SBS domain password expiry ignored by Mac OS X

Posted on 2011-05-07
Last Modified: 2013-11-23
One of my clients has a Microsoft Small Business Server 2003 domain that we set up 2-3 years ago.  A few months ago, I updated the Domain Security Policy on the server to increase the time until domain user passwords expire to 90 days.  However, the Mac users' passwords are still expiring after just a few weeks.  I don't know the exact number of days - it may be 30, it may be 42 (the default SBS value before I updated the password policy) - but it's definitely around once per month, not 90 days.  

Can anyone tell me a (free) way of getting the Macs to learn the new "90 days" setting?  Doesn't SBS query this when the user logs in to the server?

I am an experienced SBS administrator but still a novice with Macs - I only have 1 client with this PC/Mac mixture.  The Macs are a mixture of OS X Tiger, Leopard and Snow Leopard and are properly 'bound' to Active Directory, using network shares, Exchange and shared printers without any trouble.  The majority of computers on the network are Windows XP.
Question by: DJNafey
    LVL 3

    Author Comment

    This question must be harder than I thought (I haven't had a response for a couple of days) so I've increased the points.
    LVL 77

    Accepted Solution

    For the record the default is 42 days.

    Group Policy cannot be applied to Macs, so this is a local/server issue. Might there be a different set of policies and OU for your Mac users? This could have a different set of password rules for this set of clients.
    LVL 3

    Author Comment

    Hi RobWill,

    Thanks for taking the time to respond to my question.  I've just remotely logged into the server to double-check and it looks like you are onto something.  

    The OU that I expected all computers to be in is "AD > My Business > Computers > SBSComputers".  That's where I can see all 14 Windows PCs (added to the network at various different times) and 1 of the original 4 Macs added 2-3 years ago plus 4 of the 7 Macs added to the network a few months ago.  There is also another OU that I expected to be empty: "AD > 'domain'.local > Computers" and in there I can see the remaining 3 original Macs and the remaining 3 Macs added a few months ago.

    I would have expected the "SBSComputers" OU to be the place where everything works properly but it seems to be the Macs in there that have the users regularly complaining about password changes and problems.  The 3 original Macs in the "AD > 'domain'.local > Computers" OU have the only Mac users that never phone the helpdesk with any problems at all.  

    Do you think that dragging the Macs that are in "SBSComputers" into the other OU is likely to fix my problem?  I know that Group Policy doesn't apply to Macs and it doesn't look like the Domain Security Policy could be applied to anything more specific than the entire AD so I can't think of anything else on the server to check.

    Thanks again :-)
    LVL 77

    Expert Comment

    by: Rob Williams
    In order for the SBS client PC group policies to be applied to a computer, they do need to be in the MyBusiness\SBSComputers OU, but as mentioned they won't apply to the Mac anyway. I would be tempted to look at the User OUs. Having said that, the policy that is most often used for password policies is the "Default Domain Policy", which should apply to all users; however, based on the issues you have, I am wondering if there could be multiple password policies. It may be difficult to locate. You could run the Group Policy Results wizard in the GP management console to try to isolate what policies are applied to a given user.
    LVL 3

    Author Closing Comment

    Hi RobWill,

    Apologies for the delay in getting back to you.  We had a major disagreement with the client over late payments and almost dumped them so this issue went down the priority list quite a long way!  We've got that sorted out now and are working for them again but they've just been burgled over the weekend and half of their office was taken .... so the priorities have changed again.

    What I can say, though, is that I looked again at Active Directory, Group Policy and the Domain Security Policy and the only difference that I have been able to identify is the different OU that some of the Mac computers are in.  The user that complained recently about having to change his password every 30 days was using a Mac in the SBSComputers OU, whereas most of the other Macs are in the "domain.local > Computers" OU.  His was one of the computers that was stolen over the weekend so I am going to put his new Mac into the "domain.local > Computers" OU before he logs onto it for the first time.

    We might not know whether the issue is still there for another 30 days but I am going to close this issue now and award the points to you as I am fairly confident that you have pointed me in the right direction.

    Thanks again.
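
The thread never pins down whether the affected Macs prompt at 30, 42 or 90 days. The following is an added example, not part of any post above: it decodes the raw Active Directory attributes `maxPwdAge` (on the domain object), `pwdLastSet` and `userAccountControl` (on the user) and reports whether a password-change prompt came earlier than the domain policy allows. It assumes the raw integer values have been exported from the directory; all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86400 * 10_000_000   # AD stores times in 100-ns ticks
NEVER = -0x8000000000000000          # maxPwdAge value meaning "no expiry"
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl flag

def dt_to_filetime(dt):
    """Aware datetime -> FILETIME ticks (used here to build sample data)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def filetime_to_dt(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def max_age_days(max_pwd_age):
    """maxPwdAge is a negative tick count; return days, or None for no expiry."""
    if max_pwd_age == NEVER:
        return None
    return -max_pwd_age / TICKS_PER_DAY

def expiry_time(pwd_last_set, max_pwd_age, uac=0):
    """UTC time the domain policy expires this password, or None if never."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == NEVER:
        return None
    if pwd_last_set == 0:            # 0 = must change at next logon
        return FILETIME_EPOCH
    return filetime_to_dt(pwd_last_set - max_pwd_age)  # subtracting a negative

def early_prompt(pwd_last_set, max_pwd_age, prompted_on):
    """Return (days since last change, True if prompted before policy expiry)."""
    observed = (prompted_on - filetime_to_dt(pwd_last_set)) / timedelta(days=1)
    expires = expiry_time(pwd_last_set, max_pwd_age)
    return round(observed, 1), expires is not None and prompted_on < expires

if __name__ == "__main__":
    # Constructed sample: 90-day policy, password last set 2011-04-01,
    # user reports being forced to change it on 2011-05-01.
    policy = -90 * TICKS_PER_DAY
    last_set = dt_to_filetime(datetime(2011, 4, 1, tzinfo=timezone.utc))
    prompted = datetime(2011, 5, 1, tzinfo=timezone.utc)
    print("policy days:", max_age_days(policy))
    print("policy expiry:", expiry_time(last_set, policy))
    print("observed days, early?:", early_prompt(last_set, policy, prompted))
```

An early prompt against a 90-day `maxPwdAge` shows the forced change is not coming from the domain password policy, which narrows the search to the client or to how the account is being handled.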
