Mobile user can't log in

dpodblood

Diamond Member
May 20, 2010
4,020
1
81
Hey Guys,

I recently started a job as a sysadmin for a medium-sized company. We are running a Windows 2008 domain with a mix of PC and Mac client machines. I recently set up a MacBook Air for a traveling sales associate. While the user was on-site I had him log into his account and in the domain preferences I checked off "create mobile account at login." My assumption (because it has worked in the past) was that when the user goes offsite his domain credentials will be cached on the machine and he will still be able to log in. Well, the user is now back on the road, and already his domain creds are not working, leaving him no way to log on or get access to his stuff. So 2 questions.

1) What could I have done wrong, and what must I do in the future to ensure that mobile users will be able to log in?

2) What can I do to fix this issue now that the user is on the road and I have no access to his computer?

Oh and this particular machine is on Mac OS Lion.

Thanks.
 

dpodblood

Found a solution and documented it in case anyone runs into the same issue:

How to Log In a Remote Domain User Without a Mobile Account

If you have a user working remotely from their MacBook who does not yet have a “mobile account” created on the machine, it is still possible to have that user log in. This will require some sort of local/admin user account for the user to log in with, as well as a VPN connection to the domain.

With the user logged in using a local admin account go to:

1) Apple menu > System Preferences > Network.
2) Unlock the screen with the lock icon in order to make changes.
3) Select the VPN account and click “advanced.”
4) Uncheck the options for “disconnect when switching user accounts” and “disconnect when user logs out.”
5) Make sure “send all traffic over VPN connection” is selected.
6) Click OK and close System Preferences.

Now connect the VPN using the user’s domain credentials. You can do this either through System Preferences or, if the option was selected, through the icon on the menu bar. Once the VPN is successfully connected, either log off, or go to the logon window by using the user menu located in the upper right hand side of the screen.

Now at the login window the VPN should remain connected. Have the user log in using their domain credentials. This may take longer than usual, but should be successful.

Now with the user logged in go to:

1) Apple menu > System Preferences > Users & Groups.
2) Unlock the screen with the lock icon in order to make changes.
3) Next to mobile account click “create.”
4) At the following screen leave the defaults and click create.
5) Once more click “create” to confirm.

The user will now be able to log on even when disconnected from the network or the VPN. As your last step you should re-check the options for “disconnect when switching user accounts” and “disconnect when user logs out” in network settings.

Note: An option in the Active Directory advanced settings does allow a mobile account to be created automatically upon logon; however, this option does not always work, and so it should not be relied upon.
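
A way to confirm the procedure above actually produced a cached account before the laptop leaves the office, as an added example that is not part of the original post. It assumes a mobile account shows a `;LocalCachedUser;` entry in the `AuthenticationAuthority` attribute of the Mac's local directory node; the script name and all sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a mobile (cached) account
# exists on the Mac before the laptop leaves the office network.

# Constructed samples of `dscl . -read /Users/<name> AuthenticationAuthority`
# output. The domain, user name and GUID are made up.
SAMPLE_MOBILE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512> ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:jsmith:00000000-0000-0000-0000-000000000000'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512>'
SAMPLE_NETWORK_ONLY=''

# classify_account: read dscl output on stdin and print one of
#   mobile           cached domain account, offline login works
#   local            ordinary local account
#   no-local-record  domain user who has never been cached on this Mac
classify_account() {
    auth=$(cat)
    case "$auth" in
        # Check LocalCachedUser first: a mobile account can also carry a
        # ShadowHash entry holding the cached password.
        *";LocalCachedUser;"*) echo "mobile" ;;
        *";ShadowHash;"*)      echo "local" ;;
        *)                     echo "no-local-record" ;;
    esac
}

# offline_login_ok: exit status 0 only when stdin describes a mobile account.
offline_login_ok() {
    [ "$(classify_account)" = "mobile" ]
}

# Run on the Mac itself (script name is hypothetical):
#   sh check_mobile_account.sh jsmith
if [ $# -gt 0 ]; then
    # Query only the local node "."; a domain user with no cached account
    # has no record there, so dscl fails and prints nothing on stdout.
    state=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null | classify_account)
    echo "$1: $state"
    if [ "$state" != "mobile" ]; then
        echo "$1 has no cached credentials; offline login will fail" >&2
        exit 1
    fi
fi
```

A non-zero exit means the user should not go off-site yet: create the mobile account first, then run the check again.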
 

TheStu

Moderator, Mobile Devices & Gadgets
Sep 15, 2004
12,089
45
91
Glad you got it worked out, and thanks for actually posting the answer instead of just deleting the original post and saying 'n/m got it!'.
 

dpodblood

I know what it feels like to Google something and not come up with an answer. Hopefully this will help someone somewhere down the road. :p