
  5. In Directory Utility, go to Services
  6. Enter active directory name
  7. Check create mobile and require confirm (optional)
  8. Check prefer this domain controller, enter full primary domain controller
  9. Check allow auth for any domain in forrest
  10. Enter AD name
  11. Bind
  12. Logout (network login will be unavailable)
  13. Login local admin
  14. Go to Search Policy
  15. Make for custom path - click + add /active directory/domain
  16. Move /active directory/domain up above /active directory/domain/all domains
  17. Click + then cancel out of that
  18. It will now be able to login to network --- but don't reboot.

Here is the thread at Apple Discussions.

If you've tried this workaround .

Reader says OS X Lion ignores AD computer lists

Tuesday, September 13, 2011

Andre posted a problem in our Forums in which Mac OS X 10.7 Lion seems to ignore Active Directory computer lists, a problem that older versions don't have:

In my lab I bound some Mac clients to a schema-extended Windows Server 2008 R2 based Active Directory.

The 10.6.8 clients can be managed using computer lists, while the 10.7.1 machines ignore these settings. I had a look at /etc/openldap/schema/apple.schema on both Mac OS X 10.6.x and 10.7.x machines, and the entries for computer lists haven't changed with 10.7.

Settings for computer accounts, though, will be applied on both 10.6 and 10.7.

If you've seen this problem please post a response in our forum.

Reader says Mac OS X 10.7.2 fixes Lion Active Directory issues

Thursday, October 13, 2011

Jesse Patterson wrote of yesterday's Mac OS X 10.7.2 update:

The fix for Lion AD issues is 10.7.2. Nothing else -- not adding search paths for directories etc.

If the update fixed Active Directory issues for you . And please mention which specific Active Directory problem you're working with.

Lion in AD works for reader with 10.7.2 update

Monday, October 31, 2011

John Klimeck explains the circumstances under which the Mac OS X 10.7.2 Lion update fixed Active Directory problems:

Active Directory is working for us, binding and login (creating user profile) and caching credentials.

  • Lion 10.7.2
  • Active Directory 2003
  • Kerberos, are you being issued a Kerberos ticket (Ticket Viewer)
  • Infoblox DHCP, DNS and NTP
  • Brand new Foundry / Brocade Gig E Core network
  • Have users pre-created the object in ADUC, OU=nameofouwheremacobjectssare, dc=x, dc=x, dc=x

I believe this has something to do with the organization's network architecture.

If you've you've seen something similar .

TIP: DNS workaround for slow AD binding with Lion and 10.6.8 in .local domains

Friday, October 21, 2011

An Apple tech support article describes a workaround for slow Mac binding to Active Directory. The article, called "Login and directory binding delays on systems joined to an Active Directory domain ending in .local," describes a problem with Mac OS X 10.7.x Lion and with Mac OS X 10.6.8 (the last Snow Leopard build). The workaround is to adding some IPv6 records to the domain name service (DNS) server:

This behavior can be mitigated by creating forward (AAAA) and reverse (PTR) IPv6 records on each DNS nameserver for all Active Directory domain controllers. An IPv6 reverse zone will need to be created to hold the PTR records.

The article provides links to Microsoft's tech support on how to create these records in Windows 2008 DNS servers. The Apple article also says this about IPv6:

Self-selected unique-local IPv6 addresses may be employed if an IPv6 address space has not been established. The IETF has designed the FD00::/8 address space for this purpose. Addresses in this space are not globally routable and are suitable for internal networks.

If you've tried this workaround . (A reader adds more to this directly below, and another has similar workaround is in a post below that.)

TIP: Reader verifies IPv6 DNS fix for slow AD binding, with suggestion

Thursday, May 31, 2012

Wolf-Dieter Seeau in Austria verified the tip "DNS workaround for slow AD binding with Lion and 10.6.8 in .local domains." He also ran into a problem with the fix and passed along a suggestion. His report:

Many thank for your great website! After long searching I found the article on your website. The problem with the long login times occurred in our environment after the update to 10.6.8. In many user groups I've found the problem. But the hint on your site was the solution.

It's not so easy to implement IPv6 in an enterprise environment. But it seems that this is the only working solution. At first we tried to register the self-generated link local IPv6 addresses from the Domain Controllers on our DNS Servers. The problem on the Macs was solved. But after 5 minutes the AAAA DNS entries were cleared away automatically and the problems with the delay by logging in appeared again. After long troubleshooting we found the problem. You cannot register self-generated link local addresses on a Microsoft DNS server. We are forced to use unique local addresses. Now everything is working fine.

If you've tried this please

TIP: Fix for slow Lion access to SMB home directory in .local domain

Monday, October 31, 2011

Bobby Stewart forwarded a fix from Centrify regarding Lion in Active Directory networks. Specifically, it addresses a problem with Mac OS X 10.7 Lion connecting to server-based, SMB home directories, where it takes the Lion Mac a long time to log in. Not too long ago we reported an Apple fix for slow Active Directory access in .local domains, which provides for a similar solution. (See "TIP: DNS workaround for slow AD binding with Lion and 10.6.8.") The Centrify article describes the cause at this:

The problem exists on Mac OS 10.7, because 10.7 always uses Bonjour first to resolve any .local hostname. If Bonjour fails (timeout), it will then use standard DNS, thus causing the delay.

For Mac, the .local domain is reserved for Bonjour, and the Mac will only lookup these hostname using Bonjour (multicast). On Mac OS 10.7, a hostname that contains only one level under .local (i.e. xxx.local) is resolved using multicast......Read entire story here

TIP: DNS issue slows Lion access to .local domain

Monday, April 2, 2012

Lee Lepkowski commented on the tip "Fix for slow Lion access to SMB home directory in .local domain," and described how he solved the problem: Hello and thank you for the article! I was pulling my hair out trying to resolve the slow server connection in Finder after upgrading my MacBook to Lion. Your description of why the problem occurs helped me figure out my issue.......Read entire story here

TIP: Apple offers IPv6 fix for Lion AD problems in .local domains

Friday, November 11, 2011

Ben Cooper followed up his previous report, "Reader says magic triangle AD connection lost after rebooting Lion Server," with some advice from Apple, which suggests adding IPv6 records to the DNS server:

After calling Apple's support, they referred me to this in regard to Active Directory binding: Login and directory binding delays on systems joined to an Active Directory domain ending in ".local".

I have not tried Apple's recommendation yet. I am a little hesitant to dive into IPv6 at this point.

This is the first time we can remember Apple suggesting using IPv6 to fix a problem. The Apple article that Cooper describes suggests as a fix:

This behavior can be mitigated by creating forward (AAAA) and reverse (PTR) IPv6 records on each DNS nameserver for all Active Directory domain controllers. An IPv6 reverse zone will need to be created to hold the PTR records.

The article then links to several Microsoft articles on how to do this. If you've tried this approach

Feedback on Apple's IPv6 fix for Lion AD problems in .local domains

Monday, November 14, 2011

Kyle Torkelson commented on Friday's report of Apple's suggestion to use IPv6 DNS records on the Windows server to fix Lion Active Directory problems in .local domains:

Even with Apple pointing everyone to add the IPv6 info to their DNS/AD, it shouldn't be a server-side fix. Mac OS X 10.6 didn't do this. Everyone needs to push back at Apple as this should be a client fix, not a server issue.

If you've tried this approach

TIP: Fix for "impossible" Lion access to AD in .local domain

Friday, November 11, 2011

Guillaume Gete tried a tip we posted to try to get Lion to bind to Active Directory, but failed. Then he made a change that solved the issue:

I struggled these days to bind Macs with Lion client 10.7.2 to a Windows Server 2003 Active Directory. Authentication was almost impossible, networking was slow as hell, and it was impossible to login using an AD account, even when using local home directory.

I tried to apply the solution from Centrify you published here. However, it was impossible to bind to the Active Directory domain (domain controller could not be found). Then I asked the Windows admin to remove the "local" domain he added a few minutes before. And, TA-DAAAAAAA! I can bind the computer to AD, access the network, login as an AD user, and I even get Kerberos tickets. Life seems much better.

Of course, I can then not ping the domain itself, but not a big deal I think in this case.

If you've tried this approach

TIP: Fix Lion 10.7.2 and .local AD domain by disabling DNS multicast

Monday, November 14, 2011

Louie Campagna found a way to fix Lion 10.7.2 problems with .local Active Directory domains by tweaking an Apple solution for Snow Leopard. It involves turning of disable multicast advertisements from mDNSResponder. (Last year, we posted another, different Snow Leopard solution involving multicast. Note also, that we've previously reported a workaround involving multicast from Centrify for slow Lion SMB access in Active Directory in .local domains.) Here's what Campagna did to solve the problem......Read entire story here

Confirmation of disabling DNS multicast to fix Lion/AD in .local domain

Friday, November 18, 2011

Lawrence Fung had luck with the procedure described in "TIP: Fix Lion 10.7.2 and .local AD domain by disabling DNS multicast":

The TIP that Louie Campagna provided works for our school. We have the so-called Magic Triangle with the .local domain. We used to have 10.6.7 working with the mdns_timeout value increased from 2 to 5 seconds as Apple suggested. After upgraded to 10.6.8, we started having problem logging in. It took more than 3 minutes to log into the computer. When I was working on the computer, anything required password such as network folder access or software update took about 2 minutes to get through. So now after trying Louie's tips, all these are gone and the login takes less than 20 seconds.

If you've tried this

Reader confirms that disabling multicast fixes Lion AD issue

Tuesday, January 24, 2012

Keith Adams confirmed at tip that suggests you can fix Lion problems with .local Active Directory domains by disabling DNS multicast:

Our issue was resolved by disabling MultiDNS broadcast. This tip worked like a champ for us! I had been struggling with the issue since 10.7 came out. Now this fix has resolved the issue of not being able to login as network users on 10.7 machines. We could always bind but not use network accounts. THANKS!!! We were running 10.7.2 on workstations and WS 2008 r2 on the DC. One odd thing was that when I did an upgrade install from snow leopard to Lion when it first came out everything worked fine for existing network accounts but new accounts could not be added.

If you've tried this

Related: Lion and File Sharing Tips and Reports

Reader says Lion 10.7.2 didn't fix Active Directory issue

Friday, October 21, 2011

Although the recent Mac OS X 10.7.2 update was supposed to fix Active Directory issues, Glen Moon reports otherwise:

The Lion 10.7.2 update did not fix a "network unavailable" Active Directory issue for our team.

(Previously, a reader shared a workaround for a Lion Active Directory problem that showed that network login is unavailable.)

Please whether or not the 10.7.2 update fix your Active Directory problems.

Lion Active Directory problems persist after 10.7.2 update

Monday, October 24, 2011

Kyle Torkelson is another reader seeing Active Directory problems with Lion after updating to version 10.7.2, despite Apple's statements that Active Directory integration was improved in this build:

I can confirm as well for our organization that 10.7.2 did not fix our AD logins. I can bind and I get the green dot telling me the server is available but once we logout, we get either a red "network users not available" or amber "some network accounts are available" on the login screen. I've tried the suggested workaround but none have worked, even tried not rebooting but still no luck.

Either way, we still cannot login using AD users/passwords with a domain running Windows Server 2008 R2 and the schema raised to Windows Server 2008 R2.

If you're using Lion 10.7.2 and Active Directory whether the update helps.

More reports 10.7.2 not fixing Active Directory issues; "Network accounts unavailable"

Monday, October 31, 2011

We have a couple of more reports from readers who still can't get Active Directory binding to work, even with the Lion 10.7.2 update. Eric Zane reports:

It did not fix our issue either. A Snow Leopard machine with the same user credentials and AD Win 2008 server works, but that same user's credentials on 10.7.2 Lion new computer does not allow logins to complete so shares cannot be added.

Rajiv Lakhani in London gets an error "network accounts unavailable":

We are experiencing the same issue, after updating to 10.7.2. from a fresh install of Lion, it will bind, eventually. It will let a user login once, but after a reboot the network accounts are unavailable.

Sometimes it says Sorry cannot login user X at this time. Even when it does work the delay to login is so great (at least 5 minutes) that its pretty much a no go anyway. We are also having binding issues to Lion Server and Snow Leopard Server and Lion Server.

Reader says Lion 10.7.2 update to Lion broke AD connectivity - network accounts unavailable

Monday, November 7, 2011

Before updating her organization's Macs to Lion Amy Theisen had no problem with Macs connecting to Active Directory. With Mac OS X 10.7.0, minor problems began to appear. But after updating to Lion 10.7.2, Active Directory connectivity is gone:

Actually, we were fairly successful at integrating our Mac's until 10.7.2. Up until 10.7 things were fine. Machine's joined AD easily. Then with 10.7 we immediately started seeing issues with intermittent network unavailability at the login screen (network accounts unavailable -- red dot). It would sometimes take a few tries to get the machine (that was already joined to the domain) to create the Mobile account. With fresh installs of 10.7.2 we have been unable to get the machine to log in to the domain or create a Mobile, Managed account, at all. Sometimes a machine that had joined the domain would later show that domain as unavailable for an unknown reason.

My personal workstation was joined to the domain prior to its upgrade to 10.7 and then 10.7.2 so it still works, as my account was already there.

Currently we have given up on AD integration. We predominantly have laptop users who travel frequently and cannot tolerate inconsistent machine log ins. (Some people can't even log in to their machine).

We have looked at the logs on the Mac and in AD and so far have not found a smoking gun.

If you've seen these problems

TIP: Workaround for Lion in AD "network accounts unavailable" problem, Boot Camp complication

Thursday, December 15, 2011

Brent Hendricks send in a workaround in response to readers who've reported "Network accounts are unavailable" errors (here and here) with Lion and Active Directory. He notes that if you Windows installed with Boot Camp, the fix gets undone:

If you are having an issue with the "Network accounts are unavailable" message at the login screen, verify the DNS settings are correct, try restarting. The message appears to go away on subsequent reboots. This works until booting into Boot Camp, then you have to repeat the step above.

The workaround seems to be adding the domain controller to the host files.

I am not sure why this is an issue, and why after a simple reboot the problem goes away into booting into Boot Camp. Though if slamming it into the /etc/hosts fixes it, more then likely it is a bug in 10.7 DNS.

If you've tried this

TIP: Configuring settings for Lion and Active Directory

Monday, October 31, 2011

Gabor Hollai in Budapest sent us a step-by-step on how he got Lion 10.7.1 and 10.7.2 to work with Active Directory:

In Hungary we also had fought to OS X 10.7 and AD network users. One site is working fine with the network user login from 10.7.1. Another site we needed the 10.7.2 upgrade. See below how we do it both locations.

  1. Check the Name of computer in Sharing and in "System Preferences -> Network settings -> Advanced -> WINS" The Computer Name needs to be same.
  2. Add manually in "System preferences - Network settings - Advanced - DNS" the Search-Domain even if it's greyed out. Also check the first DNS server is Windows 2008 server.
    Remember: we needed to upgrade the primary DC to Windows 2008 r2, the secondary is still Windows 2000......Read entire story here

Tip: For Lion/AD, log in local account then Fast User Switching

Monday, October 31, 2011

Tom Auchter sent us another suggestion for getting around Lion problems with Active Directory:

The 10.7.2 update didn't fix Active Directory integration for us either (although perhaps it is slightly "improved"). The best workaround we have is to create a local account on each machine and have Fast User Switching enabled. When logging in using the AD account fails, we log in using the local account and then switch to the AD account. This seems to work most of the time. We sometimes have issues logging in again after the screen is locked, in which case we switch back to the local user and do the same steps. There are still other issues where connectivity to the domain seems to be lost occasionally, so hopefully the next patch will actually fix things.

If you've tried this approach .

For more suggestions, see Lion and Active Directory Tips and Reports.

Reader can't log in with local account with Lion 10.7.2

Wednesday, November 2, 2011

Unlike some readers, Al Pawlowski can log into an Active Directory account with Mac OS X 10.7.2, but he can no longer log into the Mac's local account without restarting:

I am seeing something like a reverse of what most others are reporting. After the last big Mac OS X update, early last week, I think I am losing the ability to logon with my local account.

What happens is that my Mac will (apparently) try to authenticate my local password via AD first, leading to the invalid password shake. My local account is the same short name as one of my AD accounts. On all earlier systems, I saw the opposite with the local authentication being done first so that I was OK if I never logged on to my Mac with the AD account.

I "fix" this by just restarting my Mac. At the logon prompt, it will (for awhile anyway) that network accounts are unavailable and I can logon, if I do not wait too long. My Mac is set to automatically (by power schedule) turn on about 1/2 hour before I get in to work and shut down over the weekend. The last two Mondays I have had to do the shutdown trick.

If the Mac is set to show a list of users in the logon screen, it will show a big string (left to right) of our whole AD account listing - I stopped scrolling and looking after about 50 so not sure if it really would include our 30K+ accounts.

If you've seen this problem .

Another reader can't log in with local account with Lion 10.7.2

Tuesday, December 27, 2011

Danny Caccavo confirmed a problem in our previous report "Reader can't log in with local account with Lion 10.7.2":

At least four times I've not been able to log in to my local account - there was no AD account with the same name, for what it's worth. I believe it's AD 2003. This is with Mac OS X 10.7.2.

If you've seen this problem

More on Lion's local account login issue with AD

Thursday, December 29, 2011

Leon Lincoln responded to Tuesday's report "Another reader can't log in with local account with Lion 10.7.2":

We have also experienced the issue of not being able to login with any account on a Lion 10.7.2 system. So far it has only happened on two systems, both which are bound to Active Directory. The only way to correct this issue has been to reformat the system and install the OS once again. As this is not a wide spread issue, we are keeping an eye on it as it concerns me why the authentication system can be fubarred.

If you've seen this problem (fubar or not)

Lion's local account login problem not tied to AD

Tuesday, January 3, 2012

Samuel Litt reported that the problem of not being able to log in using a local account to a Mac running Lion is not limited to Macs in Active Directory environments:

I've seen this issue manifest independently of systems bound to AD and OD. At login, user accounts will no longer be displayed in the list of users mode or recognized via name and password input mode. Interestingly enough, user accounts are displayed correctly within the Apple Password Reset Utility while launched via the Terminal (resetpassword) from the Recovery partition. However, a password reset provides no meaningful relief, nor does repairing permissions, resetting user directory ACLs, or repairing the volume via Mac OS X's Disk Utility application.

Reinstalling Mac OS X v10.7.x will resolve the issue without and erase consistently for at least one login. Then the issue will manifest annoying... yet again. Ultimately, a clean install on another partition, and a migration of the user account(s) via the Migration Utility resolved the issue for me, and from all appearances with permanence. From my observations Mac OS X looses perception/communication with its local Open Directory database -- referred to as a domain -- that stores information about local user accounts. I haven't found a consistent meaningful fix other than the aforementioned, although, I have stumbled across an article and discussion that appears to resonate synergizing content.

By the way, the root stuff mentioned at this Apple Discussion thread did not work for me.

If you've seen this issue

More on Lion 10.7.2 not letting user log in with local account

Tuesday, April 10, 2012

Another reader wrote to report not being able to login to Lion 10.7.2 with a local account:

We are having the same problem, can't login in the morning when the (local) user on Mac OS X has logged off in the afternoon.The network users (mac) still can logon.The network users windows can't login either.If you found a solution already, I would be very, very happy to hear it from you.

So far, no one using 10.7.3 has reported the problem to us, so it's possible the new version of Lion fixed it. If you've seen this issue, or believed the 10.7.3 update fixed it,

Reader says Lion 10.7.2 doesn't give option to logon to AD domain

Wednesday, November 2, 2011

Premjith is another reader who found that the Lion 10.7.2 did not fix problems logging into an Active Directory domain:

I have an issue with login using the AD credentials. I use Mac OS X Lion 10.7.2 on a MacBook Pro. Explained below what I have done:

  1. System Preferences - >Users & Groups -> Login options -> Network Account server.
  2. Join, entered server name, admin user and password.
  3. Open Directory Utility -> Active Directory
  4. Enter domain and computer ID
  5. Select Create Mobile Account at Login
  6. Restart the machine.

After restart the login does not prompt the AD user name and password. That is, it does not give the option to login to domain. However I am able to login to the local account and use.

If you've seen this problem .

Another report that Lion 10.7.2 doesn't give option to logon to Active Directory

Monday, December 5, 2011

Brian Wright responded to the report "Reader says Lion 10.7.2 doesn't give option to logon to AD domain:"

I am a systems administrator trying to incorporate our first Mac into an AD environment. I have the exact same issue as Premjith. The Mac is successfully added to the AD domain and I can verify that a computer account exists. However, I am not prompted for the AD username and password. I am only given the option for the local account that I first created or a guest account.

If you've seen this problem

TIP: How to log onto Active Directory with Lion 10.7.2

Thursday, December 15, 2011

Two readers responded to "Lion 10.7.2 doesn't give option to logon to AD domain" by describing how Mac OS X Lion does it differently than before. Jack Stoller offered this:

I had this problem, and discovered quite by accident that in Lion, under Users and Groups (formerly Accounts) > Login Items, there is now a check box: Allow network users to log in at login window. There is an Options button associated with this that lets you limit which network users can log in. If this box is not checked, the OTHER icon will not appear, or if you have the login screen set to require both name and password, network accounts will not be accepted. I hope this solves a problem for some other posters.

Brent Hendricks had a similar note:

In response to Brian Wright, on the two Macs that I have installed OS X Lion on, and added to my AD Domain, you must make sure the ALLOW Network Users to login at login window is selected. I also use the Display login window as: Name and Password., and not list of users.

If this works for you

Reader says magic triangle AD connection lost after rebooting Lion Server

Monday, November 7, 2011

Ben Cooper is having problems using Mac OS X to integrate Macs into Active Directory using Lion Server in Apple's "Magic Triangle" configuration, in which the Mac server is bound to both Active Directory and to Mac clients using Open Directory. He reports:

I have run into some real issues with implementing the Magic Triangle. Binding to Active Directory and using it is not a problem, setting up Open Directory on its own is not a problem. However, when I get it configured it works until I reboot the Mac server, when, voila, the Mac server only intermittently can recognize AD. For the majority of the time it won't recognize AD. I have argued (in a nice manner) with Apple's Enterprise support that I believe there is a bug with their OS software. I have the latest updates, I have made sure that the clocks are in-sync with the Mac server and AD, DNS resolves correctly (Apple's support even confirmed this), etc. I have also seen on our site that other users are having the same problem.

If you've seen this problem

TIP: Workaround where Lion 10.7.2 can't log back into AD

Friday, November 18, 2011

Thomas Brown in Australia shared a workaround to a the problem where Lion can initially bind to Active Directory, but cannot login after having logged out:

We thought you might like to know that we are having the same problem as below, with 10.7.2 we get the green dot but as soon as we logout we get the red or amber circle. Our setup is a magic triangle with domain server as Windows 2008 r2, schema is only Windows 2003. I don't know what work arounds he tried so he might have done this one.

We "fixed" this problem by putting in an IP address of the closet domain controller in 'Prefer this domain server' instead of a hostname which works fine for 10.5 and 10.6 clients.

If you've tried this workaround

Not so fast -- Lion AD green dot/red dot problem only half fixed

Monday, November 21, 2011

Thomas Brown followed up his report from Friday about Lion and Active Directory to say that his fix turned out to be a half-fix, and offered some further help:

[The fix] did solve the problem with the green dot/red dot, but after further testing, it went to a green dot/yellow dot problem instead. We could logon with mobile accounts 50 percent of the time in less than a minute but the other 50 percent of the time it took much longer (always showed the yellow dot when this happened).

We eventually had to try something else instead by removing the '.../ALL Domains' entry in the search path and putting in our specific domain; this solution we found on another forum, and then the IP address did not matter any more under the preferred entry.

If you've seen this issue

TIP: Fix for Lion ignoring AD computer lists

Monday, November 28, 2011

A reader in our forums posted a fix for a problem with Mac clients bound to a schema-extended Windows-based Active Directory. While Snow Leopard clients can be managed using computer lists, Macs with Lion ignore these settings. The fix is this:

We have edited the Active Directory template, specifically removing the "Search Base" key and immediately our 10.7 machines are able to see/process computer lists without any issues.

Problem is each revision update restores the template. Thus, I had to create a daemon that checks for the existence of this key and if present, runs a script to fix it.

You can read the entire thread here. If you've tried this fix, please post a reply in the forum or .

Lion AD authentication issues with .local

Monday, December 5, 2011

Justin Kwasnik reported authentication problems with Lion clients on a multi-domain Active Directory network:

I have noticed a lot of issues containing auth issues when you have more then one domain in the forest. After fixing the search paths, it does help. Although if you're on a Windows domain that is using a .local it appears to have more timing out issues.

We have previously posted a workaround (TIP: Another workaround for Lion "unable to connect to server" error) that may address Kwasnik's issue.

If you've seen these kinds of problems

TIP: Apple workaround for Lion client, SL Server magic triangle config with SL Server

Thursday, December 15, 2011

Apple recently posted a tech note containing a workaround to a problem with Lion clients trying to bind to domain. Specifically, Lion can't bind to an Open Directory domain host on Snow Leopard Server (Mac OS X 10.6 Server) that is bound to Active Directory in the magic triangle configuration. Apple describes the problem:


A Mac OS X v10.7 Lion client may be unable to connect to a Mac OS X v10.6 Open Directory Server. This can happen if Lion uses Authenticated Binding to a Mac OS X v10.6 Open Directory Server that is also bound to Active Directory by means of a magic triangle.

Apple's fix is to use Terminal to run a pair of shell commands on the Snow Leopard Server Open Directory Master Server and Replicas. Apple says:

Note: These commands will turn off GSSAPI authentication for the LDAP Server on the Mac OS X v10.6 Open Directory Master Server and Replicas. The servers will then use CRAM-MD5 authentication.

sudo rm /usr/lib/sasl2/openldap/
sudo rm /usr/lib/sasl2/openldap/

Restart the server after making this change.

If you want to restore the original settings, execute these commands:

cd /usr/lib/sasl2/openldap
sudo ln -s ../
sudo ln -s ../

Restart the server after making this change.

If you've tried this workaround

Lion and Active Directory: is firmware a factor?

Friday, December 23, 2011

Chris Blackstone's Macs running Lion have problems with Active Directory. His Macs all are running the same image of Lion and the same Ethernet controller. The only difference was firmware. He postulates that perhaps a firmware update would provide a fix:

My company has been having problems with certain Lion machines connecting successfully to our Active Directory domain. The challenge for us was some machines would work, some wouldn't. The ones that did work were newer iMacs and MacBook Pros, the ones that didn't were older iMacs, all running the exact same system image. When I started investigating what could be causing the problems I noticed that, even though all the machines used the same Ethernet Controller, the newer machines had a newer firmware version. The Ethernet Controller is a Broadcom 5764-B0: The Older iMacs use 3.35 firmware; the newer Macs that work use 3.38. I wonder if the current problems with Lion and Active Directory could be remedied by a firmware upgrade for the older iMacs. It's an interesting angle that I hope Apple can investigate.

What do you think of this theory?

Lion 10.7.3 update focuses on Active Directory, file sharing bugs

Thursday, February 2, 2012

Apple released Mac OS X 10.7.3, an update that fixes a number of bugs that been plaguing MacWindows readers since Lion's release, including several Active Directory and file sharing problems. In fact, yesterday's update appears to be focused on these areas.

Apple says the update fixes Active Directory problems for .local domains, including slow Active Directory binding and other binding problems. Last November, Apple recommended using IPv6 records in a DNS server as a workaround. Other readers reported that turning off DNS multicast was an effective workaround......Read entire story here

Reader says Mac 10.7.3 fixes AD .local binding

Monday, February 6, 2012

A reader in our forums posted a note saying that the Mac OS X 10.7.3 update fixed problems binding to Active Directory in a .local domain:

I did give it a shot yesterday night in my test lab. At my great surprise, looks like it is fixed! Could bind the Mac in like 20 seconds. Reboot and try to log on the AD Domain. But it's not like on a Windows machine.

I still have to wait like 20-30 seconds before the red dot disappear. But it's much better than before.

If you've applied the 10.7.3 update

TIP: AD smart card login with Centrify and Lion 10.7.3

Monday, February 6, 2012

Centrify posted a workaround to an issue with last weeks Mac OS X 10.7.3 update and Centrify's smart card Active Directory support. Apple stripped smart card support out of Mac OS X with Lion. Centrify's DirectControl product included smart card login support, but with Lion, there was a problem with the OS prompting for the smart card PIN. With the Lion 10.7.3 update, the issue is partially resolved, but Centrify says there's a trick to getting it to work. You can read Centrify's article about it here.

Other MacWindows Departments

| Product Solutions | Reports and Tips | News Archives | Site Map |
MacWindows Home |

| Top of Page |

This site created and maintained by
Copyright 2012 John Rizzo. All rights reserved.