• Status: Solved

Can’t change password on Mac

I have connected a number of Macs to a Windows Active Directory server. All users can login, but when any of them try to change the password a box appears saying, ‘You cannot change your password to the password you entered, your system administrator may not allow you to change your password etc…’

Also, if in Active Directory I select an account and set, ‘user must change password at next login’, I then login as that user and I’m prompted to change the password, but any passwords I enter are rejected.

I can’t tell if the problem is caused by something I’ve missed on the server or on the Mac.  Any ideas please?
0
Asked:
grsg
1 Solution
 
Learnctx (Engineer) commented:
Do you have a password policy which the passwords are not meeting? Do you have a password policy with a minimum password age before being allowed to change?
0
 
grsg (Author) commented:
The password policy is set to 8 characters and the usual upper and lower case, numerics and symbols.  I haven't set a minimum password age. Where can I check this?  The box is SBS 2008 standard and I set the policy in the SBS console and there wasn't an option for min password age.
0
 
grsg (Author) commented:
I changed the password age from 2 days to 0 days so users should be able to change their password immediately, but I still can't change passwords.
0
 
Learnctx (Engineer) commented:
OK, a few things to check. Make sure:

You are meeting the password complexity requirements (numbers, upper case, etc.).
You are not using a password which has been used before.
You are not using a password which is in the dictionary.
The time on the Mac is synchronized with the root domain controller (normally Windows machines on the domain will automatically sync to the root PDCE).
The Mac device name is less than 16 characters.
The Mac device name contains only a-z, 0-9 and hyphens.

A lot of people just use a Windows based machine or a web based service which allows them to change their passwords. Sometimes things go wrong on a Mac in an AD environment. You could try removing the domain config from the Mac and starting again and see how it goes.
0
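A pre-flight script for the Mac-side items in that checklist (an added example, not code from the thread): it validates a computer name against the NetBIOS 15-character and a-z/0-9/hyphen rules and checks clock skew against the 5-minute Kerberos tolerance. The names and timestamps used are constructed; the live section assumes it is run on a Mac where `scutil` is available.

```shell
#!/bin/sh
# Added example, not from the thread: checks the Mac-side items in the
# checklist above before (re)joining AD. Names and timestamps passed in
# are constructed; the live section runs only when --live is given.

# NetBIOS computer names are at most 15 characters (the "less than 16"
# rule) and the safe character set is a-z, 0-9 and hyphen. Names are
# case-insensitive, so upper case is folded before checking.
check_ad_hostname() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "${#name}" -eq 0 ] || [ "${#name}" -gt 15 ]; then
        return 1
    fi
    case "$name" in
        *[!a-z0-9-]*) return 1 ;;  # any character outside a-z 0-9 -
        -*|*-)        return 1 ;;  # leading or trailing hyphen
    esac
    return 0
}

# AD password changes ride on Kerberos, which rejects requests when the
# client and DC clocks differ by more than the KDC tolerance, 5 minutes
# on Windows DCs by default. Arguments: local and DC time in epoch seconds.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then
        skew=$(( 0 - skew ))
    fi
    [ "$skew" -le 300 ]
}

# Live run on a Mac: scutil's ComputerName is what gets registered in AD.
# The DC's clock (epoch seconds, read off the DC) is passed as the second
# argument so the skew check can compare it with the local clock.
if [ "${1:-}" = "--live" ]; then
    cn=$(scutil --get ComputerName)
    if check_ad_hostname "$cn"; then
        echo "ComputerName '$cn' is AD-safe"
    else
        echo "ComputerName '$cn' breaks the 15-char / a-z 0-9 hyphen rule"
    fi
    if [ -n "${2:-}" ] && ! check_clock_skew "$(date +%s)" "$2"; then
        echo "clock differs from DC by more than 300s: Kerberos will fail"
    fi
fi
```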
 
grsg (Author) commented:
Thanks Learnctx,  I have checked that I comply with all of your points and I do.  I can change the passwords using OWA, but that seems unnecessary.  Management also want to be able to force password changes at login and at the moment this isn't possible.  Is there a Group Policy for Macs that I need to modify?
0
 
Learnctx (Engineer) commented:
Are you trying to change the password through system settings or at the login screen?
0
 
grsg (Author) commented:
I've tried going through System Prefs > Accounts and clicking Change Password in there, and I've ticked 'User must change password at next login' on the server, so when the users log in they are prompted to change the password, but whatever they try to change it to, it's rejected. Both methods won't allow me to change the passwords.
0
 
Learnctx (Engineer) commented:
This looks like it might have some promising options: https://discussions.apple.com/message/6890704#6890704. Apart from this I do not know; it seems like obviously some kind of Mac AD integration issue. I would say GPOs are not the problem, but as it is a Mac in a Windows environment I suppose anything is possible.
0
 
grsg (Author) commented:
Thanks Learnctx, I've had to wait for an opportunity to try this, hence late reply.  I followed the steps though and it didn't make any difference, I still can't change the passwords.  A new development is that two freshly reinstalled Macs don't have this problem after I join them to the domain, they can change their passwords and work as expected.
0
 
Aaron Tomosky (Technology Consultant) commented:
I gave up on Mountain Lion doing this, along with all the OS X versions that came before. Haven't tried Mavericks yet though. Something to do with not being able to get a Kerberos ticket, but I don't understand the really low level stuff.

Since I have a bunch of laptops and OS X binding still doesn't cache password hashes, it's basically unusable. I use the free Centrify to join. It's free and works great and does hash caching.
0
 
grsg (Author) commented:
Thanks aarontomosky, it sounds like you've had similar difficulties to those that I'm experiencing and Centrify sounds like it will do what I want.  I've been to the site and will try it out.  Thanks for the suggestion. G
0
 
Aaron Tomosky (Technology Consultant) commented:
Here is my short list of steps:
Completely unjoin, reboot, login as a local admin user, make sure you don't have local user accounts with the same names as your AD accounts, install Centrify and join.
At this point I open Terminal and run "id username" (replace username with the actual name). This should return the AD user. Then I run something like
sudo dscl . -append /Groups/admin GroupMembership username
I don't have the exact syntax on hand, but it adds the network user to the local admin group if you want your person to have that, I do.
Then you can reboot and login as them.

Don't let centrify map an already existing user to a network user, I had problems with this. Maybe it works better now but the way I listed above works every time.
0
