grsg asked:

Can’t change password on Mac

I have connected a number of Macs to a Windows Active Directory server.  All users can log in, but when any of them try to change the password a box appears saying, ‘You cannot change your password to the password you entered, your system administrator may not allow you to change your password etc…’

Also, if in Active Directory I select an account and set ‘user must change password at next login’, I then log in as that user and I’m prompted to change the password, but any passwords I enter are rejected.

I can’t tell if the problem is caused by something I’ve missed on the server or on the Mac.  Any ideas please?
Tags: Apple OS, Active Directory, Mac OS X, Microsoft Server OS

Aard Vark

Do you have a password policy which the passwords are not meeting? Do you have a password policy with a minimum password age before being allowed to change?
grsg

ASKER

The password policy is set to 8 characters and the usual upper and lower case, numerics and symbols.  I haven't set a minimum password age. Where can I check this?  The box is SBS 2008 standard and I set the policy in the SBS console and there wasn't an option for min password age.
grsg

ASKER

I changed the password age from 2 days to 0 days so users should be able to change their password immediately, but I still can't change passwords
Aard Vark

OK a few things to check. Make sure:

You are meeting the password complexity requirements (numbers, upper case, etc).
You are not using a password which has been used before.
You are not using a password which is in the dictionary.
The time on the Mac is synchronized with the root domain controller (normally Windows machines on the domain will automatically sync to the root PDCE).
Mac device name is less than 16 characters.
Mac device name just contains a-z 0-9 and hyphens.

A lot of people just use a Windows based machine or a web based service which allows them to change their passwords. Sometimes things go wrong on a Mac in an AD environment. You could try removing the domain config from the Mac and starting again and see how it goes.
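
The Mac-side items in the checklist above (computer name length and characters, clock agreement with the domain controller) can be checked mechanically. The script below is an added example, not part of the thread: the function names are made up here, letter case in the name is ignored, and the 300-second limit is the default Kerberos clock-skew tolerance in Active Directory, assumed unchanged.

```shell
#!/bin/sh
# Added example: pre-checks for a Mac bound to AD. Names are hypothetical.
LC_ALL=C; export LC_ALL   # keep the a-z range ASCII-only
MAX_SKEW=300              # seconds; AD Kerberos default, assumed unchanged

# Valid when 1-15 characters long and made only of letters, digits, hyphens.
valid_computer_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$name" ] || return 1
    [ "${#name}" -lt 16 ] || return 1
    case $name in
        *[!a-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Absolute difference in seconds between two epoch timestamps.
clock_skew() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# True when the Mac and the domain controller agree within MAX_SKEW.
skew_ok() {
    [ "$(clock_skew "$1" "$2")" -le "$MAX_SKEW" ]
}

# preflight NAME MAC_EPOCH DC_EPOCH: prints each failed check, returns 1 on any.
preflight() {
    rc=0
    valid_computer_name "$1" || { echo "FAIL computer name: '$1'"; rc=1; }
    skew_ok "$2" "$3" || { echo "FAIL clock skew: $(clock_skew "$2" "$3")s"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Stand-alone use on the Mac, with the DC time obtained separately:
#   sh preflight.sh "$(scutil --get ComputerName)" "$(date +%s)" DC_EPOCH
if [ $# -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

A name such as "John's iMac" fails the character check because of the apostrophe and the space, which is the case the checklist is warning about.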
grsg

ASKER

Thanks Learnctx,  I have checked that I comply with all of your points and I do.  I can change the passwords using OWA, but that seems unnecessary.  Management also want to be able to force password changes at login and at the moment this isn't possible.  Is there a Group Policy for Macs that I need to modify?
Aard Vark

Are you trying to change the password through system settings or at the login screen?
grsg

ASKER

I've tried going through System prefs > Accounts and clicking change password in there and I've ticked 'User must change password at next login' on the server, so when the users log in they are prompted to change the password, but whatever they try to change it to, it's rejected.  Both methods won't allow me to change the passwords.
Aard Vark

This looks like it might have some promising options: https://discussions.apple.com/message/6890704#6890704. Apart from this I do not know, it seems like obviously some kind of Mac AD integration issue. I would say GPOs are not the problem but as it is a Mac in a Windows environment I suppose anything is possible.
grsg

ASKER

Thanks Learnctx, I've had to wait for an opportunity to try this, hence late reply.  I followed the steps though and it didn't make any difference, I still can't change the passwords.  A new development is that two freshly reinstalled Macs don't have this problem after I join them to the domain, they can change their passwords and work as expected.
ASKER CERTIFIED SOLUTION
Aaron Tomosky

[Solution text is available to members only.]
grsg

ASKER

Thanks aarontomosky, it sounds like you've had similar difficulties to those that I'm experiencing and Centrify sounds like it will do what I want.  I've been to the site and will try it out.  Thanks for the suggestion. G
Aaron Tomosky

Here is my short list of steps:
Completely unjoin, reboot, log in as a local admin user, make sure you don't have local user accounts with the same names as your AD accounts, install Centrify and join.
At this point I open Terminal and run "id username", replacing username with the actual name. This should return the AD user. Then I run something like
dscl add groups admin username
I don't have the exact syntax on hand, but it adds the network user to the local admin group if you want your person to have that; I do.
Then you can reboot and log in as them.

Don't let Centrify map an already existing user to a network user; I had problems with this. Maybe it works better now, but the way I listed above works every time.
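
The checks in the steps above, written out as an added example that is not the poster's script: it confirms the name has no local account shadowing it, confirms it resolves through the directory, and only then adds it to the local admin group using the `dscl . -append /Groups/admin GroupMembership` form. The function names and the `DSCL` / `ID_CMD` override variables are made up here so the logic can be exercised without touching a real directory.

```shell
#!/bin/sh
# Added example: guard rails around granting local admin to a network user.
DSCL=${DSCL:-dscl}      # override for dry runs (hypothetical variable)
ID_CMD=${ID_CMD:-id}    # override for dry runs (hypothetical variable)

# True when the local directory node (".") holds a user record with this
# short name, i.e. a local account that would shadow the AD account.
has_local_account() {
    "$DSCL" . -read "/Users/$1" UniqueID >/dev/null 2>&1
}

# True when the name resolves at all, from any directory node.
resolves() {
    "$ID_CMD" "$1" >/dev/null 2>&1
}

# Prints "local", "network" or "missing" for the given short name.
account_source() {
    if has_local_account "$1"; then
        echo local
    elif resolves "$1"; then
        echo network
    else
        echo missing
    fi
}

# Adds the user to the local admin group only when the account is served
# by the directory and no local account of the same name exists.
grant_local_admin() {
    src=$(account_source "$1")
    if [ "$src" != network ]; then
        echo "refusing: $1 is $src, expected a network account" >&2
        return 1
    fi
    "$DSCL" . -append /Groups/admin GroupMembership "$1"
}

# Stand-alone use (run with sudo on the Mac): sh grant_admin.sh username
if [ $# -eq 1 ]; then grant_local_admin "$1"; fi
```

Membership can be confirmed afterwards with `dseditgroup -o checkmember -m username admin`.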