After upgrading to macOS 10.13 (High Sierra), newly added Active Directory (AD) users cannot log in to the Mac at the loginwindow.
However, once the user has been looked up from Terminal, for example by running id or login for that account, the same user can then log in at the loginwindow.
The cause is an interaction with the loginwindow service ACL. If a com.apple.access_loginwindow group (the group that restricts loginwindow access to its members) was created under a previous OS X version and survives the upgrade to 10.13, the system does not add the "netaccounts" group to the network user during the initial directory query, so loginwindow denies the login.
"netaccounts" is a group the system itself adds to network users so they can log in; it is managed by the OS, not by the administrator, so there is nothing to add manually.
This issue only occurs on macOS 10.13. We have filed a bug with Apple Support: #41965842 - "Network user cannot login when it is first created when the group com.apple.access_loginwindow exist".
Manually removing the com.apple.access_loginwindow group resolves the login issue on macOS 10.13. Run the following command in Terminal:
sudo dscl . -delete /Groups/com.apple.access_loginwindow
Be aware that this group is the loginwindow service ACL: once it is deleted, loginwindow no longer restricts which directory users may log in on that Mac, so any restriction it enforced is lost until the group is re-created on a release that carries Apple's fix.
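The check-and-fix procedure above as a shell script, added here as an example; it is not code from the original note or from Apple. It assumes macOS 10.13 with dscl(1) and id(1) available, and it only deletes the legacy group when the symptom is actually observed for the named user. The group lists used to exercise has_netaccounts are constructed sample output of id -Gn, not captured from a real machine.

```sh
#!/bin/sh
# Added example (not from the original note). Assumes macOS 10.13 with dscl(1) and id(1).
# Diagnoses the loginwindow service-ACL interaction described above and applies the
# documented workaround only when the symptom is actually present.

LEGACY_GROUP="com.apple.access_loginwindow"

# Return 0 if a whitespace-separated group list (the output of `id -Gn <user>`)
# contains the system-managed "netaccounts" group.
has_netaccounts() {
    for g in $1; do
        [ "$g" = "netaccounts" ] && return 0
    done
    return 1
}

# Return 0 if the legacy loginwindow ACL group still exists in the local node.
legacy_group_exists() {
    dscl . -read "/Groups/$LEGACY_GROUP" >/dev/null 2>&1
}

# Print the groups the directory currently reports for a user (empty if unknown).
# On 10.13 this lookup is also what makes a fresh AD user resolvable, so it runs
# before we judge whether netaccounts is missing.
user_groups() {
    id -Gn "$1" 2>/dev/null || true
}

# The workaround from the note: delete the legacy group. This also removes the
# loginwindow restriction it enforced, so re-create it deliberately if needed.
remove_legacy_group() {
    sudo dscl . -delete "/Groups/$LEGACY_GROUP"
}

# Decide what to do for one network user. Returns:
#   0  legacy group absent, or user already carries netaccounts (nothing to do)
#   1  symptom present: legacy group exists and netaccounts is missing
check_user() {
    user="$1"
    if ! legacy_group_exists; then
        echo "$LEGACY_GROUP not present; nothing to do"
        return 0
    fi
    if has_netaccounts "$(user_groups "$user")"; then
        echo "$user already carries netaccounts"
        return 0
    fi
    echo "$user lacks netaccounts while $LEGACY_GROUP exists"
    return 1
}

# Usage: sh fix_loginwindow.sh <ad-username>   (hypothetical file name)
if [ "$#" -ge 1 ]; then
    check_user "$1" || remove_legacy_group
fi
```

Run it as an administrator with the affected AD user name; it reports "nothing to do" when the legacy group is already gone, and only falls through to the dscl delete when the user still lacks netaccounts.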
Apple has fixed the issue in macOS 10.14 beta 3.