
Password expiration not prompting

We have 50 Macs included in an Active Directory environment. Of those 50, about half are Mac Pros and half are MacBook Pros. All running Lion.


Some are not making users aware of password expiration. Some are counting down 30 days. All have mobile accounts. I have tried to find a difference between 2 systems and there is none. All are on the same image, same patch level. I have tried deleting the keychain and preferences, repairing permissions, resetting PRAM, and rebooting the computer. I have also confirmed the password expiration works properly on Windows machines. However, sometimes if a user has changed their password on a PC (or if I do it manually in Active Directory) the Mac does not sync up with Active Directory. Then you have to use the old password to log into the Mac, and once in it prompts again for server mounting (that would take the new password).


To add to this, when some users try to change their password from the user menu they get the message: "The password for the account "account name" was not changed. Your system administrator may not allow you to change your password or there was some other problem with your password. Contact your system administrator for help."


I have tried to help these users change their password so I know they are meeting all password requirements and are typing in passwords correctly.


How can I troubleshoot these 2 issues further? Are there any logs anywhere I can look at?

MacBook Pro, Mac OS X (10.7.3)

Posted on Aug 13, 2012 11:51 AM


Oct 15, 2012 6:06 PM in response to jiwald

I assumed as much. You are connecting to AD which is a Windows Server environment. Binding a Mac will allow for single sign-on authentication to network shares and for ease of a user having a single user/password combo. However, the Mac is not designed to understand AD policy, such as resetting password.


To allow for something like this to work as expected, you will need to extend your Active Directory Schema to support Mac. You can also look at a tool like JAMF Casper, AdmitMac, Likewise or Centrify to help in the process.


I have seen many companies have this issue with expiring passwords until they have their schema properly extended to support Macs.

Oct 17, 2012 9:11 AM in response to bispymusic

We used to use AdmitMac back when we were using Tiger. We stopped when we upgraded to Snow Leopard.


I looked into Centrify before, but my old boss thought it was overkill for 50 Macs.


Is there any idea of what I can look for as to why SOME do actually count down? Any kext, plist, or anything?


On another note, I just ordered 10 Macs and they will all come with Mountain Lion. What kind of headaches should I prepare myself for in testing those?

Oct 17, 2012 6:18 PM in response to jiwald

All I know is that it is weird and unstable, just as you describe, without proper schema extension. When I did Apple consulting, we had Apple Professional Services often sent out to clients to assist in the schema extension process, and their issues were almost always resolved by whatever the team did. At the basest level, it's that the language AD speaks is very different from what a Mac is expecting to hear. AD binding is basically designed solely for network authentication and single sign-on access to shares. GPOs and other policies are completely unrecognized by the Mac.


I don't see that Mountain Lion will be any different, but I think overall it's quite a nice upgrade. We are currently doing a proof of concept at work for binding our ML systems to the AD domain. Fortunately, though, the company I work at doesn't currently have a password reset policy.


PS: If you are interested in the Professional Services offerings above, message me and I can send you contact information for some folks at Apple.

Oct 18, 2012 9:53 AM in response to bispymusic

I found this:

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CB8QFjAA&url=http%3A%2F%2Ftraining.apple.com%2Fpdf%2Fwp_integrating_active_directory.pdf&ei=Si-AUJebDeOZyQGxh4GABg&usg=AFQjCNF5oBUSgl3hI5AyjtoZxcohJ6t9iA&cad=rja


Best Practices for Integrating OS X Lion with Active Directory

Passwords

Because OS X Lion uses Kerberos, it inherently supports Active Directory password policies and enforces restrictions on the length and complexity of passwords on client systems. Mac users can also change their passwords using the User & Groups preference pane in OS X.

In the days leading up to password expiration, users are notified that their password is about to expire. This gives them the opportunity to change their password in Active Directory—which will reset the expiration timer—using the Users & Groups preference pane on the Mac client. When the password is within 24 hours of expiration, users can’t complete login until they’ve changed their password.

When a Mac system is bound to Active Directory, it sets a computer account password that’s then stored in the System keychain. This computer account password is automatically changed by the client. The default is every 14 days, but you can use the dsconfigad command-line tool to set any interval that your policy requires.

Is it possible the AD expiration (every 60 days) is not in sync with this "every 14 days"? I haven't played with dsconfigad.
