AD Bound MacBooks Prompting Password Change

edullum
Contributor

Howdy,

We are having an issue with our MacBooks on High Sierra that are bound to AD with a box that pops up when the user tries to log in:
Password Expiration: Your password will expire in 29 days....

Is this because we have "Create Mobile Accounts" selected in our Directory Binding? Our user password policy is set to expire passwords every 180 days. Most of our users who were enrolling their Macs reset their passwords within the last few days. Also included in the password policy is that the user cannot change their password within 30 days of changing it. This 29 days doesn't make any sense. Which leads me to believe it is a Mac issue and not because the machine is bound to AD.

Environment: Jamf Pro v10.6

Enrollment Setup:
I have a daisy chain of enrollment policies that go out during enrollment. Here is the summary:
1) Sync Apple Time Server: ntpdate -u time.apple.com
2) Script changing the name of the Mac to the serial number
3) Bind to AD with the Directory Binding
   a) Create Mobile account at login = enabled
   b) Force local home directory = enabled
   c) Use UNC path = enabled
   d) Allow Administration by = Support Staff
3a) Execute Command = dsconfigad -group "Support Staff, teachers, administrators"
4) Set Password Expiration
   a) Execute Command = defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays -int 179
I added this to the enrollment policies, because the Mac prompted the users to immediately change their password, even though they weren't due for a password change. When the user changed their password, AD reflected the change and set the password to expire in 179 days.

Any help would be appreciated. This is the first year we are doing this and frankly, I'm out of time for testing because teachers are now here enrolling their macs.

As a side note, we had this issue since May of 2018 on non-DEP MacBooks that were bound to AD. Our network guy would just send the command in Terminal that I have in step 4-a. Those Mac users were not prompted to change their password again.

Is it possible that I need to send that command to the Mac once the mobile account is created? I'm grabbing at straws now...

1 ACCEPTED SOLUTION

edullum
Contributor

I figured it out today. The issue resided within the OU that the Mac computers are in. There were no group policies scoped to the OU. Once my network specialist scoped inherited policies to the OU, the Macs stopped prompting users to change their password within 29 days.


4 REPLIES

bvrooman
Valued Contributor

The PasswordExpirationDays preference key doesn't determine how long the password is valid before it expires; that is configured on your domain controllers, and the Mac has no control over it. What it's actually saying is "how long before expiration should I tell users that their password is going to expire?"

We have a fairly-robust set of services for users to get their passwords changed or reset without needing to log into their Macs, so a while ago we lowered that setting from 14 days to 7 days. The passwords are still good for 60 days (because that's Active Directory's job, not the Mac's), it just doesn't bother our users until it's a week away from expiration.

edullum
Contributor

Thank you for the clarification of that command. I don't have a fairly-robust set of services and therefore have to utilize the resources I have.

edullum
Contributor

I've done further research on this and according to an Apple article: https://support.apple.com/kb/PH26308?locale=en_US&viewlocale=en_US
macOS queries Active Directory to determine the length of time before a password change is required. However, it is returning a number that is completely unrelated to the password policies we have set in AD. For example, according to AD the user's account password doesn't expire for 152 days, but the OS is prompting the user to change their password in 29 days. Our password policy is that the password expires every 180 days and the user can't change their password within 30 days of changing it. Where is the OS getting the 29 days? What part of AD is the OS querying?
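As an added example (not code from anyone in this thread), the script below separates the two numbers that get confused here: the expiry AD itself computes for the account, and the local loginwindow warning window set by PasswordExpirationDays. It assumes the Mac is bound and that `dscl` can read the AD constructed attribute `msDS-UserPasswordExpiryTimeComputed` (a Windows FILETIME: 100-nanosecond ticks since 1601-01-01); the domain name and user are placeholders.

```shell
#!/bin/bash
# Added example: compare AD's computed password expiry with the Mac's warning window.
# Assumption: msDS-UserPasswordExpiryTimeComputed is readable through the AD node via dscl.

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_EPOCH_OFFSET=11644473600

# filetime_to_epoch FILETIME -> Unix seconds
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# days_until_expiry FILETIME NOW_EPOCH -> whole days remaining (negative means already expired)
# AD uses 0 or 0x7FFFFFFFFFFFFFFF when the password never expires.
days_until_expiry() {
    local filetime=$1 now=$2 expiry
    if [ "$filetime" -eq 0 ] || [ "$filetime" -eq 9223372036854775807 ]; then
        echo "never"
        return 0
    fi
    expiry=$(filetime_to_epoch "$filetime")
    echo $(( (expiry - now) / 86400 ))
}

# warning_lead_days -> how many days before expiry loginwindow starts warning ("unset" if no key)
warning_lead_days() {
    defaults read /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 2>/dev/null \
        || echo "unset"
}

# report USER DOMAIN -> prints both values side by side; only meaningful on a bound Mac
report() {
    local user=$1 domain=$2 raw ft
    raw=$(dscl "/Active Directory/$domain/All Domains" -read "/Users/$user" \
            msDS-UserPasswordExpiryTimeComputed 2>/dev/null) \
        || { echo "not bound, or user $user not found in $domain"; return 1; }
    ft=$(echo "$raw" | awk '{print $NF}')          # last field is the FILETIME value
    echo "AD: password for $user expires in $(days_until_expiry "$ft" "$(date +%s)") days"
    echo "Mac: loginwindow warns starting $(warning_lead_days) days before expiry"
}

# Usage: ./pwexpiry.sh <username> <AD-DOMAIN-PLACEHOLDER>
if [ -n "${1:-}" ]; then
    report "$1" "${2:-EXAMPLE-DOMAIN}"
fi
```

If the AD figure matches the policy you expect but the prompt still appears early, the local warning key is the place to look; if the AD figure itself is wrong, the policy applied to that account (or OU) is.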
