Posted on 07-13-2016 07:08 AM
Does anyone know what the best plan of action to take is when a user has multiple mac computers and a password change is needed?
We require our users to change passwords every 60 days. User accounts are bound to AD and are mobile accounts.
Obviously the user will need to change their password on one of the computers, but then what is the best way to sync up that 2nd computer with that same password?
We also do not allow users to change their password to something that has been used before.
Posted on 07-13-2016 07:41 AM
We use an internal password change site for users to update their AD password. This site has the advantage of making sure all DCs in the organization get the password update for their account immediately. The danger we've seen in allowing users to change their password on their Mac under their cached AD mobile account is that, while the change is fed to the one DC their Mac is communicating with, it may take a while to replicate out to the remaining domain controllers.
Unfortunately, even with this site, it doesn't help much in the case of someone with multiple Macs. The only effective way to make sure this happens correctly is to have them connect each Mac to the network (wired or wireless) either at the time the change is made, or shortly after so the change can be fed back down to their Mac. As long as the Mac is joined and communicating with AD, it will get pushed down to their account.
Wish I had a better answer, but unfortunately, its going to be a requirement for them to crack open each machine and make sure its on your network to get the change sent back down. I would strongly discourage users from trying to do the password change in Users & Groups on each machine, though I doubt you were leaning in that direction. They could fat finger their password on one or more of their Macs and get things all out of whack. Let the domain controllers do their job in informing joined systems of the password change to the account.
Just my 2¢
Posted on 07-13-2016 08:00 AM
If you are changing a pw directly in AD vs some sort of account portal, take a look at Apple's Enterprise Connect to assist with AD passwords.
Posted on 07-13-2016 09:01 AM
Thanks for the feedback guys. I didn't realize that if a computer was on and connected to the network that the new password would trickle down and update their computer automatically. I thought they had to initiate the change. That is good to know. Ill just make sure to mention that. Not many users have multiple computers, but for those that do, this would be a good solution.
Currently we use ADPassMon for our password changes and that has been working great. After listening to an Enterprise Connect webinar, it's basically a clone of ADPM with a new coat of paint, except they offer some training and support. And it was pretty $$$.
Posted on 07-13-2016 09:23 AM
Hi @danshaw Yes, though every environment is unique, especially when talking about Active Directory and domain controllers, my experience has been that as long as communication back to the dc's are good, the change should be pushed back down to the Mac.
I see this whenever I need to change my password thru our password change portal. If I have Outlook open and connected, usually within about a minute, I'm being prompted by Outlook to enter my new password, since the old one it was using before is no longer valid.
Speaking of Outlook and saved passwords, I've seen issues where the keychain will sometimes generate a new entry and maintain the old invalid one, which gets into problems later since Outlook may not know which one to use when launching. In those cases, I do a search in Keychain Access for "Exchange" which brings them all up and delete the old ones. Or sometimes I quit Outlook, delete all Exchange entries and launch it again and enter my password, which creates a new clean one in Keychain Access.
I'm curious if anyone else has seen this behavior with the 2 or more entries (only one being valid)?
Posted on 07-13-2016 09:37 AM
Hi @mm2270
With your approach do you encounter the the login keychain or FileVault passwords not being changed
on the Mac ? how are these being updated ?
Posted on 07-13-2016 09:53 AM
@May No issues with FileVault (again, as long as all AD communication is good) When we do see FV2 passwords not getting synced, its primarily because of one of 2 reasons - 1) The Mac has lost its AD join (in those cases, the pw change is not pushed down to the Mac at all and for some reason the user is unaware of it), or 2) The Mac is still running 10.10.2. While very few machines are left on that OS, we saw a lot of FV2 password sync failures occurring on that version and one or two minor releases under. It all got better starting with 10.10.3/4 and up, and continues to work well.
As for the login keychain, yep. Who doesn't see issues with this? We encourage our users to reboot after changing their password in the portal and confirming its been updated on their Mac. This does 2 things. First, it verifies that FileVault has received the change and second, they will get prompted at login that their login password needs to be updated and can do that at that time. If they do this reboot soon after the password reset, the old password is still fresh in their minds. If they wait too long and forget what it was, we run into problems since the only fix is to delete the login keychain. In the case of FV2 not receiving it, we would need to help them unlock the Mac with an individual Recovery key and then work on getting it back in sync. So rebooting after the password change is extremely crucial to detecting any problems right away not being locked out of their Mac later.
Posted on 07-13-2016 10:11 AM
I thought an environment without keychain issues had to be some kind of utopian dream !
We're instructing the users to change their passwords via ADPassMon on the Mac which really helps minimise any keychain issues, though they do still occur but a lot less frequently now, i may add instructions to restart after a password change to our How To doc, thanks for the info
Posted on 07-13-2016 11:17 AM
We also instruct users to use ADPassMon but since we use 802.1x user authentication on our wireless they have to be wired when they do it. We frequently run into issues where a user has changed their password on a windows machine and then all hell breaks loose with their keychains.