Active Directory-Apple ID password lockout
In my office we have three MacBooks bound to an Active Directory domain, and all three machines experience the same problem. On all three machines we use different local Admin, Mobile AD Managed User accounts. The accounts use private Apple IDs on iTunes and the App Store. All three accounts experienced what seemed to be random AD account lockouts.
We've managed to somewhat narrow it down through troubleshooting to an issue with Apple ID and/or Keychain.
Users had, in the beginning, created their Apple IDs with their business e-mails, and when they logged in to their Apple IDs on the App Store they got locked out of AD almost immediately.
After they changed their Apple IDs to their private e-mails, they got locked out of AD every time they tried to authenticate themselves more than 5 times on the App Store (or anywhere else some app requires an Apple ID), even though their IDs have absolutely nothing in common with their AD account usernames and passwords. Somehow Apple ID or Keychain tries to authenticate itself on AD. Every time you enter a wrong or correct password it raises the "badPwdCount" counter by 1. If you try to authenticate five or more times it causes it to lock the user out of AD because of the "5 wrong passwords GPO" in AD.
Even if the user enters a valid password, it still raises the counter by 1. If the user authenticates Apple ID with his business e-mail the lockout is immediate, which would mean the Apple ID forces itself on AD in rapid succession or does something to it which causes it to lock the user for using the AD e-mail and pass. It doesn't even matter if the pass is the same on AD and Apple ID.
Can you suggest which logs we should check in AD to possibly find the reason, since the logs we checked have no information? Even the attribute that should display the machine name from which the lockout was made holds no information.
We know when the lockouts occur and we manage to avoid them, but we would like to know why they occur. Why does Apple ID, or possibly Keychain, have anything to do with authenticating on AD?
We have researched this issue extensively on the Interwebs and have found no information we could relate to. The only similar posts here on Communities are from way back in 2007, and the lockout issues there revolve around some old passwords stored on an iPad and such. None of that info relates to our AD lockout problems.
We even did some heavy troubleshooting with Certificates but to no avail.
Anyone else have the same or similar problems?
MacBook Air, OS X El Capitan (10.11.6)
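The post asks which AD logs show where a lockout comes from. As an added example (editor's code, not from the poster), the following PowerShell script reads the domain controllers' Security logs for the events that record a lockout and the failed attempts that precede it. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on the DCs remotely, and that auditing of "User Account Management" and "Credential Validation" / "Kerberos Authentication Service" is enabled on the DCs (if those audit categories are off, the events do not exist and the logs really will be empty). `$SamAccountName` is a placeholder for the locked-out user.

```powershell
# Added example, not code from the original post. Finds the origin of an
# Active Directory account lockout from domain-controller Security logs.
# Assumptions: RSAT ActiveDirectory module present, remote read access to the
# DCs' Security logs, and the relevant audit subcategories enabled.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder, e.g. 'jdoe'
    [int] $Hours = 24                                  # how far back to search
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = (Get-ADDomainController -Filter *).HostName

# Flatten the <EventData> section of a Security event into name -> value.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# badPwdCount is not replicated between DCs. Read it on the PDC emulator, which
# is told about every failed attempt; another DC may show 0 during a lockout.
Get-ADUser -Identity $SamAccountName -Server $pdc `
    -Properties badPwdCount, LockedOut, lastBadPasswordAttempt, AccountLockoutTime |
    Select-Object SamAccountName, badPwdCount, LockedOut, lastBadPasswordAttempt, AccountLockoutTime |
    Format-List

# Event 4740 (account locked out) is always written on the PDC emulator.
# TargetUserName is the locked account; TargetDomainName carries the
# "Caller Computer Name". That field can be empty depending on how the bad
# attempts reached the DC, which is why the 4771/4776 search below is needed too.
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} | ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d['TargetUserName'] -eq $SamAccountName) {
        [pscustomobject]@{ Time = $_.TimeCreated; Event = 4740; Caller = $d['TargetDomainName'] }
    }
} | Format-Table -AutoSize

# Events 4771 (Kerberos pre-authentication failed; Status 0x18 = wrong password)
# and 4776 (NTLM credential validation failed; Status 0xC000006A = wrong
# password) are the individual attempts that increment badPwdCount. They are
# logged on whichever DC handled the request, so every DC is queried. 4771 carries
# the client IP address, 4776 the workstation name the client presented.
$dcs | ForEach-Object {
    $dc = $_
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    } | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Event  = $_.Id
                Status = $d['Status']
                Source = if ($_.Id -eq 4771) { $d['IpAddress'] } else { $d['Workstation'] }
            }
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it from a domain-joined Windows machine as a user who can read the DC Security logs, e.g. `.\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 6`. Correlating the timestamps of the 4771/4776 entries with the moments the Mac users sign in to the App Store, and looking at the `Source` column, is what tells you which machine (and by its timing, which process) is sending the failed credentials, rather than relying on the 4740 caller field alone.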