Solved

Macs not logging in if "user must change password at next login" is checked in their ad account

Posted on 2016-09-26
11
54 Views
Last Modified: 2016-10-03
We use active directory and the macs at one of the schools seem to have an issue logging in if the user has "user must change password at next logon" checked off.  If I uncheck it they can login just fine but if they are required to change their password it does not login. Any idea what might be causing this?
0
Comment
Question by:Roccat
  • 6
  • 3
  • 2
11 Comments
 
LVL 8

Assisted Solution

by:Tim Lapin
Tim Lapin earned 250 total points
ID: 41816102
Which versions of Mac OS  and AD are you running?  Have they been patched to most recent levels for their respective versions?

One option:  OWA
Do you have an exchange server with OWA (Outlook Web Access) enabled as well?  Is it set to use the domain password for mail?  If so, try having one one of the Mac users log in via OWA and change the password that way.  I have read some stuff that indicates it might work for you.

Other people use a product called Centrify.  I have no experience with it but I mention it in case it might help you.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 41816133
Are the Macs joined to the domain?
0
 

Author Comment

by:Roccat
ID: 41816152
The macs are joined to the domain. We have a few thousand. They all seem to work fine except this lab it seems.   We don't use outlook web access.  I have heard of centrify but we have not needed it in the past because things usually work fine.  I believe things are updated fully.
0
 

Author Comment

by:Roccat
ID: 41816156
The macs in question are 10.9.5  The domain functional level is still at 2003.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 41816190
Have you compared the AD binding settings between one that works and one in the lab to see if there are any differences that might account for this behavior?
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:Roccat
ID: 41816195
Yeah. I have compared. Rebinded multiple times.  Settings look to be the same.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 250 total points
ID: 41823372
Have you tried having one of those users log onto a Mac somewhere else; assuming they have rights to do so, or have you tried physically moving one of those Macs to another lab or building?  This would help rule out something in the network or the actual OS X install on one of the problem Macs.
0
 

Author Comment

by:Roccat
ID: 41823383
Yeah, i tried that user account on a mac on my desk and it works fine.  Just seems to be this lab.
0
 
LVL 8

Accepted Solution

by:
Tim Lapin earned 250 total points
ID: 41823701
You mentioned that the macs in question are all Mavericks (10.9.5) machines.  Are the ones that are working fine also running Mavericks?

What happens if you swap two Macs (one from the problem lab and one from a working area)?  Does the problem follow the computer or stay within the lab?
0
 

Author Comment

by:Roccat
ID: 41826923
There are working mavericks machines .  I will try that when I have a chance to visit the site.
0
 

Author Closing Comment

by:Roccat
ID: 41826925
Thanks!
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

The /etc/authorization file in Mac OS X 10.x can be used to control access to the various panes of the System Preferences amongst other things. It’s used by some of us Mac Sys Admin’s to give Standard Users access to System Prefs panes that only adm…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now