Is it possible to force unbind a Mac from Open Directory using the command line? I have seen it for AD using dsconfigad but not for OD.

This scenario occurs when you sign in with a personal Microsoft Account and then add a Work or School (Office 365) organisational account. My aim is to remove a Work or School account from the PC so that a different Work or School account can be used. To reproduce this you should be signing in with a personal Microsoft Account, and the PC should not be on a domain.

Steps to repro:
1. Create a login on the PC using your personal Microsoft Account.
2. Open Settings > Accounts > Access work or school.
3. Click 'Connect'.
4. Enter the details for your Work or School organisational account (NOT another personal MSA).

This will then pull down the policy etc. and link the account to Windows. It seems to work fine, but if you then want to remove the account it is impossible:
1. Open Settings > Accounts > Access work or school.
2. Click on the organisational account you added previously.
3. Click on 'Disconnect'.
4. A prompt will appear asking if you are sure.
5. A further prompt will appear asking you to disconnect from the organisation.
6. Click Disconnect.
7. A yellow error message says 'This PC isn't joined to a domain'.

This does not appear to be the correct behaviour: it should be possible to remove the account here. The message is technically correct, the device is not on a domain, but this should not stop the account being removed. What I am trying to do is disconnect one account and add a different one.
Adding two Work or School accounts does not seem to work, so removing the old one first is the only option, but this is impossible due to the above-mentioned error. Anybody know how to get around this without wiping the whole device?

I found a solution for this; it worked for me on multiple devices and accounts. I thought of removing the account from the Microsoft account and switching to local to see if that would make a difference. At first I thought this would disrupt the account and break things, but on a test PC I performed it as a test and it worked. Before continuing, make sure the account in question is an Administrator.

Steps:
- Settings, Accounts
- Select 'Sign in with a local account instead' and follow the steps
- Then log on, go back to Accounts, and go to Access work or school
- Retry the remove and it will work
- Last step, go back and change the logon to be with the Microsoft Account instead of the local account

Hi Daniel Harris,
What is the exact system version you are using (run 'winver' to check)? Did the issue only occur with the specific machine? Have you installed any tool related to Azure AD such as the 'Azure Active Directory Sync Tool'? I have tested on a Windows 10 (build 15063.413) Enterprise machine and I am able to disconnect the 'Work' account correctly. I didn't get any notification. Please update the machine to the latest version, then check the symptom again. If the issue occurs with all the machines, I suspect it may be related to the Azure AD policy that has been applied to the machine. You may try to ask for help from our Azure AD support.
Regards

I have the exact same issue; it's on one machine. I'm on 10.15063.540. In my case the O365 account has been moved to another platform (Outlook Premium) and as such the Azure AD users no longer exist, which is the reason for cleaning it up from the respective PC. See picture below. For users on the same machine who don't have admin rights, the Disconnect button is just greyed out; making them admin doesn't help. For one other (admin) user on the same device, the remove worked OK, so it seems user specific. One drastic measure could be to remove and reconfigure the users, but that seems rather drastic; hoping to find another way to clean this up.
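Before trying the local-account workaround it helps to know what kind of join the device and the signed-in user actually have, because "Access work or school" normally creates a per-user Azure AD registration (reported by dsregcmd as WorkplaceJoined) rather than a device join, which is why the removal in this thread behaves differently per user. The following PowerShell is an added example, not code from the thread or from Microsoft. It parses the output of the built-in dsregcmd.exe /status command into a hashtable and classifies the state; the function names and the sample status lines are constructed for illustration, and the sample is what lets it run offline.

```powershell
# Added example (not from the thread): classify a Windows 10 device/user join state
# from the output of the built-in "dsregcmd /status" command.
function Get-JoinState {
    param(
        # Defaults to the live command; pass captured lines to run offline.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "      Name : YES" style lines; keep only the join flags.
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-JoinStateSummary {
    param([hashtable]$State)
    if ($State['DomainJoined'])    { return 'On-prem AD domain joined: leave the domain via System Properties or Remove-Computer, not Access work or school.' }
    if ($State['AzureAdJoined'])   { return 'Azure AD joined device: an administrator must disconnect it; "dsregcmd /leave" run as SYSTEM also removes the join.' }
    if ($State['WorkplaceJoined']) { return 'Azure AD registered (per-user work or school account): Disconnect in Settings applies to this user only.' }
    return 'No directory join found: nothing to disconnect for this user.'
}

# Constructed sample of the relevant dsregcmd /status lines for the scenario in the thread:
# a personal Microsoft account on a non-domain PC with a work or school account added.
$sample = @(
    '| Device State                                                         |',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '| User State                                                           |',
    '                    NgcSet : NO',
    '           WorkplaceJoined : YES'
)
$state = Get-JoinState -StatusLines $sample
Get-JoinStateSummary -State $state
```

Run it as the user whose account will not disconnect (dsregcmd reports the User State section for the calling user). If it reports the per-user registered state and Disconnect still fails, the switch-to-local-account procedure above is the path this thread found to work; if it reports an Azure AD joined device, the removal is a device-level operation and needs an administrator.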
You can also use the dscl or id commands to confirm that Mac OS X is bound to Active Directory. For example:

client17:~ cadmin$ dscl "/Active Directory/All Domains" -list /Users

A successful bind will display a list of users (not shown here).

client17:~ cadmin$ id -p aduser01
uid=(aduser01) gid=36262516(PRETENDCO\domain users)
groups=36262516(PRETENDCO\domain users),62(netaccounts),12(everyone),402(com.apple.sharepoint.group.1)

Binding After Imaging
If you use a standard image for Mac OS X, do not bind the model computer to Active Directory before making the master image that you will use to image multiple computers. All computers imaged from that master image would use the same computer object in Active Directory, which may cause problems. If you later remove the computer object, all of the Mac OS X computers will be unable to log in with Active Directory user accounts, and you will need to force an unbind and then rebind each computer to Active Directory.

Using DS Debug Error Logs
If the bind fails, enable directory service debug error logging (see "Troubleshooting Directory Services" in Chapter 1), try the bind again, and look for the phrase "Bind Step" in DirectoryService.debug.log. You can use the Console application, or at the command line, use the following command:

tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep 'Bind Step'

The following figure shows this command and the output associated with a successful bind to Active Directory.

Confirming DNS Service
The binding process is sensitive to DNS records, so make sure that you specify the Active Directory DNS service in the Network preference of System Preferences, and that port 53 (UDP and TCP, used for DNS requests and replies) to the DNS service is not blocked. If your Active Directory DNS is incorrectly configured, you may experience problems binding Mac OS X to Active Directory.

The Active Directory connector requires several DNS service (SRV) records in order to determine which hosts provide certain services on certain protocols. SRV records use the form _service._protocol.domain (for example _ldap._tcp.<domain>), and the requests are usually in lowercase text.

NOTE: There may be network monitoring processes that perceive the network traffic you generate to test access to the services as hostile, so coordinate with your network and Active Directory administrators before using these techniques.

Following are two examples of using telnet to connect to a port, and the replies from the service. The first connects to port 389 for the LDAP service, followed by port 88 for the Kerberos service.
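The DNS check described above can be done from the same shell the binding commands are typed into. The following script is an added example, not the book's own material: it lists the SRV names the Active Directory connector depends on (the LDAP, Kerberos and kpasswd records the text names, plus the standard _ldap._tcp.dc._msdcs record that identifies domain controllers), queries them with dig(1) when run live, and applies the SRV selection rule (lowest priority first, then highest weight) to the answers. The example.invalid hosts and the sample answer are constructed so the selection logic can be exercised offline; dig being installed is an assumption of the live check.

```sh
#!/bin/sh
# Added example (not from the book): check the SRV records the Active Directory
# connector needs and pick the host a client would use for each service.
# Assumes POSIX sh plus dig(1) for the live check; the parsing functions also
# work on captured "dig +short SRV" output, which the offline sample provides.

# SRV names the AD connector looks up for a given DNS domain.
ad_srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kerberos._udp.$domain" \
        "_kpasswd._tcp.$domain" \
        "_ldap._tcp.dc._msdcs.$domain"
}

# Reads "dig +short SRV" lines ("priority weight port target.") on stdin and prints
# the target to try first: lowest priority, then highest weight, as "host port".
# Returns 1 when there are no records, which is the case where the bind fails on DNS.
pick_srv_target() {
    sort -k1,1n -k2,2nr | awk '
        NR == 1 { sub(/\.$/, "", $4); print $4, $3; found = 1 }
        END     { exit found ? 0 : 1 }'
}

# Live check: query each record and report the chosen host, or flag a missing record.
check_ad_dns() {
    domain="$1"; rc=0
    for name in $(ad_srv_names "$domain"); do
        if target=$(dig +short SRV "$name" | pick_srv_target); then
            echo "ok      $name -> $target"
        else
            echo "MISSING $name"; rc=1
        fi
    done
    return $rc
}

# Constructed sample answer for _ldap._tcp.<domain>: two DCs at priority 0 with
# different weights and a priority-10 backup. A client should pick dc1 (0, weight 100).
sample_ldap_srv() {
    printf '%s\n' \
        "10 0 389 dc3.example.invalid." \
        "0 50 389 dc2.example.invalid." \
        "0 100 389 dc1.example.invalid."
}

# Usage (live):    check_ad_dns pretendco.com
# Usage (offline): sample_ldap_srv | pick_srv_target   -> "dc1.example.invalid 389"
```

A MISSING line for any of the _tcp records is enough to explain a failed bind before you reach for the debug log; the Kerberos _udp record is worth checking too, since a firewall that only passes TCP can leave the bind succeeding but logins failing.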
Here are the steps, in detail:
1. Mac OS X performs a request for the LDAP, Kerberos, and kpasswd DNS service records in the domain.

If the short name of the local user differs from the short name of the Active Directory user, change the name of the home folder. The following command changes the name of the home folder from "david (Deleted)" to the Active Directory user name "dcolville":

client17:~ cadmin$ sudo mv '/Users/david (Deleted)' /Users/dcolville

Change the ownership of the files in the preserved home folder so that the Active Directory user is the new owner. Open Terminal and issue the chown (change ownership) command, which takes the form:

chown options owner:group file

The option -R changes ownership recursively, so the command changes ownership for the entire home folder. The following chown command changes the owner and group associated with all the files in the home folder:

client17:~ cadmin$ sudo chown -R dcolville:'PRETENDCO\domain users' /Users/dcolville
Log out as the local administrator account, and then log in as the Active Directory account.

Updating Active Directory Indexing
As do other directories, Active Directory indexes the values of commonly requested attributes in order to increase the speed of operations. If your Active Directory implementation contains a large number of Mac OS X clients, your Mac OS X computers may request attributes that Active Directory does not index. Microsoft provides a downloadable Server Performance Advisor tool that lets you investigate whether there are any attribute queries that could be sped up by better indexing. Use this tool to determine if there are many requests for attributes that are not indexed, and then use Active Directory tools to add the unindexed attributes to the list of attributes to index.

NOTE: One change with the Active Directory connector in Mac OS X v10.6 is that it will not perform unnecessary queries for the macAddress attribute if that attribute is not part of the computer object class, which is likely the case unless you have extended your schema.

Forcing Replication
If the computer object is created in one site but hasn't been replicated to another, you may not be able to log in until the replication takes place. You can force replication to take place with standard Active Directory tools.