Solved

Mac Keychain and Active Directory problems

Posted on 2014-12-01
2
1,845 Views
Last Modified: 2014-12-05
We have a bunch of Mac laptops in our organization.  I am more of a Windows person and don't have much Mac experience.  We have our Active Directory setup to require users to change their passwords every 90 days.  It seems like we are constantly having problems with the Mac users when they change their Active Directory password.  Because we also have a group policy to lock out users after 4 bad password attempts, our Mac users constantly get locked out of their domain accounts because of failed attempts (apparently) when they change their expiring password.  My basic understanding is that the "keychain" thing on the Mac's still contain the old AD passwords and this is why they keep getting locked out.  I also know that in the Keychain access program, there is an option to "change password for keychain logon".  Even when we change this to match the AD password, it still seems to lock users out frequently.  In addition, it seems that MS Outlook (on the macs) still require credentials when the AD password is changed.   My question is, I'd like to understand the AD password on the Mac's better so I can try and find out why users are constantly getting locked out when they reset their passwords.  There still seems to be a missing component even when we set the option to "chane password for keychain access".  In Windows, it's a very simple thing to change your AD password, but it's very different on the Mac (at least it seems).
0
Comment
Question by:jbobst
2 Comments
 
LVL 28

Accepted Solution

by:
serialband earned 500 total points
ID: 40475110
Make sure mac is connected to the domain.
Open System Preferences
Open Users and Groups
Click Change Password


That should change both the AD password and update the keychain password at the same time.

Unfortunately, there are numerous other passwords that a user can save to the keychain and those don't get updated until you visit a page, connect to wireless, etc....  It's best to reboot before you change the password, or, at the very least close your other apps that require a domain password.  That way, those saved keychain passwords don't keep getting called up.  The same thing would happen if you remote desktopped to several systems.  You'd have to log out of each one before changing your password or you'd be locked out as soon as you've changed it.

You'll need to either delete each keychain password and update them with the new passwords or just delete the entire keychain and start over.  (mv ~/Library/Keychains/login.keychain ~/login.keychain.save)  If your users don't know how, then it can be quickly delete or moved aside and a new one will be created.  This will delete all their old save passwords and sometimes that's just simplest.
0
 
LVL 1

Author Comment

by:jbobst
ID: 40483013
Thanks for the help.  We deleted the keychain and seems to work now.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we have discussed about the OS X EI Capitan and how to fix Wi-Fi issue in OS X El Capitan. We have explained how to delete system level preferences and create a new Wi-Fi location to resolve Wi-Fi issue.
Set up iPhone and iPad email signatures to always send in high-quality HTML with this step-by step guide.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now