Mac Keychain and Active Directory problems

Solved. Posted on 2014-12-01. 1,664 Views. Last Modified: 2014-12-05
We have a bunch of Mac laptops in our organization. I am more of a Windows person and don't have much Mac experience. We have our Active Directory set up to require users to change their passwords every 90 days. It seems like we are constantly having problems with the Mac users when they change their Active Directory password. Because we also have a group policy to lock out users after 4 bad password attempts, our Mac users constantly get locked out of their domain accounts because of failed attempts (apparently) when they change their expiring password. My basic understanding is that the "keychain" thing on the Macs still contains the old AD passwords and this is why they keep getting locked out. I also know that in the Keychain Access program, there is an option to "change password for keychain logon". Even when we change this to match the AD password, it still seems to lock users out frequently. In addition, it seems that MS Outlook (on the Macs) still requires credentials when the AD password is changed. My question is, I'd like to understand the AD password on the Macs better so I can try and find out why users are constantly getting locked out when they reset their passwords. There still seems to be a missing component even when we set the option to "change password for keychain access". In Windows, it's a very simple thing to change your AD password, but it's very different on the Mac (at least it seems).
Question by: jbobst

2 Comments
Accepted Solution by: serialband (earned 500 total points, ID: 40475110)
Make sure the Mac is connected to the domain.
Open System Preferences.
Open Users and Groups.
Click Change Password.

That should change both the AD password and update the keychain password at the same time.

Unfortunately, there are numerous other passwords that a user can save to the keychain, and those don't get updated until you visit a page, connect to wireless, etc. It's best to reboot before you change the password, or, at the very least, close your other apps that require a domain password. That way, those saved keychain passwords don't keep getting called up. The same thing would happen if you remote desktopped to several systems. You'd have to log out of each one before changing your password or you'd be locked out as soon as you've changed it.

You'll need to either delete each keychain password and update them with the new passwords, or just delete the entire keychain and start over. (mv ~/Library/Keychains/login.keychain ~/login.keychain.save) If your users don't know how, then it can be quickly deleted or moved aside and a new one will be created. This will delete all their old saved passwords, and sometimes that's just simplest.
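The answer above recommends either removing the stale items one by one or throwing the whole login keychain away. The script below is an added example, not part of the original thread or of any Apple tool: it parses the text that `security dump-keychain ~/Library/Keychains/login.keychain` prints, lists every item saved under the domain account name (the Exchange/Outlook, 802.1X Wi-Fi and SMB entries that keep replaying the old password and tripping the 4-attempt lockout), and prints, without running them, the `security delete-internet-password` / `security delete-generic-password` commands that would remove just those items. `SAMPLE_DUMP` is constructed sample output laid out the way `dump-keychain` prints it, not a real keychain; the function names are this example's own; and the keychain path is the one the answer uses (macOS Sierra and later name the file `login.keychain-db` instead).

```shell
#!/bin/sh
# Added example (not part of the original thread). Parses the text that
#   security dump-keychain ~/Library/Keychains/login.keychain
# prints, lists every item saved under a given account name, and then prints
# (without running) the `security` commands that would remove only those
# items instead of discarding the whole keychain.
# SAMPLE_DUMP is constructed sample output in dump-keychain's layout, not a
# real keychain; the function names are this example's own.

SAMPLE_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "srvr"<blob>="mail.example.com"
    "ptcl"<uint32>="imap"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="jdoe"
    "svce"<blob>="com.apple.network.eap.user.item.wlan.ssid.CORPWIFI"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="personal@example.net"
    "svce"<blob>="Dropbox"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "srvr"<blob>="fileserver.corp.example.com"
    "ptcl"<uint32>="smb "'

# domain_items ACCOUNT: read dump-keychain text on stdin and print one line
# per item whose "acct" attribute equals ACCOUNT, as "<class> <server-or-service>".
# inet = internet password (keyed by srvr), genp = generic password (keyed by svce).
domain_items() {
    awk -v want="$1" '
        function val(line,  s) { s = line; sub(/^[^=]*="/, "", s); sub(/"$/, "", s); return s }
        function flush() {
            if (cls != "" && acct == want) print cls " " where
            cls = ""; acct = ""; where = ""
        }
        /^keychain: /                      { flush(); next }
        /^class: /                         { gsub(/"/, "", $2); cls = $2; next }
        /"acct"<blob>=/                    { acct = val($0); next }
        /"srvr"<blob>=/ || /"svce"<blob>=/ { where = val($0); next }
        END                                { flush() }
    '
}

# delete_commands ACCOUNT: turn domain_items output (stdin) into the matching
# `security delete-...-password` commands. Print only; review before running.
delete_commands() {
    while read -r cls where; do
        case $cls in
            inet) printf "security delete-internet-password -a '%s' -s '%s' ~/Library/Keychains/login.keychain\n" "$1" "$where" ;;
            genp) printf "security delete-generic-password -a '%s' -s '%s' ~/Library/Keychains/login.keychain\n" "$1" "$where" ;;
        esac
    done
}

# sample_domain_items ACCOUNT: run domain_items over the constructed sample.
sample_domain_items() {
    printf '%s\n' "$SAMPLE_DUMP" | domain_items "$1"
}

# Stand-alone run against the sample. On a real Mac, feed the live dump instead:
#   security dump-keychain ~/Library/Keychains/login.keychain | domain_items "$USER"
echo "Items stored for jdoe:"
sample_domain_items jdoe
echo "Commands that would remove them:"
sample_domain_items jdoe | delete_commands jdoe
```

Run this before the user changes the password, with Outlook, Wi-Fi and any mounted shares disconnected as the answer advises, so you know which entries will replay the old credential; deleting just those and letting the user re-enter the new password once avoids wiping the unrelated personal items (the `Dropbox` entry in the sample) that a wholesale `mv` of the keychain throws away.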
Author Comment by: jbobst (ID: 40483013)
Thanks for the help. We deleted the keychain and it seems to work now.