I can't access domain account

[SAFIYE]

Hola, tengo una Macbook M2 inscrita en Intune y con una cuenta de dominio agregada, pero ahora tengo que iniciar sesión en la cuenta de administrador local y luego cerrar sesión para poder acceder a la cuenta de dominio nuevamente. Revisé la cuenta del dominio, eliminé registros de la computadora en Intune, revisé la cuenta en la computadora y nada... ¿alguna idea de lo que podría estar pasando?

Menos

 

[Apple_Robert]

Translation for English readers: Hello, I have a Macbook M2 enrolled in Intune and with an added domain account, but now I have to log in to the local administrator account and then log out to be able to access the domain account again. I checked the domain account, deleted records from the computer in Intune, checked the account on the computer and nothing... any idea what might be going on?

 

[chown33]

Moderation Note

Per site rules, please post replies or discussion only in English.

 

[NT1440]

Is the domain account an On Premise (Active Directory) or an Azure Active Directory account?

If it’s Active Directory, you need line of sight to the domain controller, which is usually accomplished via VPN, for at least the first sign in.

 

[SAFIYE]

Is the domain account an On Premise (Active Directory) or an Azure Active Directory account?

If it’s Active Directory, you need line of sight to the domain controller, which is usually accomplished via VPN, for at least the first sign in.

Hello, it is an active directory account and indeed the first start was made by cable to the corporate network. but from one moment to the next the machine started with this problem. Apparently when starting with the local account it performs some validation that then allows me to access the domain account. Any idea what it could be?

 

[SAFIYE]

Moderation Note

Per site rules, please post replies or discussion only in English.

okay I understand

 

[NT1440]

Hello, it is an active directory account and indeed the first start was made by cable to the corporate network. but from one moment to the next the machine started with this problem. Apparently when starting with the local account it performs some validation that then allows me to access the domain account. Any idea what it could be?

This is a huge wide open question given how many different approaches there are for Intune/MDM management.

My guess is the local account is triggering a VPN that you’re unaware of, then once established that connection remains for the “switch user” task.

This is actually how I set up machines at home for deployment, but I’m manually enabling the VPN from the local account.

I’d strongly recommend reaching out to your SysAdmin to get a better understanding of the structure. I’m only speaking to my own experience and there is much, much more to consider so I wouldn’t be able to speak in anything other than assumptions.

 

[SAFIYE]

This is a huge wide open question given how many different approaches there are for Intune/MDM management.

My guess is the local account is triggering a VPN that you’re unaware of, then once established that connection remains for the “switch user” task.

This is actually how I set up machines at home for deployment, but I’m manually enabling the VPN from the local account.

I’d strongly recommend reaching out to your SysAdmin to get a better understanding of the structure. I’m only speaking to my own experience and there is much, much more to consider so I wouldn’t be able to speak in anything other than assumptions.

I thank you in advance for your response 🥰and in my case the only solution I found was to delete the domain account from the machine and create it again, since nothing I tried worked. even delete all machine logs in InTune. I am baffled because I have never experienced this problem in my company.

 

[SAFIYE]

This is a huge wide open question given how many different approaches there are for Intune/MDM management.

My guess is the local account is triggering a VPN that you’re unaware of, then once established that connection remains for the “switch user” task.

This is actually how I set up machines at home for deployment, but I’m manually enabling the VPN from the local account.

I’d strongly recommend reaching out to your SysAdmin to get a better understanding of the structure. I’m only speaking to my own experience and there is much, much more to consider so I wouldn’t be able to speak in anything other than assumptions.

In the hypothetical case of using Azure, it could be said that the network connection to Azure is definitely not being established when trying to start with the domain account. Please correct me if I'm wrong.

 

[NT1440]

I thank you in advance for your response 🥰and in my case the only solution I found was to delete the domain account from the machine and create it again, since nothing I tried worked. even delete all machine logs in InTune. I am baffled because I have never experienced this problem in my company.

Remember, Intune requires that you’re using Azure Active Directory. So if you’re trying to eliminate the machine from the entire environment simply deleting from Intune is not enough. The next time Azure AD syncs it will show up again.

Another factor, if the machine is domain bound with regular Active Directory you need to delete it there, force a sync on the Azure/Entra AD Connect service and then it will be removed from Intune.

That would in the case of a hybrid setup. Like I said, there’s a lot of moving parts with MDM management.

I’ve only just started experimenting with Intune for the few Macs we have, and I’ve decided to skip the onPrem domain join entirely as I’m trying to move my company to fully cloud based AD in order to simplify things (the only GPO policy I have in place is the MDM enrollment one).

 

[NT1440]

In the hypothetical case of using Azure, it could be said that the network connection to Azure is definitely not being established when trying to start with the domain account. Please correct me if I'm wrong.

I’m not very experienced with the Mac integrations for Azure (yet), but on the windows side (providing you’re not onPrem domain based), once the machine is Intune enrolled you can sign in for the first time by using the full M365 email address for the username. Only a regular internet connection is required. That’s assuming there are no conditional policies in place mandating an active VPN connection.

No idea of that works on a Mac though. I will know in a few weeks when I start trying it out 🤷‍♂️

 

[dmccloud]

I’m not very experienced with the Mac integrations for Azure (yet), but on the windows side (providing you’re not onPrem domain based), once the machine is Intune enrolled you can sign in for the first time by using the full M365 email address for the username. Only a regular internet connection is required. That’s assuming there are no conditional policies in place mandating an active VPN connection.

No idea of that works on a Mac though. I will know in a few weeks when I start trying it out 🤷‍♂️

Unless Microsoft was implementing completely different protocols on Mac as compared to Windows, that process should work regardless of the OS being used.

 

[Yebubbleman]

Are you direct binding to Active Directory? My strong advice is to not and to use something like NoMAD instead. Similarly, if you’re using Intune (and thusly having users that exist on either your Azure AD/Entra ID tenant or both your Azure AD/Entra tenant mixed with your Active Directory environment, you’ll want to use Jamf Connect to facilitate login. Direct binding to Active Directory does you nothing and I’m pretty sure it’s a security risk nowadays.

 

[SAFIYE]

¿Está vinculado directamente a Active Directory? Mi fuerte consejo es no hacerlo y utilizar algo como NoMAD en su lugar. De manera similar, si estás usando Intune (y por lo tanto tienes usuarios que existen en tu inquilino de Azure AD/Entra ID o en tu inquilino de Azure AD/Entra mezclado con tu entorno de Active Directory, querrás usar Jamf Connect para facilitar el inicio de sesión). El enlace directo a Active Directory no aporta nada y estoy bastante seguro de que hoy en día supone un riesgo para la seguridad.

Is correct one is linked directly using the MacOS directory utility. but in the end the solution I had was to delete the domain account on the macbook and create it again. I hope the incident does not happen again. Although it's asking too much, I know it will happen again until I know what the real cause is. I think there is a corrupted domain account service that is only enabled if I first log in to a local account that has no problems.

 

[Yebubbleman]

Is correct one is linked directly using the MacOS directory utility. but in the end the solution I had was to delete the domain account on the macbook and create it again. I hope the incident does not happen again. Although it's asking too much, I know it will happen again until I know what the real cause is. I think there is a corrupted domain account service that is only enabled if I first log in to a local account that has no problems.

Again, I'd STRONGLY advise against binding the Macs directly to Active Directory. It doesn't buy you much and it only brings headache. NoMAD and Jamf Connect functionally accomplish the same thing. Your certificates (which are really the only other difference) can be handled by Intune or any other MDM solution.

Binding to Active Directory never offered much, and it made more sense to bind a Mac to an Open Directory server (back when Mac OS X Server was more prominent) and then have the Open Directory server join Active Directory. Direct binding to Active Directory is just something Windows admins did to feel warm and fuzzy about managing their Macs in close-enough-to-similar of a fashion to managing their Windows fleet. Except...it never worked that way in practice.

 

[NT1440]

Again, I'd STRONGLY advise against binding the Macs directly to Active Directory. It doesn't buy you much and it only brings headache. NoMAD and Jamf Connect functionally accomplish the same thing. Your certificates (which are really the only other difference) can be handled by Intune or any other MDM solution.

Binding to Active Directory never offered much, and it made more sense to bind a Mac to an Open Directory server (back when Mac OS X Server was more prominent) and then have the Open Directory server join Active Directory. Direct binding to Active Directory is just something Windows admins did to feel warm and fuzzy about managing their Macs in close-enough-to-similar of a fashion to managing their Windows fleet. Except...it never worked that way in practice.

Yup. That’s why I’m avoiding it entirely when bringing our Mac users under management.

I worked at ESPN back in the day supporting the issues the Help Desk couldn’t. The amount of domain rejoining I had to do on the Mac’s was unreal, and functionally there was no need or reason for that domain join in the first place.

 

[SAFIYE]

Yup. That’s why I’m avoiding it entirely when bringing our Mac users under management.

I worked at ESPN back in the day supporting the issues the Help Desk couldn’t. The amount of domain rejoining I had to do on the Mac’s was unreal, and functionally there was no need or reason for that domain join in the first place.

You are right, I work in the technical support area of a bank in Chile and I am experiencing continuous cases of this type, unfortunately the bank does not want to invest in jmaf, which is what I proposed, and now they are evaluating buying Work space One from VMWAREA I just hope this situation improves because I can't be deleting and creating accounts every time this happens.

 

[SAFIYE]

Again, I'd STRONGLY advise against binding the Macs directly to Active Directory. It doesn't buy you much and it only brings headache. NoMAD and Jamf Connect functionally accomplish the same thing. Your certificates (which are really the only other difference) can be handled by Intune or any other MDM solution.

Binding to Active Directory never offered much, and it made more sense to bind a Mac to an Open Directory server (back when Mac OS X Server was more prominent) and then have the Open Directory server join Active Directory. Direct binding to Active Directory is just something Windows admins did to feel warm and fuzzy about managing their Macs in close-enough-to-similar of a fashion to managing their Windows fleet. Except...it never worked that way in practice.

I am just discovering the impact of working this way, directly using AD on Macs, it is a terrible experience, I have users who are affected by this problem every day.