AD Password Change / Users with Multiple Computers

danshaw
Contributor II

Does anyone know what the best plan of action to take is when a user has multiple mac computers and a password change is needed?

We require our users to change passwords every 60 days. User accounts are bound to AD and are mobile accounts.

Obviously the user will need to change their password on one of the computers, but then what is the best way to sync up that 2nd computer with that same password?

We also do not allow users to change their password to something that has been used before.

8 REPLIES

mm2270
Legendary Contributor III

We use an internal password change site for users to update their AD password. This site has the advantage of making sure all DCs in the organization get the password update for their account immediately. The danger we've seen in allowing users to change their password on their Mac under their cached AD mobile account is that, while the change is fed to the one DC their Mac is communicating with, it may take a while to replicate out to the remaining domain controllers.

Unfortunately, even with this site, it doesn't help much in the case of someone with multiple Macs. The only effective way to make sure this happens correctly is to have them connect each Mac to the network (wired or wireless) either at the time the change is made, or shortly after so the change can be fed back down to their Mac. As long as the Mac is joined and communicating with AD, it will get pushed down to their account.

Wish I had a better answer, but unfortunately, it's going to be a requirement for them to crack open each machine and make sure it's on your network to get the change sent back down. I would strongly discourage users from trying to do the password change in Users & Groups on each machine, though I doubt you were leaning in that direction. They could fat finger their password on one or more of their Macs and get things all out of whack. Let the domain controllers do their job in informing joined systems of the password change to the account.

Just my 2¢

dave
New Contributor II

If you are changing a pw directly in AD vs some sort of account portal, take a look at Apple's Enterprise Connect to assist with AD passwords.

danshaw
Contributor II

Thanks for the feedback guys. I didn't realize that if a computer was on and connected to the network that the new password would trickle down and update their computer automatically. I thought they had to initiate the change. That is good to know. I'll just make sure to mention that. Not many users have multiple computers, but for those that do, this would be a good solution.

Currently we use ADPassMon for our password changes and that has been working great. After listening to an Enterprise Connect webinar, it's basically a clone of ADPM with a new coat of paint, except they offer some training and support. And it was pretty $$$.

mm2270
Legendary Contributor III

Hi @danshaw Yes, though every environment is unique, especially when talking about Active Directory and domain controllers, my experience has been that as long as communication back to the DCs is good, the change should be pushed back down to the Mac.
I see this whenever I need to change my password through our password change portal. If I have Outlook open and connected, usually within about a minute, I'm being prompted by Outlook to enter my new password, since the old one it was using before is no longer valid.

Speaking of Outlook and saved passwords, I've seen issues where the keychain will sometimes generate a new entry and maintain the old invalid one, which gets into problems later since Outlook may not know which one to use when launching. In those cases, I do a search in Keychain Access for "Exchange" which brings them all up and delete the old ones. Or sometimes I quit Outlook, delete all Exchange entries and launch it again and enter my password, which creates a new clean one in Keychain Access.
I'm curious if anyone else has seen this behavior with the 2 or more entries (only one being valid)?

May
Contributor III

Hi @mm2270

With your approach do you encounter the login keychain or FileVault passwords not being changed on the Mac? How are these being updated?

mm2270
Legendary Contributor III

@May No issues with FileVault (again, as long as all AD communication is good). When we do see FV2 passwords not getting synced, it's primarily because of one of 2 reasons: 1) The Mac has lost its AD join (in those cases, the pw change is not pushed down to the Mac at all and for some reason the user is unaware of it), or 2) The Mac is still running 10.10.2. While very few machines are left on that OS, we saw a lot of FV2 password sync failures occurring on that version and one or two minor releases under. It all got better starting with 10.10.3/4 and up, and continues to work well.

As for the login keychain, yep. Who doesn't see issues with this? We encourage our users to reboot after changing their password in the portal and confirming it's been updated on their Mac. This does 2 things. First, it verifies that FileVault has received the change and second, they will get prompted at login that their login password needs to be updated and can do that at that time. If they do this reboot soon after the password reset, the old password is still fresh in their minds. If they wait too long and forget what it was, we run into problems since the only fix is to delete the login keychain. In the case of FV2 not receiving it, we would need to help them unlock the Mac with an individual Recovery key and then work on getting it back in sync. So rebooting after the password change is extremely crucial to detecting any problems right away, rather than being locked out of their Mac later.
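The two failure modes mm2270 describes (a Mac that has silently lost its AD join, and a build older than 10.10.3 where FV2 sync was unreliable) are both things an admin can check for before a user changes their password, so the user is not discovered to be out of sync only after a reboot locks them out. The script below is an added example and not code from this thread; it parses the output of `dsconfigad -show`, `fdesetup list` and `sw_vers -productVersion` to report whether a mobile-account user on this Mac should be expected to receive the change. The `dsconfigad`/`fdesetup` sample text, the domain `corp.example.com`, the user `jdoe` and the GUIDs are constructed for the offline run; the 10.10.3 threshold is the one stated in the post above.

```shell
#!/bin/sh
# Added example: pre-change readiness check for an AD-bound Mac with mobile accounts.
# On a Mac (run with sudo, since `fdesetup list` needs root) it reads the live tools;
# elsewhere it runs the same parsers over constructed sample output so it can be tested.

# Constructed sample of `dsconfigad -show` from a bound Mac (assumed layout, not real data).
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$'

# Constructed sample of `fdesetup list` (one "user,GUID" line per FileVault-enabled user).
SAMPLE_FDESETUP='localadmin,00000000-0000-0000-0000-000000000001
jdoe,00000000-0000-0000-0000-000000000002'

# ad_domain <dsconfigad-show-output>: print the bound AD domain, or nothing if unbound.
# Note: this only reports the stored binding; it does not prove a DC is reachable right now.
ad_domain() {
    printf '%s\n' "$1" | awk -F' *= *' '/^Active Directory Domain/ { print $2 }'
}

# fv_enabled <fdesetup-list-output> <user>: exit 0 if the user holds a FileVault unlock slot.
# A user without a slot cannot have an FV2 password to sync in the first place.
fv_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# os_at_least <have> <want>: exit 0 if dotted version <have> is >= <want> (numeric per field).
os_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "\\."); m = split(want, w, "\\.")
        for (i = 1; i <= (n > m ? n : m); i++) {
            a = h[i] + 0; b = w[i] + 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# sync_readiness <dsconfigad-output> <fdesetup-output> <user> <os-version>
# Prints one line per failed precondition; exit 0 only when every check passes.
sync_readiness() {
    rc=0
    if [ -z "$(ad_domain "$1")" ]; then
        echo "FAIL: Mac is not bound to AD; a portal password change will never reach it"
        rc=1
    fi
    if ! fv_enabled "$2" "$3"; then
        echo "FAIL: $3 is not FileVault-enabled on this Mac; there is no FV2 password to sync"
        rc=1
    fi
    if ! os_at_least "$4" "10.10.3"; then
        echo "WARN: macOS $4 predates 10.10.3, where FV2 password sync failures were common"
        rc=1
    fi
    return $rc
}

# Use the live tools when present (macOS), otherwise the constructed samples.
if command -v dsconfigad >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    DS_OUT=$(dsconfigad -show 2>/dev/null)
    FDE_OUT=$(fdesetup list 2>/dev/null)
    OS_VER=$(sw_vers -productVersion)
    USER_NAME=${SUDO_USER:-$(id -un)}
else
    DS_OUT=$SAMPLE_DSCONFIGAD
    FDE_OUT=$SAMPLE_FDESETUP
    OS_VER="10.10.2"
    USER_NAME="jdoe"
fi

if sync_readiness "$DS_OUT" "$FDE_OUT" "$USER_NAME" "$OS_VER"; then
    echo "OK: $USER_NAME on $(ad_domain "$DS_OUT") should receive the AD password change"
fi
```

A passing result still only means the stored binding, the FileVault slot and the OS version are in order; the reboot-and-verify step described above remains the actual confirmation that FileVault and the login keychain took the new password.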

May
Contributor III

@mm2270

I thought an environment without keychain issues had to be some kind of utopian dream !

We're instructing the users to change their passwords via ADPassMon on the Mac, which really helps minimise any keychain issues, though they do still occur, but a lot less frequently now. I may add instructions to restart after a password change to our How To doc. Thanks for the info.

RogerH
Contributor II

We also instruct users to use ADPassMon, but since we use 802.1X user authentication on our wireless they have to be wired when they do it. We frequently run into issues where a user has changed their password on a Windows machine and then all hell breaks loose with their keychains.