NoMAD Login not syncing passwords after AD password change

jbanks
New Contributor III

We use an IDM controller that forces Active Directory changes every 6 months. I have been testing NoMAD Login to see if it is a viable option on campus, but after changing my password through my IDM (and AD), I can no longer sign into my MacBook Pro using my newly updated AD credentials.

Have I missed something????

15 REPLIES 15

nstrauss
Contributor II

What you're experiencing is correct. NoMAD Login in its current design does not handle password changes. Think of NoMAD and NoMAD Login as companion products. Login creates local accounts with AD credentials, NoMAD then handles account updates including password changes.

NoMAD Login is not aware your password changed off Mac, only NoMAD is. The next time a user logs into NoMAD it should notice a password mismatch and prompt to sync them. In my case I'm only using NoMAD Login as a provisioning tool in 1:1 single user deployments. Labs can be trickier, but still work depending on your needs.

jbanks
New Contributor III

That makes sense! I installed both, but couldn't for the life of me figure out what I would use NoMAD for (and in all honesty, I was throwing this together as fast as possible!). I'll see if that works for me!

Is there a way to have NoMAD run at user logon to check for changes to AD?

nstrauss
Contributor II

@jbanks Take a look at UPCAlert pref - https://nomad.menu/help/preferences-and-what-they-do/. User will have to be logged into NoMAD to know if passwords are different. Password mismatch should be checked on a regular basis.

benshawuk
New Contributor III

What is the point in NoMAD login, if the Apple AD plugin already handles this better?

mike_pinto
New Contributor III

@benshawuk We no longer bind, so we rely on NoLoAD to create the account.

nstrauss
Contributor II

@benshawuk The entire point is the AD plugin in fact does not handle this better. Plenty of people can attest to the fantastic ways mobile accounts break at every major release. Apple prefers local accounts whenever possible. NoMAD and Login are another way to move closer to more easily managing local accounts while still referring back to a central directory like AD.

benshawuk
New Contributor III

But when the AD password changes, the local password doesn't update..
What if a user forgets their password at the login screen? With AD bound Macs they can successfully log in (login keychain issues aside).
How would this work with a NoMAD login window?

sam_g
Contributor
Contributor

@benshawuk currently, with NoMAD login they would login with their old password and NoMAD would then detect after a login that their password is different from their network password. So basically, at this time, you need to configure both NoMAD products separately. They work well and seamlessly together, but having just one in place is 50% of the solution.

At some future date, NoMAD login will have an option to check at login if the password that a user is logging in with is their current network password.

steve_summers
Contributor III

So, my org has been dealing with this NoMAD-will-not-synch-the-passwords issue for some time, even though I have it set to do so. As 2019 started, we saw a big uptick in customers whose passwords were not being synched when changed and I had to dig into NoMAD and see what the heck was happening. Here is what I found and what we decided to do about it:
-Basically, customers were letting their password completely expire (gasp!) and then call in while remote to get assistance with changing it
-Since the customer was remote in this scenario, the support agent changed their AD password to a temp one and got them on the VPN, then walk them through the steps in NoMAD to change it. It had a low "synch-success" rate, without knowing why.

One thing we discovered was that if the Mac was rebooted before the process was started, even assigning a temp password outside of NoMAD, the synch would occur. Plus, and this was a big one; the Mac would synch completely if the machine in question was on a wired ethernet connection vs. a wireless. Since making sure these two conditions are followed before the change password process is started, we've seen NoMAD synch the two passwords as it should. Maybe those tips will help you.

benshawuk
New Contributor III

@float0n What if the user forgets their password?
I honestly fail to see how this is any better than the Apple AD plugin. In fact, less functional.

nstrauss
Contributor II

@benshawuk Do you have people forgetting their passwords on a regular basis? As in, the password they type in multiple times a day? I know it does happen to use once in a while, but not that often. In that case all you need to do is reset their local password and create a new keychain on next login.

spraguga
Contributor

@nstrauss For 1:1 provisioning, does this work for a new user whose AD account is set for the password to be changed at next login?

Judah_V
New Contributor II

For anyone still looking for Nomad login to manage the password changes. There is a slack channel that currently has an alpha version of Nomad Login that will help keep the user password in sync. #nolo-localsyncbeta

PE2000
Contributor

Hi

After password change user can not log in at all using old password and new password.

Any ides???

Thanks

UoYJames
New Contributor

@PE2000 did you figure this out? Having a similar issue after domain password change.