Solved

MAC Keychain password issues

Posted on 2013-12-24
7
3,609 Views
1 Endorsement
Last Modified: 2013-12-27
In our network we have some MAC machines that are joined to Active Directory.
When there is an Active directory password change for a user, then most of the time the login keychain password does not sync with AD password, and MAC users will notice those Popups to enter their password each time..

I wonder if there is a way in MAC to synchronize the login keychain password with AD password.

I am not familiar with MAC, so I have read about  different solutions, but have not seen one that talks about just synchronizing Login keychain with AD password.

Any help will be very much appreciated.

Thank you
1
Comment
Question by:jskfan
  • 3
  • 3
7 Comments
 
LVL 53

Assisted Solution

by:strung
strung earned 125 total points
ID: 39739102
There are several solutions suggested here:

https://groups.google.com/forum/#!topic/macenterprise/b2xZttuVkPk

including user education, a terminal command to ensure users are reminded to sync their keychain and a third party application called Keychain Minder Tools.
0
 
LVL 29

Assisted Solution

by:serialband
serialband earned 375 total points
ID: 39740886
Generally, if you change your account password from the Mac, it will also update the Keychain.  Mac users should just make password changes on their Macs.  Don't ever have them change it on another system.
0
 

Author Comment

by:jskfan
ID: 39740926
<<Generally, if you change your account password from the Mac>>

when the password expires in AD, MAC users will call the administrator and will change it for them in AD, then MAC users will be able to login but they will keep getting Pop Ups to enter password for each application they launch. It means there is an out of sync somewhere .
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 29

Assisted Solution

by:serialband
serialband earned 375 total points
ID: 39740979
Then you need to send a password expiration reminder to your Mac Users so they don't get into that situation.  Once they do, your tech support should keep them on the phone and have them start their Keychain Access app to change their keychain password at that time, while they still remember their previous password.

There's an ugly work-around for this is and that's to get them off wired ethernet.  Mac wireless connections are disabled until you log in.  They'll be able to use their old password to log into their Mac until they change it and force the cache to update, which will then also update the keychain password.  While they'll still be able to login with the old password, the new password is needed to connect to file shares and other services.
0
 

Author Comment

by:jskfan
ID: 39740992
<<<Then you need to send a password expiration reminder to your Mac Users so they don't get into that situation.  Once they do, your tech support should keep them on the phone and have them start their Keychain Access app to change their keychain password at that time, while they still remember their previous password>>>.


How do they change the keychain password after the administrator has changed the AD password for them and communicate it to them ?
0
 
LVL 29

Accepted Solution

by:
serialband earned 375 total points
ID: 39741005
Have them start the KeyChain Access.app in /Applications/Utilities/

Once Keychain Access has started, go to Edit --> Change Password for Keychain Login.

It will prompt for the old password and the new password.  The use should enter the old password and whatever new password your admin has set the account to.
0
 

Author Closing Comment

by:jskfan
ID: 39742261
Thank you
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Set up iPhone and iPad email signatures to always send in high-quality HTML with this step-by step guide.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question