
guzhogi

macrumors 68040
Original poster
Aug 31, 2003
Wherever my feet take me…
Hi everyone. I work IT in a school district that mainly uses Apple devices and Open Directory for accounts. I don't really deal with the OD side of things that much, so forgive my ignorance. I'm curious, if we go to Active Directory (probably using Amazon Web Services), could users log into their AD accounts, even if they're not connected to a network? I think yes, if we set up mobile accounts, but a coworker says nope.

I ask because we use a bunch of different services, not all of which can use OD, but can use AD. It would significantly help with keeping passwords consistent. Thanks!
 

chrfr

macrumors G5
Jul 11, 2009
If a user has previously logged into the computer and thus the computer has a cached version of that account, then yes, they'll be able to log in. A new user will not be able to log in while the computer is off the network.
 

hobowankenobi

macrumors 68020
Aug 27, 2015
on the land line mr. smith.
Yes. As stated above, the key is to log in once while on the network, once the machine is bound to AD. Then the account is created locally and the credentials are cached locally, so no network connectivity is required for subsequent logins... for that account.

This assumes that when the Mac is bound to AD, the box is checked:

Create mobile account at login

More info on options.
 
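To check the two conditions hobowankenobi describes (the "Create mobile account at login" option is enabled on the binding, and the user's record is a locally cached mobile account), here is an added audit script that is not from the thread. It parses constructed sample output in the format produced by `dsconfigad -show` and `dscl . -read /Users/<name>` on macOS, so it runs offline; on a real Mac you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example, not part of the thread. Audits whether a Mac bound to AD
# will let a given user log in while off the network: the binding must create
# mobile accounts, and the user's local record must be a cached AD account.

# Constructed sample of `dsconfigad -show` output (format as seen on macOS).
SAMPLE_DSCONFIGAD='Active Directory Forest          = example.edu
Active Directory Domain          = ad.example.edu
Computer Account                 = lab-mac-01$

Advanced Options - User Experience
  Create mobile account at login  = Enabled
  Require confirmation            = Disabled
  Force home to startup disk      = Enabled'

# Constructed sample of `dscl . -read /Users/jdoe` for a cached mobile account.
SAMPLE_DSCL_MOBILE='AppleMetaNodeLocation: /Local/Default
OriginalNodeName: /Active Directory/AD/ad.example.edu
OriginalAuthenticationAuthority: ;Kerberosv5;;jdoe@AD.EXAMPLE.EDU;AD.EXAMPLE.EDU;
AuthenticationAuthority: ;LocalCachedUser;/Active Directory/AD/ad.example.edu;jdoe;00000000-0000-0000-0000-000000000000 ;Kerberosv5;;jdoe@AD.EXAMPLE.EDU;AD.EXAMPLE.EDU;
RecordName: jdoe'

# Constructed sample of a plain local account (no AD linkage at all).
SAMPLE_DSCL_LOCAL='AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;local@LKDC:SHA1.0000;LKDC:SHA1.0000;
RecordName: local'

# 0 if the binding is configured to create mobile accounts at login.
mobile_accounts_enabled() {
  printf '%s\n' "$1" | grep -q 'Create mobile account at login *= *Enabled'
}

# 0 if the record is a mobile account whose credentials are cached locally,
# i.e. the user can log in without reaching a domain controller.
is_cached_mobile_account() {
  printf '%s\n' "$1" | grep -q '^OriginalNodeName: /Active Directory/' &&
    printf '%s\n' "$1" | grep -q '^AuthenticationAuthority: .*;LocalCachedUser;'
}

# Human-readable verdict combining both checks.
offline_login_verdict() {
  if ! mobile_accounts_enabled "$1"; then
    echo "binding does not create mobile accounts: offline login will fail for everyone"
  elif is_cached_mobile_account "$2"; then
    echo "cached mobile account present: offline login possible for this user"
  else
    echo "no cached account yet: user must log in once on the network first"
  fi
}
```

On a Mac, `offline_login_verdict "$(dsconfigad -show)" "$(dscl . -read /Users/jdoe)"` gives the live verdict for user jdoe.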

TriBruin

macrumors 6502
Jul 28, 2008
Give serious thought to whether binding to AD is REALLY necessary. For most companies, the primary (or only) reason to bind to AD is to allow users to access network resources (and keep their user accounts/passwords the same). Apple has introduced an alternate solution called Enterprise Connect (from Apple), or there is a 3rd-party alternative called NoMAD. Effectively you create a local user, and EC or NoMAD links the local account to an AD account. The advantage is that both EC and NoMAD avoid having to create mobile accounts (which have their own problems) while keeping the passwords between the user account and AD account in sync. Here is a link that gives an overview of EC, NoMAD, and direct binding to AD.

(There is a cool companion to NoMAD called NoLOAD. It replaces the standard Mac login screen with a custom screen. At the custom login screen, a first-time user can log in with their AD account and password, and NoLOAD will create a local, not mobile, account for the user. The account is NOT linked to the AD account; that would be handled by NoMAD. But the next version of NoMAD is supposed to create the NoMAD keychain entry from NoLOAD automatically.)
 

satcomer

Suspended
Feb 19, 2008
The Finger Lakes Region

You should put a strong VPN network server program into one central network! Then from the machine, VPN to that server set up at school! The home client can then log onto the network and do what he/she does without coming into work, and be secure doing it if you set up good security on the server!
 

hobowankenobi

macrumors 68020
Aug 27, 2015
on the land line mr. smith.
Yep. Rolling out NoMAD at work, and so far it has been good. One machine had weirdness with updating the keychain, but it may have been something else going on. Outside of that one machine, every other machine (all previously bound to AD) has gone well.
 