Skip to main content
Question

AD password not changed from Sys Prefs > Users & Groups

  • May 29, 2014
  • 3 replies
  • 12 views
J
Forum|alt.badge.img+12

I have no idea if this is a global issue, or we are the only environment experiencing this.

We get this message everytime a user want to change their AD password. Basically an error message saying the requirements for the password were not met.

Of course, it's not true at all. I can use the same password on our webpage AD portal that can change passwords.

At this point this is the only way users can change passwords, except calling the service desk

With the release of 10.9.3, this actually worked, and I thought Apple had fixed something. But, with more testing even on 10.9.3, the same message pops up. Looks like a possible bug with Apple's AD plugin.

Aside from this, Apple's AD plugin / binding is working just fine. AD logins occur pretty quickly (10 seconds or so), users who are in the AD group (local "macadmin") get admin rights.

thx,

john

    3 replies

    P
    Forum|alt.badge.img+14
    • perrycj
    • Valued Contributor
    • May 29, 2014

    When I've seen this in my AD environment, it usually means their connection to AD has become out of sync. Most of the time, un-binding and then re-binding through directory utility fixes the issue with no problem.

    P
    Forum|alt.badge.img+7
    • pickerin
    • Contributor
    • May 29, 2014

    This definitely means the unit is no longer talking to Active Directory. We have systems on our Domain experience this on a somewhat regular basis. So much, that I've written an Extension Script to find these systems when they are in this state:

    #!/bin/bash

domain="LOGIN-DOMAIN"
user="saMAccountName"

# Can we query a UPN?
domainAns=`dscl /Active Directory/${domain}/All Domains -read /Users/${user} dsAttrTypeNative:userPrincipalName`
if [[ $domainAns =~ "is not valid" ]]; then
    result="Invalid"
else
        result="Valid"
fi

echo "<result>$result</result>"

    saMAccountName is just any valid AD user. You're just making a query to your AD.

    scottb
    Forum|alt.badge.img+18
    • scottb
    • Valued Contributor
    • May 29, 2014

    Same as @perrycj][/url. We see a Mac get put into an archive OU or are in disabled status in AD.
    rebinding (we usually delete the object first) seems to help.

    @pickerin: thanks for that!

    Terms & ConditionsCookie settingsAccessibility statement