Mac network accounts are unavailable – macOS Sierra, High Sierra

Applies to: macOS Sierra, macOS High Sierra, Active Directory 2008 R2 functional level and greater, Windows Security Baselines for Active Directory

Our environment currently consists of Mac computers that are bound to Active Directory. Recently we deployed some new Active Directory 2016 domain controllers within our environment. These domain controllers also have a Windows Security Baseline applied as a GPO for security purposes. Windows Security Baselines can be found here.

We immediately started to see issues with Mac computers related to the all-too-familiar “Network Accounts are Unavailable” error message at the login screen.


After extensive troubleshooting, we determined that the problem was with the Windows Security Baselines that were being applied to the domain controllers, and more specifically with this setting:

Domain controller: LDAP server signing requirements
Value = Require signing

Here is the link to the reference article for this security setting.

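By default, the macOS directory client does not sign and encrypt the LDAP connections that are used to communicate with Active Directory. The Open Directory client can sign and encrypt LDAP connections with the following configuration. The first command switches the Active Directory connection to SSL; the second adds the given certificate to the System keychain as trusted, which the SSL connection to the domain controllers depends on: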

dsconfigad -packetencrypt ssl


/usr/bin/security add-trusted-cert -d -p basic -k /Library/Keychains/System.keychain <path/to/certificate/file>

These commands are defined in the Packet signing and encryption section of the following Apple support article:

Hope this helps!
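To confirm on each Mac that the setting above actually took effect, the following audit script is an added example, not part of the original post or of Apple's documentation. It assumes `dsconfigad -show` prints `label = value` lines with the labels "Packet signing" and "Packet encryption"; the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a bound Mac's AD plug-in
# packet settings. Assumes `dsconfigad -show` prints "label = value" lines.

# Constructed sample of `dsconfigad -show` output, for offline runs.
SAMPLE_SHOW='Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Security
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# Print the lower-cased value of one setting; the output to parse is on stdin.
ad_setting() {
    awk -F'=' -v key="$1" '{
        k = $1; v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (tolower(k) == tolower(key)) { print tolower(v); exit }
    }'
}

# Exit status: 0 = packet encryption is "ssl" (the setting this post applies),
# 1 = some other value, 2 = setting not found (Mac probably not bound).
audit_ldap_transport() {
    show_output=$(cat)
    sign=$(printf '%s\n' "$show_output" | ad_setting "Packet signing")
    enc=$(printf '%s\n' "$show_output" | ad_setting "Packet encryption")
    if [ -z "$enc" ]; then
        echo "UNKNOWN: no 'Packet encryption' line; is this Mac bound to AD?"
        return 2
    fi
    echo "packet signing=${sign:-unset} packet encryption=$enc"
    [ "$enc" = "ssl" ] && return 0
    echo "FIX: dsconfigad -packetencrypt ssl, then trust the DC certificate"
    return 1
}

# Use the live configuration on a Mac, the constructed sample elsewhere.
if command -v dsconfigad >/dev/null 2>&1; then
    dsconfigad -show | audit_ldap_transport || echo "audit status: $?"
else
    printf '%s\n' "$SAMPLE_SHOW" | audit_ldap_transport || echo "audit status: $?"
fi
```

The distinct exit codes let a management tool separate Macs that still need the change from Macs that are not bound at all.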

About Parker Jardine

Manager of Systems Administration in the Information Technology Higher Education space. I enjoy biking, climbing, hockey, camping, mountaineering, hunting, paragliding, and just being outdoors. You can read my Make Magazine project articles about a diy solar panel and solar systems design in volumes 12 and 14.
This entry was posted in Active Directory, macOS, Security, Windows Security Baselines.

1 Response to Mac network accounts are unavailable – macOS Sierra, High Sierra

  1. Lipa says:

    If you have a RADIUS server, check RADIUS certificate trust. For us, it didn’t work, because macOS hadn’t trusted the RADIUS certificate.

