Skip to main content

We are currently experiencing problems with AD users passwords on Macs bound to AD. The problem appears to be with policy conflicts between the Macs and PCs.
When a PC user logs onto a Mac for the first time they receive a message to change their passwords. These users are in a 180 day password rotation policy. They are not receiving the message when they log on to there PCs.
The message will follow their account to other Macs across campus.
The question is what policy are these users getting that's different from the one they get on a PC? How do we make them the same?



We manually bind the Macs to AD, and usually take the defaults except for laptops which we set up mobile accounts.

What OS? And what binding options are you selecting? And is this across both laptops and desktops?

Hi,



In AD, the password policies are stored on the server side so the Macs would be able to avoid them.



There can be issues if you are using 802.1x auth and the timing for the directory connection to kick in (not sure if thats part of your environment?).



So when a user logs in they get a message to change their passwords. Is this correct behaviour?



They are not receiving the message when they log on to a PC. Is this a fault with the PCs or are you not expecting the message to appear at all?



It sounds like the account is configured to require a new password at next logon and require a new password every 180 after that. If this is the case, you'll be prompted to setup a new password at first logon to a Mac or a PC, then no more for 180 days.

Is your AD using fine-grained password policies (FGPP) to enforce maxPwdAge? FGPP is not honoured by OS X, and a domain default password policy is enforced on Macs.

Reply


Terms & ConditionsCookie settings