AD password change issue (when expired)

Contributor III

Hi everybody,

We have about 1300 macs with AD integration and have a 90 days expiration policy.

If the user is waiting for the last day to change his password, the prompt to change the password is displayed, but when they enter/confirm a new password, the box "shakes", indicating something was off.
Impossible to the reset password and impossible to log on (even with old password).

On the other hand, if we click on "Other" to create again the same profile who has the problem, it finally works.

In addition, if the user doesn't log off the Mac and the screen locks when the password expires, they can't unlock the computer too with their old password that had expired, and it doesn't prompt to change the password.
No way to reset password.

The problem is systematic, whether in 10.11, 10.12, 10.13 or 10.14.
Our users are always waiting for the last day to change their password, despite notifications and alerts.
This generates a large number of calls to our IT support.

Please, do you know if a solution exists (without using a third-party application, if possible)...

Thank you for your help..


Valued Contributor

You could modify the script I made to warn users of a local account password expiration. Make a policy and change line 31 to ignore local accounts, instead of ignoring network users. Example:

if [[ $getUID -lt 1000 ]]; then
echo "Account is a local user, stopping expiration check."
  exit 1

Or... use Nomad to warn users of impeding pw expirations. You can still have bound AD accounts with Nomad if your org is averse to switching to local users.

Valued Contributor

I just noticed you mentioned there are existing alerts, not sure if that's just at the login screen or another method. In the long run, if this is a huge issue for your team, then it starts to become an HR/people issue esp. if there are repeat offenders. You would have to explore consequences for the users, like keeping them locked out if that's what their manager or director agrees to. Then in the future users would be more inclined to reset their pw on a timely basis.

Contributor III

Thank you for your answer. We've been trying for years to make people aware of changing their password before the expiration date but without success.

Never mind.

Thank you for your help.