AD password not changed from Sys Prefs > Users & Groups

johnklimeck
Contributor II

I have no idea if this is a global issue, or we are the only environment experiencing this.

We get this message every time a user wants to change their AD password. Basically an error message saying the requirements for the password were not met.

Of course, it's not true at all. I can use the same password on our webpage AD portal that can change passwords.

At this point this is the only way users can change passwords, except calling the service desk.

With the release of 10.9.3, this actually worked, and I thought Apple had fixed something. But, with more testing even on 10.9.3, the same message pops up. Looks like a possible bug with Apple's AD plugin.

Aside from this, Apple's AD plugin / binding is working just fine. AD logins occur pretty quickly (10 seconds or so), users who are in the AD group (local "macadmin") get admin rights.

thx,

john

3 REPLIES

perrycj
Contributor III

When I've seen this in my AD environment, it usually means their connection to AD has become out of sync. Most of the time, un-binding and then re-binding through directory utility fixes the issue with no problem.

pickerin
Contributor II

This definitely means the unit is no longer talking to Active Directory. We have systems on our Domain experience this on a somewhat regular basis. So much, that I've written an Extension Script to find these systems when they are in this state:

#!/bin/bash

domain="LOGIN-DOMAIN"
user="saMAccountName"

# Can we query a UPN?
# The node path contains spaces, so it is quoted; 2>&1 also captures dscl's error text.
domainAns=$(dscl "/Active Directory/${domain}/All Domains" -read "/Users/${user}" dsAttrTypeNative:userPrincipalName 2>&1)
if [[ $domainAns =~ "is not valid" ]]; then
    result="Invalid"
else
    result="Valid"
fi

# Emit the result wrapped in <result> tags.
echo "<result>$result</result>"

saMAccountName is just any valid AD user. You're just making a query to your AD.
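An added example, not part of pickerin's post: the same query, but reporting "Valid" only when a userPrincipalName value actually comes back, so empty output or any other dscl failure shows up as "Unknown" instead of "Valid". The function names, the AD_DOMAIN and AD_USER variables, and the sample strings are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example (not from the thread). Sample outputs below are constructed.
SAMPLE_UNBOUND='Data source (/Active Directory/EXAMPLE/All Domains) is not valid.'
SAMPLE_OK='dsAttrTypeNative:userPrincipalName: jdoe@example.com'

# classify_ad_lookup OUTPUT EXIT_STATUS
# Invalid -> the "is not valid" message the script above matches on
# Valid   -> dscl succeeded and returned a UPN of the form name@domain
# Unknown -> anything else (empty output, other errors, non-zero exit)
classify_ad_lookup() {
    case "$1" in
        *"is not valid"*) echo "Invalid"; return 0 ;;
    esac
    # Join lines first: the value may be printed on the line after the key.
    if [ "$2" -eq 0 ] && printf '%s' "$1" | tr '\n' ' ' |
        grep -Eq 'userPrincipalName:[[:space:]]*[^[:space:]]+@[^[:space:]]+'; then
        echo "Valid"
    else
        echo "Unknown"
    fi
}

# check_ad_binding DOMAIN USER: runs the dscl query from the script above.
check_ad_binding() {
    out=$(dscl "/Active Directory/$1/All Domains" -read "/Users/$2" \
        dsAttrTypeNative:userPrincipalName 2>&1) && status=0 || status=$?
    classify_ad_lookup "$out" "$status"
}

# Query the directory only where dscl exists and both (hypothetical)
# variables AD_DOMAIN and AD_USER are set.
if command -v dscl >/dev/null 2>&1 &&
    [ -n "${AD_DOMAIN:-}" ] && [ -n "${AD_USER:-}" ]; then
    echo "<result>$(check_ad_binding "$AD_DOMAIN" "$AD_USER")</result>"
fi
```

Treating "Unknown" as its own state lets an inventory report separate machines that are definitely unbound from ones that need a closer look.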

scottb
Honored Contributor

Same as @perrycj. We see a Mac get put into an archive OU or are in disabled status in AD.
Rebinding (we usually delete the object first) seems to help.

@pickerin: thanks for that!