Asked by DJNafey

SBS domain password expiry ignored by Mac OS X

One of my clients has a Microsoft Small Business Server 2003 domain that we set up 2-3 years ago.  A few months ago, I updated the Domain Security Policy on the server to increase the time until domain user passwords expire to 90 days.  However, the Mac users' passwords are still expiring after just a few weeks.  I don't know the exact number of days - it may be 30, it may be 42 (the default SBS value before I updated the password policy) - but it's definitely around once per month, not 90 days.  

Can anyone tell me a (free) way of getting the Macs to learn the new "90 days" setting?  Doesn't SBS query this when the user logs in to the server?

I am an experienced SBS administrator but still a novice with Macs - I only have 1 client with this PC/Mac mixture.  The Macs are a mixture of OS X Tiger, Leopard and Snow Leopard and are properly 'bound' to Active Directory, using network shares, Exchange and shared printers without any trouble.  The majority of computers on the network are Windows XP.
DJNafey (ASKER)

This question must be harder than I thought (I haven't had a response for a couple of days) so I've increased the points.
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
DJNafey (ASKER)

Hi RobWill,

Thanks for taking the time to respond to my question.  I've just remotely logged into the server to double-check and it looks like you are onto something.  

The OU that I expected all computers to be in is "AD > My Business > Computers > SBSComputers".  That's where I can see all 14 Windows PCs (added to the network at various different times) and 1 of the original 4 Macs added 2-3 years ago plus 4 of the 7 Macs added to the network a few months ago.  There is also another OU that I expected to be empty: "AD > 'domain'.local > Computers" and in there I can see the remaining 3 original Macs and the remaining 3 Macs added a few months ago.

I would have expected the "SBSComputers" OU to be the place where everything works properly but it seems to be the Macs in there that have the users regularly complaining about password changes and problems.  The 3 original Macs in the "AD > 'domain'.local > Computers" OU have the only Mac users that never phone the helpdesk with any problems at all.  

Do you think that dragging the Macs that are in "SBSComputers" into the other OU is likely to fix my problem?  I know that Group Policy doesn't apply to Macs and it doesn't look like the Domain Security Policy could be applied to anything more specific than the entire AD so I can't think of anything else on the server to check.

Thanks again :-)

Rob Williams

In order for the SBS client PC group policies to be applied to a computer, they do need to be in the MyBusiness\SBSComputers OU, but as mentioned they won't apply to the Mac anyway. I would be tempted to look at the User OUs. Having said that, the policy that is most often used for password policies is the "Default Domain Policy", which should apply to all users; however, based on the issues you have, I am wondering if there could be multiple password policies. It may be difficult to locate. You could run the Group Policy Results wizard in the GP management console to try to isolate what policies are applied to a given user.
DJNafey (ASKER)

Hi RobWill,

Apologies for the delay in getting back to you.  We had a major disagreement with the client over late payments and almost dumped them so this issue went down the priority list quite a long way!  We've got that sorted out now and are working for them again but they've just been burgled over the weekend and half of their office was taken .... so the priorities have changed again.

What I can say, though, is that I looked again at Active Directory, Group Policy and the Domain Security Policy and the only difference that I have been able to identify is the different OU that some of the Mac computers are in.  The user that complained recently about having to change his password every 30 days was using a Mac in the SBSComputers OU, whereas most of the other Macs are in the "domain.local > Computers" OU.  His was one of the computers that was stolen over the weekend so I am going to put his new Mac into the "domain.local > Computers" OU before he logs onto it for the first time.

We might not know whether the issue is still there for another 30 days but I am going to close this issue now and award the points to you as I am fairly confident that you have pointed me in the right direction.

Thanks again.