The JK Buzz 1.13.2012, in this edition...

OS X 10.7 Lion: The latest on Lion, Accessing Lion's missing Reset Password feature, Lion restore no more

Mac OS X: App Store warning about updating apps

Creative Applications: Hairball with Lion/Photoshop/Suitcase, Adobe Extension Manager Lion bug, Adobe Reader & Acrobat updates and Mac OS X 10.7.2, New QuarkXPress features available in update

Mac OS X Server: Lion Server/Time Machine bug

Tips from the Trenches: Windows AD password expiration prompt cached credential behavior

OS X 10.7 Lion

The latest on Lion

Although it's been over two months since my last JK Buzz, surprisingly there's not much to report in the Mac troubleshooting world. Apple hasn't released any updates to Lion (holding at 10.7.2), and there haven't been any major bug-fix updates to the Mac apps our client's commonly use.

Questions about Lion haven't slowed down though. At least a few times a week I'm asked... "Is it safe to update to Lion?", "What are your current thoughts on Lion?", "Help, I bought a new Mac with Lion!".

Over the last couple of months, Techcare/All Covered has completed a few Lion workstation and server projects. As expected, we've run into a myriad of gotchas, where basic things that should have only taken a few minutes ended up consuming the entire day.

I'm still telling people to avoid Lion on production workstations for as long as possible, but make it a priority to setup Lion on a test Mac ASAP to begin identifying what does and doesn't work within their environment. We've experienced problems with getting older printers to work with Lion, encountered a lot of SMB related issues, found a few older incompatible peripherals, and discovered many strange instability issues (including saving from Photoshop, see the Creative Applications section of this JK Buzz).

The only compelling feature that Lion has to offer, in my opinion, is iCloud. If you own an iPhone or iPad running iOS 5.x, you're probably itching to upgrade your Mac to Lion to begin using this feature. All I can say is, if your Mac is currently running 10.6.8 just fine, upgrading to Lion now is likely going to be an exercise in frustration. At a minimum, make sure you have a full clone of your Mac on an external device before upgrading. Trust me on this.

And don't even get me started about Lion Server. It is by far the worst "upgrade" Apple has churned out in recent memory. It's so NOT ready for primetime I wouldn't even call it beta, it's alpha at best. Why Apple would decide to purposely dumb down things by removing features and options is beyond me, plus Lion Server's new replacement for Samba (SMBX) introduces a whole new era of SMB problems.

If you have no other option, Lion can be made to work for the most part, as long as all of your apps are recent and up to date. Don't underestimate how much time you may need to invest in troubleshooting oddball Lion behavior. Also make sure Macs upgraded to Lion have all available firmware updates applied (this can get easily overlooked when deploying Lion using imaging methods).

As I've stated before, I'd guess Lion will be fairly stable around the 10.7.4 mark... which would mirror when previous OS X released had moved past the initial growing pains phase. Apple is currently seeding the third preview release of 10.7.3 to developers, and it will likely be made public in late January.

Accessing Lion's missing Reset Password feature

With previous versions of Mac OS X, if you booted from an OS X install disc, you could reset any user's password by selecting "Reset Password" from the Utilities menu.

When you boot from a Lion Recovery Disk (Recovery HD partition), you'll find that the "Reset Password" is missing from the Utilities menu. Apple removed this option to satisfy those who considered this a security hole, however the Reset Password utility can still be accessed by selecting Terminal from the Utility menu, then entering resetpassword (followed by a return) in the Terminal window. This will launch the Reset Password utility, which works the same way is it always has. TIP: Don't quit Terminal until you're done with the Reset Password utility, otherwise it'll quit them both.

Lion restore no more

One of Lion's new love-it-or-leave-it features is that when you launch certain applications, they will restore the state they were in when you last quit them. Most Apple apps support this feature, and many third-party apps are beginning to add this support.

Apple accomplishes this feature by writing folders for each application in ~/Library/Saved Application State. This is good to know from a troubleshooting perspective, as if this feature fails to work properly, removing the application's folder from ~/Library/Saved Application State would be the first thing to try to resolve the problem.

If you do not like this feature, it can be disabled in the General system preference pane, by unchecking the option for "Restore windows when quitting and re-opening apps".

Another of Lion's new love-it-or-leave-it features, one that I find extremely annoying, is every time you log out/reboot/shutdown there is a "Reopen windows when logging back in" checkbox on the confirmation screen. This option is ALWAYS checked, and there is (currently) no way to set it to default to unchecked.

Why do I find this so annoying?... In my old school mind, when you power cycle a Mac, it should boot up in a clean state. This is the most basic of troubleshooting steps: "Have you tried rebooting?". Well, the new "Reopen windows when logging back in" feature defeats this, and it's checked by default! So if I have a dozen apps launched, each with several documents or windows open, and I decide to reboot because my Mac is acting funny, AND I forget to uncheck this option... all the apps, documents, and windows are going to reopen upon rebooting and loggin back in. UGH.Apple has changed their VM licensing policy with Lion. Now if you running Lion, you are permitted to run up to two VMs of it... "to install, and run up to two (2) additional copies or instances of the Apple Software within virtual operating system environments on each Mac Computer you own or control that is already running the Apple Software". You still can't legally run Lion as a VM on non-Apple hardware, but this change is a big step in that direction.

Mac OS X

App Store warning about updating apps

A lot of the software available for purchase through Apple's App Store is also available for purchase direct from the developer's website. Typically in these cases, you can also download updates directly from the developer's website.

If you purchase software through the App Store, then later download and apply an update directly from the vendor's website, it will likely confuse the App Store into thinking you've never purchased the software. This means it won't show as purchased in the App Store, and will require re-purchasing it for future updates through the App Store.

So bottom line, if you purchase software through the App Store, keep those software purchases updated using the App Store.

Creative Applications

Hairball with Lion/Photoshop/Suitcase

If you're running Lion, with Suitcase Fusion 3 installed, you may get alerts when saving Photoshop CS5/5.5 files stating "The disk copy of [...] was changed since you last opened or saved it. Do you want to save anyway?".

These alerts occur when saving locally or to a server volume, and tend to only occur after the Photoshop file has been left in an idle state. Clicking OK when the alert comes up allows the file to save, so this false alert is more annoying that anything.

Disabling the Suitcase Photoshop plug-in will prevent these alerts from coming up. If you require Suitcase Fusion 3 to manage fonts in Photoshop, you can add Photoshop to Suitcase's global auto-activation (if you do this, make sure to set Suitcaseas a hidden login item, as this feature only works if Suitcase is running).

Adobe Extension Manager Lion bug

The Adobe Extension Manager is an app that runs side-by-side Adobe CS5/5.5 apps, which lets you manage your Adobe CS extensions. It is installed automatically with Dreamweaver, Flash or Fireworks CS5/5.5, or it can be installed separately using a free download available from Adobe.

If you are running Adobe CS5/5.5 under Lion, you may get an error when attempting to add extensions using the Adobe Extension Manager. Adobe released an update to fix this, available via Adobe's Update Manager, but many people have reported that it won't show if you are running Lion... so if you applied this update prior to upgrading to Lion, your Adobe Extension Manager will work as expected, but if you didn't then you need to manually download the updater from Adobe's site.
http://www.adobe.com/downloads/updates/

Adobe Reader & Acrobat updates and Mac OS X 10.7.2

Adobe recently released 10.1.2 updates for both Adobe Reader and Acrobat Pro, which patch yet another obscure security vulnerability (yawn). The release notes also state that theses 10.1.2 updates provide "Mac OS X 10.7.2 compatibility"... so I guess if you're using either Acrobat Pro or Adobe Reader with Lion, make sure they are patched!

New QuarkXPress features available in update

Quark has released a 9.2 "enhancement" update for QuarkXPress 9, weighing in at over 1GB in size. This free update adds over 25 new ePUB and iOS features, making it easier than ever to create e-books and iPad apps.

Mac OS X Server

Lion Server/Time Machine bug

Apparently if you have a Lion 10.7.2 Server set up as an OD Master, and you're backing it up using Time Machine, and at some point you attempt to do a full system restore using Time Machine... the resulting restore will be non-functional because Time Machine currently can't handle open /var/db files). This was info was sent to me from a friend that I trust, who said he confirmed it with an Apple Enterprise Tech after it happened to him.

Tips from the Trenches

Time to switch gears away from Macs for a bit... This Windows specific tip comes from Brian Wiltse, a senior network operations center analyst with Techcare/All Covered.

"I had a ticket escalated to me to track down the cause of the remote Windows laptop users not receiving notice to change their Active Directory passwords before they expire.

The behavior being experienced happens by design and can only be corrected by a change in workflow. When a Windows system that is part of a domain is turned on it will automatically attempt to apply its network settings for any connected network media typically a physical NIC or Wireless connection. If the network connection can pull an IP address, Windows will then attempt to contact any domain controller on the directly connected LAN. This is where the issue comes into play.

One of two following situations are relevant to our situation that will occur;
Domain controller found
Once a Domain Controller(DC) is process the group policy for the computer account will be applied from the replica set on the DC that was contacted. After the computer policy is applied you are presented with the typical login window. Once the users credentials are supplied the workstation will validate the credentials against the DC. If the authentication is valid the credentials are cached locally in various ways including a copy of the domain password on the local workstations SAM file. The workstation then continues to process the user policy, user logon scripts, and notify the user if they password is expiring soon.

NO Domain controller found
If the DC is not found, the computer will attempt to pull its settings from a cached copy and then present the logon screen. If an attempt to logon to the system is made with a domain user account, the workstations will check to see if the users credentials were previously cached. If the credentials have not been cached they users will be presented with an error that the domain is not available. If the user account has been cached and the credentials match the cached copy the users will be logged to the system, but none of the additionally policy processing can occur because the domain is not available.

This issue occurs more frequently with remote users who VPN into the office, or laptops that normally connect to wireless are not able to establish connections to the DC since the network access to the DC is not available until after logging into the systems. To work around this issue there are a few workflow changes that could make the difference on not having this second situation occur.

Possible solutions

For laptops In the office
Hardwire the laptop to the LAN.
Some Wifi cards allow the machine to automatically join the wireless network, if this is setup the error should not occur.

For remote users who use XP VPN
Enable the option in the Cisco VPN client to VPN before authenticating in Windows.

If neither for the two above solutions are available –
After logging in with the cached credentials VPN into the network, run GPUPDATE /FORCE, lock the machine and log back in.

More information can be found in support.microsoft.com/kb/242536 and support.microsoft.com/kb/913485"