Solved

Macs not logging in if "user must change password at next login" is checked in their AD account

Posted on 2016-09-26
Last Modified: 2016-10-03
We use Active Directory and the Macs at one of the schools seem to have an issue logging in if the user has "user must change password at next logon" checked off. If I uncheck it they can log in just fine, but if they are required to change their password it does not log in. Any idea what might be causing this?
Question by:Roccat
11 Comments
 
LVL 9

Assisted Solution

by:Tim Lapin
Tim Lapin earned 250 total points
ID: 41816102
Which versions of Mac OS and AD are you running? Have they been patched to the most recent levels for their respective versions?

One option: OWA
Do you have an Exchange server with OWA (Outlook Web Access) enabled as well? Is it set to use the domain password for mail? If so, try having one of the Mac users log in via OWA and change the password that way. I have read some stuff that indicates it might work for you.

Other people use a product called Centrify.  I have no experience with it but I mention it in case it might help you.
 
LVL 28

Expert Comment

by:jhyiesla
ID: 41816133
Are the Macs joined to the domain?
 

Author Comment

by:Roccat
ID: 41816152
The Macs are joined to the domain. We have a few thousand. They all seem to work fine except this lab, it seems. We don't use Outlook Web Access. I have heard of Centrify but we have not needed it in the past because things usually work fine. I believe things are updated fully.

Author Comment

by:Roccat
ID: 41816156
The Macs in question are 10.9.5. The domain functional level is still at 2003.
 
LVL 28

Expert Comment

by:jhyiesla
ID: 41816190
Have you compared the AD binding settings between one that works and one in the lab to see if there are any differences that might account for this behavior?
 

Author Comment

by:Roccat
ID: 41816195
Yeah. I have compared. Rebound multiple times. Settings look to be the same.
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 250 total points
ID: 41823372
Have you tried having one of those users log onto a Mac somewhere else, assuming they have rights to do so, or have you tried physically moving one of those Macs to another lab or building? This would help rule out something in the network or the actual OS X install on one of the problem Macs.
 

Author Comment

by:Roccat
ID: 41823383
Yeah, I tried that user account on a Mac on my desk and it works fine. Just seems to be this lab.
 
LVL 9

Accepted Solution

by:Tim Lapin
Tim Lapin earned 250 total points
ID: 41823701
You mentioned that the Macs in question are all Mavericks (10.9.5) machines. Are the ones that are working fine also running Mavericks?

What happens if you swap two Macs (one from the problem lab and one from a working area)? Does the problem follow the computer or stay within the lab?
 

Author Comment

by:Roccat
ID: 41826923
There are working Mavericks machines. I will try that when I have a chance to visit the site.
 

Author Closing Comment

by:Roccat
ID: 41826925
Thanks!