Solved

Mac Keychain and Active Directory problems

Posted on 2014-12-01
2
2,297 Views
Last Modified: 2014-12-05
We have a bunch of Mac laptops in our organization.  I am more of a Windows person and don't have much Mac experience.  We have our Active Directory set up to require users to change their passwords every 90 days.  It seems like we are constantly having problems with the Mac users when they change their Active Directory password.  Because we also have a group policy to lock out users after 4 bad password attempts, our Mac users constantly get locked out of their domain accounts because of failed attempts (apparently) when they change their expiring password.  My basic understanding is that the "keychain" thing on the Macs still contains the old AD passwords and this is why they keep getting locked out.  I also know that in the Keychain Access program, there is an option to "change password for keychain login".  Even when we change this to match the AD password, it still seems to lock users out frequently.  In addition, it seems that MS Outlook (on the Macs) still requires credentials when the AD password is changed.   My question is, I'd like to understand the AD password on the Macs better so I can try and find out why users are constantly getting locked out when they reset their passwords.  There still seems to be a missing component even when we set the option to "change password for keychain access".  In Windows, it's a very simple thing to change your AD password, but it's very different on the Mac (at least it seems).
0
Question by:jbobst
2 Comments
 
LVL 29

Accepted Solution

by:
serialband earned 500 total points
ID: 40475110
Make sure the Mac is connected to the domain.
Open System Preferences
Open Users and Groups
Click Change Password


That should change both the AD password and update the keychain password at the same time.

Unfortunately, there are numerous other passwords that a user can save to the keychain and those don't get updated until you visit a page, connect to wireless, etc.  It's best to reboot before you change the password, or, at the very least, close your other apps that require a domain password.  That way, those saved keychain passwords don't keep getting called up.  The same thing would happen if you remote desktopped to several systems.  You'd have to log out of each one before changing your password or you'd be locked out as soon as you've changed it.

You'll need to either delete each keychain password and update them with the new passwords, or just delete the entire keychain and start over.  (mv ~/Library/Keychains/login.keychain ~/login.keychain.save)  If your users don't know how, then it can be quickly deleted or moved aside and a new one will be created.  This will delete all their old saved passwords and sometimes that's just simplest.
0
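The "move the login keychain aside" step from the accepted answer, as an added shell example that is not part of the original thread or of Apple's tooling. It wraps the answer's mv command so it handles both keychain file names (login.keychain on older releases and login.keychain-db on macOS 10.12 and later), keeps a timestamped copy instead of overwriting a previous .save file, and refuses to report success when nothing was found. The function names, the backup directory, the directory override arguments and the grep on dsconfigad's output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Moves a user's login keychain
# out of the way so macOS builds a fresh one at the next login, which is what
# stops the stale saved AD password from being replayed against the domain.

rotate_login_keychain() {
    # Both arguments are optional overrides (assumed for this example);
    # the defaults are the real locations for the current user.
    keychain_dir="${1:-$HOME/Library/Keychains}"
    backup_dir="${2:-$HOME/keychain-backups}"
    stamp="$(date +%Y%m%d-%H%M%S)"
    moved=0

    mkdir -p "$backup_dir" || return 1

    # Older macOS used login.keychain; 10.12 and later use login.keychain-db.
    # Move whichever exists rather than deleting it, so the user can still
    # open the old file in Keychain Access to recover a Wi-Fi or site password.
    for name in login.keychain login.keychain-db; do
        src="$keychain_dir/$name"
        if [ -f "$src" ]; then
            mv "$src" "$backup_dir/$name.$stamp.save" || return 1
            moved=$((moved + 1))
        fi
    done

    if [ "$moved" -eq 0 ]; then
        echo "no login keychain found in $keychain_dir" >&2
        return 2
    fi

    # The running session still holds the old keychain open; a fresh one is
    # only created once the user logs out and back in (or reboots).
    echo "moved $moved keychain file(s) to $backup_dir; log out and back in to get a fresh keychain"
    return 0
}

# Sanity check before touching anything: confirm the Mac is actually bound to
# the domain, as the answer's first step says. dsconfigad only exists on macOS,
# so the check is skipped elsewhere. The grep assumes the "Active Directory
# Domain = ..." line that dsconfigad -show prints on a bound machine.
check_ad_binding() {
    if command -v dsconfigad >/dev/null 2>&1; then
        dsconfigad -show | grep -q 'Active Directory Domain' || {
            echo "this Mac is not bound to an AD domain" >&2
            return 1
        }
    fi
    return 0
}

# Typical use on the affected Mac, after the AD password has been changed
# through System Preferences > Users & Groups:
#   check_ad_binding && rotate_login_keychain
```

Run it as the affected user, not as root, so the defaults resolve to that user's Library folder; then have the user log out so loginwindow creates the new keychain and prompts once for the current AD password.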
 
LVL 1

Author Comment

by:jbobst
ID: 40483013
Thanks for the help.  We deleted the keychain and it seems to work now.
0
