Solved

MAC Keychain password issues

Posted on 2013-12-24
Last Modified: 2013-12-27
In our network we have some Mac machines that are joined to Active Directory.
When there is an Active Directory password change for a user, most of the time the login keychain password does not sync with the AD password, and Mac users will notice those pop-ups to enter their password each time.

I wonder if there is a way on the Mac to synchronize the login keychain password with the AD password.

I am not familiar with Macs, so I have read about different solutions, but have not seen one that talks about just synchronizing the login keychain with the AD password.

Any help will be very much appreciated.

Thank you
Question by:jskfan
LVL 53

Assisted Solution

by:strung
strung earned 125 total points
ID: 39739102
There are several solutions suggested here:

https://groups.google.com/forum/#!topic/macenterprise/b2xZttuVkPk

including user education, a terminal command to ensure users are reminded to sync their keychain, and a third-party application called Keychain Minder Tools.
0
 
LVL 28

Assisted Solution

by:serialband
serialband earned 375 total points
ID: 39740886
Generally, if you change your account password from the Mac, it will also update the Keychain.  Mac users should just make password changes on their Macs.  Don't ever have them change it on another system.
0
 

Author Comment

by:jskfan
ID: 39740926
<<Generally, if you change your account password from the Mac>>

When the password expires in AD, Mac users will call the administrator, who will change it for them in AD. Then Mac users will be able to log in, but they will keep getting pop-ups to enter the password for each application they launch. It means something is out of sync somewhere.
0
 
LVL 28

Assisted Solution

by:serialband
serialband earned 375 total points
ID: 39740979
Then you need to send a password expiration reminder to your Mac Users so they don't get into that situation.  Once they do, your tech support should keep them on the phone and have them start their Keychain Access app to change their keychain password at that time, while they still remember their previous password.

There's an ugly work-around for this, and that's to get them off wired ethernet.  Mac wireless connections are disabled until you log in.  They'll be able to use their old password to log into their Mac until they change it and force the cache to update, which will then also update the keychain password.  While they'll still be able to log in with the old password, the new password is needed to connect to file shares and other services.
0
 

Author Comment

by:jskfan
ID: 39740992
<<<Then you need to send a password expiration reminder to your Mac Users so they don't get into that situation.  Once they do, your tech support should keep them on the phone and have them start their Keychain Access app to change their keychain password at that time, while they still remember their previous password>>>.


How do they change the keychain password after the administrator has changed the AD password for them and communicated it to them?
0
 
LVL 28

Accepted Solution

by:
serialband earned 375 total points
ID: 39741005
Have them start Keychain Access.app in /Applications/Utilities/

Once Keychain Access has started, go to Edit --> Change Password for Keychain Login.

It will prompt for the old password and the new password.  The user should enter the old password and whatever new password your admin has set the account to.
0
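
The Keychain Access steps in the accepted answer can also be done from Terminal with the macOS `security` tool; this is an added example, not part of the original thread. The function names and the `sync` argument are hypothetical, and the `login.keychain-db` file name is an assumption for macOS releases newer than the ones the thread covers.

```shell
#!/bin/sh
# Added example: Terminal equivalent of Keychain Access > Edit > Change Password.
# Run as the affected user, on the Mac, after the admin has reset the AD password.

# Print the login keychain file found under the given home directory.
# "login.keychain-db" is assumed for newer macOS; "login.keychain" for older.
login_keychain_path() {
    home_dir="$1"
    for name in login.keychain-db login.keychain; do
        if [ -f "$home_dir/Library/Keychains/$name" ]; then
            printf '%s\n' "$home_dir/Library/Keychains/$name"
            return 0
        fi
    done
    return 1
}

# Change the login keychain password from the old AD password to the new one.
# No -o/-p arguments are passed, so `security` prompts for both passwords and
# neither one lands in shell history or the process list.
sync_login_keychain() {
    home_dir="${1:-$HOME}"
    command -v security >/dev/null 2>&1 || {
        echo "security tool not found (is this a Mac?)" >&2
        return 127
    }
    keychain=$(login_keychain_path "$home_dir") || {
        echo "no login keychain under $home_dir" >&2
        return 2
    }
    security set-keychain-password "$keychain" || {
        echo "keychain password not changed (wrong old password?)" >&2
        return 1
    }
}

# Only act when called as: sh script.sh sync
if [ "${1:-}" = "sync" ]; then
    sync_login_keychain
fi
```

The user still has to remember the previous password, exactly as in the Keychain Access dialog; a non-zero exit status means the keychain password was left unchanged.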
 

Author Closing Comment

by:jskfan
ID: 39742261
Thank you
0


Question has a verified solution.
