aaronfromhalifax

Q: Active Directory & Keychain Password Sync

We've been introducing some Macs into our Active Directory environment and I'm a little confused about how best to handle the local Keychain password. We're joining systems to the domain so that users can use their network password to log in to their Macs (accounts are set up as Admin, Managed, Mobile) and so far that is working great.

It's my understanding that the password on the default login keychain is set automatically when the user account is created, so it would match the password the user first used to log in to the Mac. However, we have a password expiration policy here, so users are changing their passwords at least every 3 months. As I understand it, by default the login keychain password is static, so I'm concerned that users are going to either forget the keychain password, or assume it is the same as their network password, and be unable to unlock the keychain should they ever be prompted.

I've tried enabling the "synchronize login keychain password with account" setting in Keychain Access, but this causes another issue. When the user changes their network password, the next time they log in to the Mac they receive a Keychain prompt asking them to enter their old keychain password in order to keep the keychain password in sync.

Is there any way to keep the keychain password synchronized to a user's AD account password without prompting them at all? Or is there an accepted "best practice" regarding the keychain in Active Directory?

Thanks

Mac OS X (10.7)

Posted on Mar 22, 2012 7:32 AM


    Gordon Kaplan (Level 2, 279 points), May 20, 2016 8:37 AM, in response to aaronfromhalifax

    I realize this is a very old posting and my feedback may also be antiquated. In a similar enterprise environment in Redmond, WA we simply instructed users to change the keychain password WHEN changing the AD password, or we did it for/with them either in person or remotely. Yes, it's yet another thing to do, but it diminished the pain significantly. There is some talk that a pre-emptive password change in the Apple System Preferences pushes the new password across to the Keychain interface. I've not personally done this so I can't testify to it. But it does make logical sense.