Solved

Can’t change password on Mac

Posted on 2013-11-22
Last Modified: 2013-12-19
I have connected a number of Macs to a Windows Active Directory server.  All users can log in, but when any of them try to change the password a box appears saying, ‘You cannot change your password to the password you entered, your system administrator may not allow you to change your password etc…’

Also, if in Active Directory I select an account and set ‘user must change password at next login’, I then log in as that user and I’m prompted to change the password, but any passwords I enter are rejected.

I can’t tell if the problem is caused by something I’ve missed on the server or on the Mac.  Any ideas please?
Question by:grsg
14 Comments
 
LVL 17

Expert Comment

by:Learnctx
ID: 39672176
Do you have a password policy which the passwords are not meeting? Do you have a password policy with a minimum password age before being allowed to change?
0
 

Author Comment

by:grsg
ID: 39674297
The password policy is set to 8 characters and the usual upper and lower case, numerics and symbols.  I haven't set a minimum password age. Where can I check this?  The box is SBS 2008 standard and I set the policy in the SBS console and there wasn't an option for min password age.
0
 

Author Comment

by:grsg
ID: 39677458
I changed the password age from 2 days to 0 days so users should be able to change their password immediately, but I still can't change passwords.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 39680618
OK a few things to check. Make sure:

You are meeting the password complexity requirements (numbers, upper case, etc).
You are not using a password which has been used before.
You are not using a password which is in the dictionary.
The time on the Mac is synchronized with the root domain controller (normally Windows machines on the domain will automatically sync to the root PDCE).
Mac device name is less than 16 characters.
Mac device name just contains a-z 0-9 and hyphens

A lot of people just use a Windows based machine or a web based service which allows them to change their passwords. Sometimes things go wrong on a Mac in an AD environment. You could try removing the domain config from the Mac and starting again and see how it goes.
0
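The name and clock checks from the list above can be scripted before binding a Mac. This is an added example, not part of the thread: the function names are hypothetical, the 300-second limit is the Active Directory default Kerberos clock-skew tolerance rather than a figure from the comment, and the domain controller's time has to be obtained separately and passed in as an epoch timestamp.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make the a-z range below mean ASCII only
MAX_SKEW=300              # assumption: AD default Kerberos tolerance (5 min)

# Name rule as stated in the checklist: under 16 characters,
# containing only a-z, 0-9 and hyphens.
check_computer_name() {
    name=$1
    [ -n "$name" ] || { echo "empty name"; return 1; }
    [ "${#name}" -lt 16 ] || { echo "too long (${#name} characters)"; return 1; }
    case $name in
        *[!a-z0-9-]*) echo "character outside a-z, 0-9, hyphen"; return 1 ;;
    esac
    echo "ok"
}

# Compare two epoch timestamps (this Mac, domain controller).
check_skew() {
    diff=$(( $1 - $2 ))
    [ "$diff" -ge 0 ] || diff=$(( 0 - diff ))
    if [ "$diff" -gt "$MAX_SKEW" ]; then
        echo "clocks differ by ${diff}s"; return 1
    fi
    echo "ok (${diff}s)"
}

# Constructed sample values, for illustration only.
for n in design-mac-01 marketing-macbook-pro-07 Design_Mac; do
    printf '%-26s %s\n' "$n" "$(check_computer_name "$n")"
done
printf '%-26s %s\n' "skew 120s" "$(check_skew 1385100120 1385100000)"

# On a Mac, check the name the machine currently reports.
if command -v scutil >/dev/null 2>&1; then
    printf '%-26s %s\n' "LocalHostName" \
        "$(check_computer_name "$(scutil --get LocalHostName)")"
fi
```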
 

Author Comment

by:grsg
ID: 39687365
Thanks Learnctx,  I have checked that I comply with all of your points and I do.  I can change the passwords using OWA, but that seems unnecessary.  Management also want to be able to force password changes at login and at the moment this isn't possible.  Is there a Group Policy for Macs that I need to modify?
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 39694509
Are you trying to change the password through system settings or at the login screen?
0
 

Author Comment

by:grsg
ID: 39697813
I've tried going through System prefs > Accounts and clicking change password in there and I've ticked 'User must change password at next login' on the server, so when the user logs in they are prompted to change the password, but whatever they try to change it to, it's rejected.  Both methods won't allow me to change the passwords.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 39704232
This looks like it might have some promising options: https://discussions.apple.com/message/6890704#6890704. Apart from this I do not know, it seems like obviously some kind of Mac AD integration issue. I would say GPOs are not the problem, but as it is a Mac in a Windows environment I suppose anything is possible.
0
 

Author Comment

by:grsg
ID: 39711538
Thanks Learnctx, I've had to wait for an opportunity to try this, hence late reply.  I followed the steps though and it didn't make any difference, I still can't change the passwords.  A new development is that two freshly reinstalled Macs don't have this problem after I join them to the domain, they can change their passwords and work as expected.
0
 
LVL 38

Accepted Solution

by:Aaron Tomosky
ID: 39724219
I gave up on Mountain Lion doing this along with all the OS X that came before. Haven't tried Mavericks yet though. Something to do with not being able to get a Kerberos ticket but I don't understand the really low level stuff.

Since I have a bunch of laptops and OS X binding still doesn't cache password hashes it's basically unusable. I use the free Centrify to join. It's free and works great and does hash caching.
0
 

Author Closing Comment

by:grsg
ID: 39729444
Thanks aarontomosky, it sounds like you've had similar difficulties to those that I'm experiencing and Centrify sounds like it will do what I want.  I've been to the site and will try it out.  Thanks for the suggestion. G
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39729788
Here is my short list of steps:
Completely unjoin, reboot, log in as a local admin user, make sure you don't have local user accounts with the same names as your AD accounts, install Centrify and join.
At this point I open Terminal and run "id username", replacing username with the actual name. This should return the AD user. Then I run something like
sudo dscl . -append /Groups/admin GroupMembership username
I don't have the exact syntax on hand but it adds the network user to the local admin group if you want your person to have that, I do.
Then you can reboot and log in as them.

Don't let Centrify map an already existing user to a network user, I had problems with this. Maybe it works better now but the way I listed above works every time.
0
