Friday, August 12, 2011

"Network accounts are unavailable" when logging into OS X Lion

Update: 3/27/12

I essentially gave up with the Mac Mini waiting on an update that solves the problem, and apparently 10.7.3 completely flew under my radar. I had read 10.7.2 still had issues, but in 10.7.3 one of the primary bugs Apple says they fixed is authentication with directory services. I had to get my first new Mac in a while this past weekend and was going to back rev it to run Snow Leopard, which turns out to be a pain. If you're looking to do it, check this article. Essentially you need a second Mac running Lion in order to use Target Disk Mode to install Snow Leopard on the machine.

In the testing I did today after updating to 10.7.3, it appears that both mobile accounts and the network unavailable issue have been fixed. The network unavailable may still show up for a little bit, but it disappeared for me within a minute. Having mobile accounts working also makes it easier since after the first login the user won't need to wait for the network account availability to change.

Update: 8/19/11
Apple released 10.7.1 yesterday, so I'm curious to see if it resolves these issues with network accounts. I'll have a chance to test it next week and will update this with what I find. If you're reading this and already tried it please leave a comment as to whether or not it works for you

Original Post

If you use Active Directory user accounts with your Macs, you may run into this issue after upgrading or introducing OS X Lion. Hopefully Apple comes out with an update to fix it soon, but in the meantime there is a workaround. You can add a custom search path to the Authentication tab and that seems to work. Here's a walkthrough:

1. Open System Preferences
2. Go to User & Groups
3. Click Login Options in the lower left. You may have to authenticate first by clicking the lock icon in the lower left.
4. Under Network Account Server, click Edit
5. Select your domain, then click Open Directory Utility
6. At the top, select Search Policy
7. Under the Authentication tab you should see two paths: /Local/Default, and /Active Directory/YourDomain/All Domains, where YourDomain is a placeholder for the name of your domain name. Click the + to add another
8. You should see /Active Directory/YourDomain listed as an additional option. Select it and click Add
9. Move /Active Directory/YourDomain above /Active Directory/YourDomain/All Domains so it has a higher priority
10. Click Apply
11. Reboot and log in

Thanks to juiced2010 at for posting that the solution.


Joe Bell said...

Brilliant - saved me quite a bit of time, everything was exactly as listed in the steps and worked after adding the /Active Directory/YourDomain to the search path.

rslygh said...

Glad to hear it, and hopefully this article will not be needed soon. It all depends on Apple getting their 10.7.2 update out there for the general public, which supposedly has fixes for multiple issues in Lion with regards to Active Directory accounts.

Anonymous said...

You really are a STAR. I've had a "broken" Mac ever since I upgraded to Lion. You suggestion to add the new AD domain has fixed my mchine and I am now logged onto the AD domain

Anonymous said...

Thanks a lot !!! I can start enyoing my mac again after the upgrade to lion.


Anonymous said...

Problems at step 7, I dont even have a + sign there so I cant add.

Running 10.7.2, with admin privileges

Here's a screenshot

EchoKev said...

We just got a Mac mini with 7.0.2 installed and it has the same issues, and these changes don't seem to have an effect.

If you have any other ideas we would appreciate it.

rslygh said...

Anonymous, for your screenshot it appears as if the machine is not bound correctly to the Active Directory domain. That's why you don't see what is described in step #7. All you have is the local accounts mapped for authentication. I would suggest rejoining the computer to Active Directory and then looking again. When joined to AD properly, the authentication path will automatically be added there for you to see.

EchoKev, I don't have any other ideas at this time and haven't had much of an opportunity to research this further. However, I do know that a lot of people have said that 10.7.2 was not the fix-all solution they were hoping for. I may have a chance later in the week to do some more testing again, and will post the results of anything I find that may be interesting.

Tom said...

Hi rslygh,

I'm currently researching this issue because I have the same AD behavior with my macs here at the office. Unfortunately your solutions doesn't work for me either.

Somewhere I found the hint, that 7.0.3 is seeded already and that the issue seems to be resolved there... at least for some of the few lucky testers so far. ;-)

Thank you for your work and cheers


Bo said...

This helped me tremendously today.

Thanks a lot for the fix!

Dwayne Yuen said...

I am using Mountain Lion and under step 8 I do not see the additional option of /Active Directory/YourDomain. There are no additional options for me to select. Do you have any recommendations with how to proceed from here?


rslygh said...

I haven't touched Mountain Lion yet, but know that these steps are no longer needing as of Lion 10.7.3. If you're having problems in Mountain Lion I'm sorry, but the Apple support forums are probably your best bet.