Solved

Can’t change password on Mac

Posted on 2013-11-22
1,884 Views
Last Modified: 2013-12-19
I have connected a number of Macs to a Windows Active Directory server. All users can login, but when any of them try to change the password a box appears saying, ‘You cannot change your password to the password you entered, your system administrator may not allow you to change your password etc…’

Also, if in Active Directory I select an account and set, ‘user must change password at next login’, I then login as that user and I’m prompted to change the password, but any passwords I enter are rejected.

I can’t tell if the problem is caused by something I’ve missed on the server or on the Mac. Any ideas please?
Question by:grsg

Expert Comment

by:Learnctx
Do you have a password policy which the passwords are not meeting? Do you have a password policy with a minimum password age before being allowed to change?

Author Comment

by:grsg
The password policy is set to 8 characters and the usual upper and lower case, numerics and symbols. I haven't set a minimum password age. Where can I check this? The box is SBS 2008 Standard and I set the policy in the SBS console and there wasn't an option for min password age.

Author Comment

by:grsg
I changed the password age from 2 days to 0 days so users should be able to change their password immediately, but I still can't change passwords.

Expert Comment

by:Learnctx
OK, a few things to check. Make sure:

You are meeting the password complexity requirements (numbers, upper case, etc).
You are not using a password which has been used before.
You are not using a password which is in the dictionary.
The time on the Mac is synchronized with the root domain controller (normally Windows machines on the domain will automatically sync to the root PDCE).
Mac device name is less than 16 characters.
Mac device name just contains a-z, 0-9 and hyphens.

A lot of people just use a Windows based machine or a web based service which allows them to change their passwords. Sometimes things go wrong on a Mac in an AD environment. You could try removing the domain config from the Mac and starting again and see how it goes.
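The device-name and clock items from the checklist above as a pre-bind script (an added example, not from the thread or from Learnctx). It assumes that "less than 16 characters" is the 15-character NetBIOS computer-name limit and that the domain uses Kerberos' default 300-second clock-skew tolerance; the skew is passed in as a number rather than measured, so the script runs offline.

```shell
#!/bin/sh
# Added example: pre-bind sanity checks for a Mac about to join AD.
# Assumes the checklist's "less than 16 characters" is the 15-character
# NetBIOS computer-name limit and that the domain uses Kerberos' default
# clock-skew tolerance of 300 seconds.
export LC_ALL=C   # make a-z / 0-9 ranges mean ASCII regardless of locale

# check_netbios_name NAME -> 0 if NAME is usable as the Mac's computer name
check_netbios_name() {
    name=$1
    # empty or longer than 15 characters: rejected
    if [ -z "$name" ] || [ "${#name}" -gt 15 ]; then
        return 1
    fi
    # only a-z, 0-9 and hyphens, and no leading or trailing hyphen
    case "$name" in
        *[!a-z0-9-]*|-*|*-) return 1 ;;
    esac
    return 0
}

# check_clock_skew SECONDS -> 0 if the offset from the PDC emulator is
# strictly within the 300 s Kerberos default (negative offsets allowed)
check_clock_skew() {
    skew=$1
    if [ "$skew" -lt 0 ]; then
        skew=$(( 0 - $skew ))
    fi
    [ "$skew" -lt 300 ]
}

# Constructed sample inputs (not real hosts); on a real Mac the name would
# come from `scutil --get ComputerName` and the skew from a time query to the DC.
for n in mac-lab-01 Johns-MacBook-Pro macbook_air_01 lab-mac-0123456; do
    if check_netbios_name "$n"; then
        echo "name ok:  $n"
    else
        echo "name bad: $n"
    fi
done
for s in 120 -299 600; do
    if check_clock_skew "$s"; then
        echo "skew ok:  ${s}s"
    else
        echo "skew bad: ${s}s"
    fi
done
```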

Author Comment

by:grsg
Thanks Learnctx, I have checked that I comply with all of your points and I do. I can change the passwords using OWA, but that seems unnecessary. Management also want to be able to force password changes at login and at the moment this isn't possible. Is there a Group Policy for Macs that I need to modify?

Expert Comment

by:Learnctx
Are you trying to change the password through system settings or at the login screen?

Author Comment

by:grsg
I've tried going through System Prefs > Accounts and clicking change password in there, and I've ticked 'User must change password at next login' on the server, so when the users log in they are prompted to change the password, but whatever they try to change it to, it's rejected. Both methods won't allow me to change the passwords.

Expert Comment

by:Learnctx
This looks like it might have some promising options: https://discussions.apple.com/message/6890704#6890704. Apart from this I do not know; it seems like obviously some kind of Mac AD integration issue. I would say GPOs are not the problem, but as it is a Mac in a Windows environment I suppose anything is possible.

Author Comment

by:grsg
Thanks Learnctx, I've had to wait for an opportunity to try this, hence the late reply. I followed the steps though and it didn't make any difference; I still can't change the passwords. A new development is that two freshly reinstalled Macs don't have this problem after I join them to the domain; they can change their passwords and work as expected.
LVL 38

Accepted Solution

by:Aaron Tomosky (earned 500 total points)
I gave up on Mountain Lion doing this along with all the OS X versions that came before. Haven't tried Mavericks yet though. Something to do with not being able to get a Kerberos ticket, but I don't understand the really low level stuff.

Since I have a bunch of laptops and OS X binding still doesn't cache password hashes, it's basically unusable. I use the free Centrify to join. It's free and works great and does hash caching.

Author Closing Comment

by:grsg
Thanks aarontomosky, it sounds like you've had similar difficulties to those that I'm experiencing and Centrify sounds like it will do what I want. I've been to the site and will try it out. Thanks for the suggestion. G

Expert Comment

by:Aaron Tomosky
Here is my short list of steps:
Completely unjoin, reboot, login as a local admin user, make sure you don't have local user accounts with the same names as your AD accounts, install Centrify and join.
At this point I open Terminal and run "id username" (replace username with the actual name). This should return the AD user. Then I run something like
dscl add groups admin username
I don't have the exact syntax on hand, but it adds the network user to the local admin group if you want your person to have that; I do.
Then you can reboot and log in as them.

Don't let Centrify map an already existing user to a network user; I had problems with this. Maybe it works better now, but the way I listed above works every time.