If you ever get the “Your Account is Locked” message in macOS with an AD user account, these steps solved the issue for me. You’ll need access to the admin account and the locked user’s account credentials.
- Log in as computer admin
- Rename the user’s profile so we can restore from it later
```bash
sudo mv /Users/username /Users/usernameX
```
- You may need to grant Terminal permissions for this. Navigate to System Preferences > Security & Privacy. Under the “Full Disk Access” settings you’ll check the box to allow Terminal.
- Delete the user account from System Preferences > Users & Groups
- Manually create a new mobile account for the user
```bash
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
```
- Ensure that the Directory Services Cache has the user account
```bash
sudo dscacheutil -q user -a name username
```
- Stop the trust account password from changing
```bash
sudo dsconfigad -passinterval 0
```
- Log in as the new user to create their mobile account
- Enter the username
- Enter the user’s password
- Remove the new user home directory
```bash
sudo mv /Users/username /Users/username_Del
```
- Restore the old user home directory
```bash
sudo mv /Users/usernameX /Users/username
```
- Restart the computer
You should now be able to log in as the Active Directory user.
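As an added example (not from the original post or the forum thread it credits), here is the same terminal procedure wrapped in a script with precondition checks: the username is validated so `mv` can never act outside `/Users`, an existing backup is never overwritten, and the Directory Services cache check actually gates the next step instead of being eyeballed. The two phase names and the `ds_cache_has_user` helper are my own; the paths and commands are the ones above.

```bash
#!/bin/bash
# Added example wrapping the steps of the post; macOS-only commands
# (createmobileaccount, dscacheutil, dsconfigad) run only via the dispatcher below.
set -eu

# Accept only a plain short name: empty names, "/" or ".." would make
# "mv /Users/$user" touch a path other than the intended home directory.
valid_username() {
    case "$1" in
        ''|*/*|*' '*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read `dscacheutil -q user -a name <user>` output on stdin; succeed only when a
# "name: <user>" record is present (the command prints nothing for unknown users).
ds_cache_has_user() {
    grep -xF "name: $1" >/dev/null
}

# Phase 1 (run as the local admin): set the home aside, pause for the manual
# Users & Groups deletion, recreate the mobile account, verify the cache, and
# stop the trust account password from rotating. Refuses to clobber a backup.
phase_before_login() {
    local user=$1 home="/Users/$1" backup="/Users/${1}X"
    valid_username "$user" || { echo "bad username: '$user'" >&2; return 1; }
    [ -d "$home" ] || { echo "no home directory at $home" >&2; return 1; }
    [ ! -e "$backup" ] || { echo "$backup already exists, refusing to overwrite" >&2; return 1; }
    sudo mv "$home" "$backup"
    echo "Delete $user in System Preferences > Users & Groups, then press Enter"; read -r _confirm
    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$user"
    sudo dscacheutil -q user -a name "$user" | ds_cache_has_user "$user" \
        || { echo "$user is missing from the Directory Services cache" >&2; return 1; }
    sudo dsconfigad -passinterval 0
    echo "Now log in once as $user, then run: $0 after $user"
}

# Phase 2 (after the user has logged in once): discard the fresh home and
# restore the original one, then restart.
phase_after_login() {
    local user=$1 home="/Users/$1" backup="/Users/${1}X"
    valid_username "$user" && [ -d "$backup" ] && [ -d "$home" ] || return 1
    sudo mv "$home" "/Users/${user}_Del"
    sudo mv "$backup" "$home"
    echo "Restart the Mac, then log in as $user."
}

# Usage (macOS only): ./fix-locked-ad.sh before|after <username>
if [ "$(uname)" = Darwin ] && [ $# -eq 2 ]; then
    case "$1" in before) phase_before_login "$2" ;; after) phase_after_login "$2" ;; esac
fi
```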
Credit to this helpful user on the Apple forums.