Mac Keychain and Active Directory problems

We have a bunch of Mac laptops in our organization.  I am more of a Windows person and don't have much Mac experience.  We have our Active Directory setup to require users to change their passwords every 90 days.  It seems like we are constantly having problems with the Mac users when they change their Active Directory password.  Because we also have a group policy to lock out users after 4 bad password attempts, our Mac users constantly get locked out of their domain accounts because of failed attempts (apparently) when they change their expiring password.  My basic understanding is that the "keychain" thing on the Mac's still contain the old AD passwords and this is why they keep getting locked out.  I also know that in the Keychain access program, there is an option to "change password for keychain logon".  Even when we change this to match the AD password, it still seems to lock users out frequently.  In addition, it seems that MS Outlook (on the macs) still require credentials when the AD password is changed.   My question is, I'd like to understand the AD password on the Mac's better so I can try and find out why users are constantly getting locked out when they reset their passwords.  There still seems to be a missing component even when we set the option to "chane password for keychain access".  In Windows, it's a very simple thing to change your AD password, but it's very different on the Mac (at least it seems).
LVL 1
jbobstAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

serialbandCommented:
Make sure mac is connected to the domain.
Open System Preferences
Open Users and Groups
Click Change Password


That should change both the AD password and update the keychain password at the same time.

Unfortunately, there are numerous other passwords that a user can save to the keychain and those don't get updated until you visit a page, connect to wireless, etc....  It's best to reboot before you change the password, or, at the very least close your other apps that require a domain password.  That way, those saved keychain passwords don't keep getting called up.  The same thing would happen if you remote desktopped to several systems.  You'd have to log out of each one before changing your password or you'd be locked out as soon as you've changed it.

You'll need to either delete each keychain password and update them with the new passwords or just delete the entire keychain and start over.  (mv ~/Library/Keychains/login.keychain ~/login.keychain.save)  If your users don't know how, then it can be quickly delete or moved aside and a new one will be created.  This will delete all their old save passwords and sometimes that's just simplest.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jbobstAuthor Commented:
Thanks for the help.  We deleted the keychain and seems to work now.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apple OS

From novice to tech pro — start learning today.