Solved

Macs not logging in if "user must change password at next login" is checked in their ad account

Posted on 2016-09-26
11
135 Views
Last Modified: 2016-10-03
We use active directory and the macs at one of the schools seem to have an issue logging in if the user has "user must change password at next logon" checked off.  If I uncheck it they can login just fine but if they are required to change their password it does not login. Any idea what might be causing this?
0
Comment
Question by:Roccat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
11 Comments
 
LVL 9

Assisted Solution

by:Tim Lapin
Tim Lapin earned 250 total points
ID: 41816102
Which versions of Mac OS  and AD are you running?  Have they been patched to most recent levels for their respective versions?

One option:  OWA
Do you have an exchange server with OWA (Outlook Web Access) enabled as well?  Is it set to use the domain password for mail?  If so, try having one one of the Mac users log in via OWA and change the password that way.  I have read some stuff that indicates it might work for you.

Other people use a product called Centrify.  I have no experience with it but I mention it in case it might help you.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 41816133
Are the Macs joined to the domain?
0
 

Author Comment

by:Roccat
ID: 41816152
The macs are joined to the domain. We have a few thousand. They all seem to work fine except this lab it seems.   We don't use outlook web access.  I have heard of centrify but we have not needed it in the past because things usually work fine.  I believe things are updated fully.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Roccat
ID: 41816156
The macs in question are 10.9.5  The domain functional level is still at 2003.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 41816190
Have you compared the AD binding settings between one that works and one in the lab to see if there are any differences that might account for this behavior?
0
 

Author Comment

by:Roccat
ID: 41816195
Yeah. I have compared. Rebinded multiple times.  Settings look to be the same.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 250 total points
ID: 41823372
Have you tried having one of those users log onto a Mac somewhere else; assuming they have rights to do so, or have you tried physically moving one of those Macs to another lab or building?  This would help rule out something in the network or the actual OS X install on one of the problem Macs.
0
 

Author Comment

by:Roccat
ID: 41823383
Yeah, i tried that user account on a mac on my desk and it works fine.  Just seems to be this lab.
0
 
LVL 9

Accepted Solution

by:
Tim Lapin earned 250 total points
ID: 41823701
You mentioned that the macs in question are all Mavericks (10.9.5) machines.  Are the ones that are working fine also running Mavericks?

What happens if you swap two Macs (one from the problem lab and one from a working area)?  Does the problem follow the computer or stay within the lab?
0
 

Author Comment

by:Roccat
ID: 41826923
There are working mavericks machines .  I will try that when I have a chance to visit the site.
0
 

Author Closing Comment

by:Roccat
ID: 41826925
Thanks!
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question