Solved

Mac Keychain and Active Directory problems

Posted on 2014-12-01
1,995 Views
Last Modified: 2014-12-05
We have a bunch of Mac laptops in our organization. I am more of a Windows person and don't have much Mac experience. We have our Active Directory set up to require users to change their passwords every 90 days. It seems like we are constantly having problems with the Mac users when they change their Active Directory password. Because we also have a group policy to lock out users after 4 bad password attempts, our Mac users constantly get locked out of their domain accounts because of failed attempts (apparently) when they change their expiring password. My basic understanding is that the "keychain" thing on the Macs still contains the old AD passwords and this is why they keep getting locked out. I also know that in the Keychain Access program, there is an option to "change password for keychain logon". Even when we change this to match the AD password, it still seems to lock users out frequently. In addition, it seems that MS Outlook (on the Macs) still requires credentials when the AD password is changed. My question is, I'd like to understand the AD password on the Macs better so I can try and find out why users are constantly getting locked out when they reset their passwords. There still seems to be a missing component even when we set the option to "change password for keychain access". In Windows, it's a very simple thing to change your AD password, but it's very different on the Mac (at least it seems).
Question by:jbobst
2 Comments
LVL 28

Accepted Solution

by:
serialband earned 500 total points
ID: 40475110
Make sure the Mac is connected to the domain.
Open System Preferences
Open Users and Groups
Click Change Password


That should change both the AD password and update the keychain password at the same time.

Unfortunately, there are numerous other passwords that a user can save to the keychain, and those don't get updated until you visit a page, connect to wireless, etc. It's best to reboot before you change the password, or, at the very least, close your other apps that require a domain password. That way, those saved keychain passwords don't keep getting called up. The same thing would happen if you remote desktopped to several systems: you'd have to log out of each one before changing your password, or you'd be locked out as soon as you've changed it.

You'll need to either delete each keychain password and update them with the new passwords, or just delete the entire keychain and start over (mv ~/Library/Keychains/login.keychain ~/login.keychain.save). If your users don't know how, then it can be quickly deleted or moved aside and a new one will be created. This will delete all their old saved passwords, and sometimes that's just simplest.
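As an added example (not part of serialband's answer above), the shell script below carries out the "move the keychain aside" step the answer describes, with a few precautions a helpdesk would want: it checks the domain binding first, keeps timestamped backups instead of overwriting a single login.keychain.save, and handles both the login.keychain filename of the OS X releases in this thread and the login.keychain-db filename used by macOS 10.12 and later. The backup directory name, the --apply flag and the use of dsconfigad and security for the checks are this example's own choices, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the original answer: reset a Mac user's login keychain
# so the OS creates a fresh, empty one at the next login.
# Assumptions: run as the affected user, AFTER the AD password has been changed
# via System Preferences > Users & Groups and AFTER quitting Outlook, Mail and any
# other app that holds a saved domain password (otherwise those apps keep
# replaying the old password and trigger the AD lockout). macOS 10.12+ names the
# file login.keychain-db, earlier releases login.keychain; both are handled.

# move_keychain_aside KEYCHAIN_PATH BACKUP_DIR
# Renames KEYCHAIN_PATH into BACKUP_DIR with a timestamp so a second reset never
# clobbers an earlier backup. Prints the backup path; returns 1 if no such file.
move_keychain_aside() {
    kc=$1
    backup_dir=$2
    [ -f "$kc" ] || { echo "no keychain at $kc" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    dest="$backup_dir/$(basename "$kc").$(date +%Y%m%d-%H%M%S).save"
    mv "$kc" "$dest" || return 1
    echo "$dest"
}

# count_saved_items KEYCHAIN_PATH
# Counts items stored in the keychain (each item in `security dump-keychain`
# output starts with a "keychain:" line), so you can see how many stale
# credentials the user carries before wiping. Prints -1 where the macOS
# `security` tool is unavailable or the file is missing.
count_saved_items() {
    if command -v security >/dev/null 2>&1 && [ -f "$1" ]; then
        security dump-keychain "$1" 2>/dev/null | grep -c '^keychain:' || true
    else
        echo -1
    fi
}

# reset_login_keychain HOME_DIR
# Moves every login keychain found under HOME_DIR/Library/Keychains into
# HOME_DIR/keychain-backups (this example's chosen location).
# Returns 0 if at least one file was moved, 1 if none was found.
reset_login_keychain() {
    home=$1
    moved=0
    for name in login.keychain login.keychain-db; do
        kc="$home/Library/Keychains/$name"
        [ -f "$kc" ] || continue
        echo "saved items in $name: $(count_saved_items "$kc")"
        move_keychain_aside "$kc" "$home/keychain-backups" && moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ]
}

# domain_bound
# The answer's first check: is this Mac bound to an AD domain? Uses dsconfigad,
# whose -show output lists "Active Directory Domain = ..." when bound.
# Returns 2 where dsconfigad does not exist (i.e. not on macOS).
domain_bound() {
    command -v dsconfigad >/dev/null 2>&1 || return 2
    dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'
}

# Only act when explicitly asked; a bare invocation just prints usage.
case "${1:-}" in
    --apply)
        domain_bound || echo "warning: could not confirm AD domain binding" >&2
        reset_login_keychain "$HOME" && \
            echo "done; log out and back in so a fresh keychain is created"
        ;;
    *)
        echo "usage: $0 --apply   (change the AD password and quit Outlook/Mail first)"
        ;;
esac
```

After logging back in, the new keychain is created with the current login password, and each application asks for its credentials once instead of silently retrying the old ones; the timestamped backups in ~/keychain-backups can be opened later in Keychain Access if a user needs to recover a non-domain password.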
LVL 1

Author Comment

by:jbobst
ID: 40483013
Thanks for the help. We deleted the keychain and it seems to work now.