Solved

Can’t change password on Mac

Posted on 2013-11-22
Last Modified: 2013-12-19
I have connected a number of Macs to a Windows Active Directory server.  All users can log in, but when any of them try to change the password a box appears saying, ‘You cannot change your password to the password you entered, your system administrator may not allow you to change your password etc…’

Also, if in Active Directory I select an account and set ‘user must change password at next login’, I then log in as that user and I’m prompted to change the password, but any passwords I enter are rejected.

I can’t tell if the problem is caused by something I’ve missed on the server or on the Mac.  Any ideas please?
0
Question by:grsg
14 Comments
 
LVL 18

Expert Comment

by:Learnctx
ID: 39672176
Do you have a password policy which the passwords are not meeting? Do you have a password policy with a minimum password age before being allowed to change?
0
 

Author Comment

by:grsg
ID: 39674297
The password policy is set to 8 characters and the usual upper and lower case, numerics and symbols.  I haven't set a minimum password age. Where can I check this?  The box is SBS 2008 standard and I set the policy in the SBS console and there wasn't an option for min password age.
0
 

Author Comment

by:grsg
ID: 39677458
I changed the password age from 2 days to 0 days so users should be able to change their password immediately, but I still can't change passwords
0
 
LVL 18

Expert Comment

by:Learnctx
ID: 39680618
OK a few things to check. Make sure:

You are meeting the password complexity requirements (numbers, upper case, etc).
You are not using a password which has been used before.
You are not using a password which is in the dictionary.
The time on the Mac is synchronized with the root domain controller (normally Windows machines on the domain will automatically sync to the root PDCE).
Mac device name is less than 16 characters.
Mac device name just contains a-z 0-9 and hyphens

A lot of people just use a Windows based machine or a web based service which allows them to change their passwords. Sometimes things go wrong on a Mac in an AD environment. You could try removing the domain config from the Mac and starting again and see how it goes.
0
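The naming and clock items in the checklist above can be tested before binding. This is an added example, not part of the original post; the function names `valid_computer_name` and `skew_ok` are hypothetical, letters are accepted in either case as an assumption, and the 300-second default is the 5-minute Kerberos clock tolerance that Active Directory uses by default.

```shell
#!/bin/sh
# Added example: pre-bind checks taken from the checklist above.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges below byte-exact

# valid_computer_name NAME (hypothetical helper)
# Succeeds when NAME is non-empty, shorter than 16 characters and made only
# of letters, digits and hyphens (letters accepted in either case: assumption).
valid_computer_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -lt 16 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# skew_ok MAC_EPOCH DC_EPOCH [MAX_SECONDS] (hypothetical helper)
# Succeeds when the two clocks differ by at most MAX_SECONDS (default 300,
# the 5-minute Kerberos tolerance AD uses by default).
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -ge 0 ] || diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# On a Mac, check both names the system reports. Elsewhere this is skipped.
if command -v scutil >/dev/null 2>&1; then
    for key in ComputerName LocalHostName; do
        n=$(scutil --get "$key" 2>/dev/null) || continue
        valid_computer_name "$n" || echo "$key '$n' fails the naming rules" >&2
    done
fi
```

`skew_ok` takes both times as epoch seconds: `date +%s` on the Mac, and the domain controller's time obtained separately.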
 

Author Comment

by:grsg
ID: 39687365
Thanks Learnctx,  I have checked that I comply with all of your points and I do.  I can change the passwords using OWA, but that seems unnecessary.  Management also want to be able to force password changes at login and at the moment this isn't possible.  Is there a Group Policy for Macs that I need to modify?
0
 
LVL 18

Expert Comment

by:Learnctx
ID: 39694509
Are you trying to change the password through system settings or at the login screen?
0
 

Author Comment

by:grsg
ID: 39697813
I've tried going through System prefs > Accounts and clicking change password in there and I've ticked 'User must change password at next login' on the server, so when the user logs in they are prompted to change the password, but whatever they try to change it to, it's rejected.  Both methods won't allow me to change the passwords.
0
 
LVL 18

Expert Comment

by:Learnctx
ID: 39704232
This looks like it might have some promising options: https://discussions.apple.com/message/6890704#6890704. Apart from this I do not know, it seems like obviously some kind of Mac AD integration issue. I would say GPOs are not the problem but as it is a Mac in a Windows environment I suppose anything is possible.
0
 

Author Comment

by:grsg
ID: 39711538
Thanks Learnctx, I've had to wait for an opportunity to try this, hence late reply.  I followed the steps though and it didn't make any difference, I still can't change the passwords.  A new development is that two freshly reinstalled Macs don't have this problem after I join them to the domain, they can change their passwords and work as expected.
0
 
LVL 39

Accepted Solution

by:
Aaron Tomosky earned 1500 total points
ID: 39724219
I gave up on Mountain Lion doing this along with all the OS X that came before. Haven't tried Mavericks yet though. Something to do with not being able to get a Kerberos ticket but I don't understand the really low level stuff.

Since I have a bunch of laptops and OS X binding still doesn't cache password hashes it's basically unusable. I use the free Centrify to join. It's free and works great and does hash caching.
0
 

Author Closing Comment

by:grsg
ID: 39729444
Thanks aarontomosky, it sounds like you've had similar difficulties to those that I'm experiencing and Centrify sounds like it will do what I want.  I've been to the site and will try it out.  Thanks for the suggestion. G
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39729788
Here is my short list of steps:
Completely unjoin, reboot, log in as a local admin user, make sure you don't have local user accounts with the same names as your AD accounts, install Centrify and join.
At this point I open Terminal and run "id username", replacing username with the actual name. This should return the AD user. Then I run something like
dscl add groups admin username
I don't have the exact syntax on hand but it adds the network user to the local admin group if you want your person to have that, I do.
Then you can reboot and log in as them.

Don't let Centrify map an already existing user to a network user, I had problems with this. Maybe it works better now but the way I listed above works every time.
0
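The steps above depend on two conditions: no local account shares a name with the AD account, and `id username` resolves to the network user before that user is given local admin rights. This is an added example, not part of the original post, that checks both before touching the admin group; `classify` and `promote` are hypothetical names, and the group change uses macOS's `dseditgroup` tool.

```shell
#!/bin/sh
# Added example: guard around the "add the network user to admin" step.

# classify NAME RESOLVES (hypothetical helper)
# Reads local account short names on stdin, one per line (the format
# `dscl . -list /Users` prints). RESOLVES is "yes" when `id NAME` succeeded.
# Prints: local   - NAME exists in the Mac's local directory (collision)
#         network - NAME resolves, but not from the local directory
#         missing - NAME does not resolve at all
classify() {
    if grep -Fxiq -- "$1"; then
        echo local
    elif [ "$2" = yes ]; then
        echo network
    else
        echo missing
    fi
}

# promote NAME (hypothetical helper): add NAME to the local admin group only
# if it is a network account. Run as root on the joined Mac.
promote() {
    user=$1
    if id "$user" >/dev/null 2>&1; then resolves=yes; else resolves=no; fi
    origin=$(dscl . -list /Users | classify "$user" "$resolves")
    if [ "$origin" != network ]; then
        echo "not promoting $user: account is $origin" >&2
        return 1
    fi
    dseditgroup -o edit -a "$user" -t user admin
}

# Constructed sample of local account names, for trying classify offline.
SAMPLE_LOCAL_USERS='root
daemon
localadmin
jsmith'

# Only act when a user name is given on the command line.
[ "$#" -eq 0 ] || promote "$1"
```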
