Can't change password on Mac (AD)

mike_pinto
New Contributor III

Has anyone experienced any issues resetting (AD) passwords on a Mac? In AD I select an account and set “User must change password at next login”, I attempt to log in as that user and am prompted to change the password, but all passwords entered are rejected with: “Your password does not meet the requirements of the server.”

The password policy is set to 8 characters and that’s it. This same user will have no issue resetting in Windows. I will also receive the same error when attempting to reset from Users & Groups in System Preferences.

I have seen this many times in the past, so I don’t believe it to be strictly related to Mavericks, Yosemite or, in this test case, Sierra. What’s strange is that some users will reset just fine. It would be great if I could resolve this, as all of our student passwords are reset come deployment, requiring them to change it when they’re picked up. When we run into this problem we usually just change it in AD manually for them.


emily
Valued Contributor III

The times I've seen that I've re-bound the Mac to AD and that fixed it.

mike_pinto
New Contributor III

@emily Thanks, however the computer I'm testing and having an issue with was freshly imaged/joined. I did attempt to re-join it to the domain, but the issue persists.

emily
Valued Contributor III

Is the account expired? Have you tried changing the password too many times within the directory's allowed window? Sometimes if you change it too much you have to wait an hour (or more, sometimes 24 hours) to change it again.

rwinfie
Contributor

What do you get from the command kpasswd in Terminal?

mike_pinto
New Contributor III

@emily The account is not expired and there is no minimum password age (assuming that's what you're referring to). I will test it again later to confirm though, thanks.

@rwinfie I get: "Soft error : "

rwinfie
Contributor

OK, two more tests I would run: the command id with a known good account, and dsconfigad -show. This seems to be a bad AD connection currently (which you already knew), but these two commands will show if it is at least talking to the domain properly.

andrew_abraham
New Contributor II

Are you using a configuration profile with a passcode payload alongside an AD bound Mac with mobile accounts?

alexjdale
Valued Contributor III

We have a 3-day password change cooldown in AD. If the password has been changed by any source (the user themselves or an admin user with ADUC, for example) then the user cannot change it again themselves for 3 days. It gives the same error message about not meeting requirements.

It's probably not this if users are able to change it in Windows.

agurley
New Contributor II

I saw this a few weeks ago but it was only after someone's password had expired, so I guess this isn't particularly helpful. After unbinding and rebinding to AD, we got the reset password prompt, but then got the same message you mentioned. I had to go into AD and reset his password, and check the box "user must change password at next login." He was then able to reset his password. I know this doesn't explain anything, but wanted to put it out there.

mike_pinto
New Contributor III

@rwinfie These return as expected; connectivity with AD is functional.

@andrew.abraham We are using mobile accounts, but no passcode payload.

I modified the local computer policy on the DC and that appears to have fixed this test client. I'm not sure why it worked within Windows. Maybe the Windows machine was hitting a different DC? Looks like I have a bit more testing to do.

Thanks everyone, I appreciate it.

arnokenis
New Contributor III

We face similar issues. Our users must choose new passwords every 30 days. Complexity defined in AD is 6-8 characters and at least one number, no special characters (our mainframe doesn't like those).

Every now and then users get the message on the Mac that their password does not meet complexity. But it does.
And in AD the password gets changed. The user must then reboot the Mac in order to log on to the account (sometimes with keychain issues as a consequence).

scharest
New Contributor II

We had this issue too. The fix we found to work was verifying that the Mac's time is the same as the Domain Controller's. If the time is off by more than five minutes, it wouldn't let you change your password. Go into System Preferences > Date & Time and fix the time.

mslaughter
New Contributor

We found that when resetting the Mac users' passwords, you can't check the "Change Password at First Login" box. It makes password resets for them less security compliant, but we found no way to navigate that check box.

sdagley
Esteemed Contributor II

@mslaughter If your configuration profile is set to use Directory Authentication rather than being set as a Login Window configuration (so the Mac's credentials are used to authenticate rather than the user's credentials), you can require users to change their password on first login.

regexaurus
New Contributor II

Password changes for AD users on macOS (AD-bound Macs) are anything but trouble-free, in my experience. Wireless-only/mostly Macs and FileVault encryption add to the complexity. As far as I know, macOS supports either machine OR user authentication, but does not support machine authentication with user "re-authentication" (upon user login). See https://goo.gl/95gd5g. I think this adds to the potential for password change problems in an AD environment.

Let's say the AD password expires for a Mac user (mobile account; allows sign-on when working "offline"/remotely) with no wired connection. Let's also assume their wireless config is set up manually in their user profile, or by a user-targeted profile (e.g. via Profile Manager). With no network connection, they can sign on to macOS using their old/expired AD credentials. When they connect to wireless / authenticate to the network, they are informed their password has expired and prompted to change it. In this scenario, the AD password generally updates successfully, assuming the new password meets any enforced requirements.

So you sign off or shut down, and the next time you boot/sign on to your Mac, it won't accept the new password. What happened? Your AD password was updated successfully, but in the presented scenario, the credentials cached in your user profile on the Mac were not updated. With no network connection before sign-on, you're authenticating against the cached credentials, not against AD. To correct this:
1. Sign on with the old password (preferably, do this before signing off or shutting down, after an AD password change).
2. Connect to your wireless network. It's important your Mac can reach an AD domain controller at this point.
3. Open Terminal from Applications > Utilities.
4. At the prompt, enter su -l username (where username is your AD username). You will be prompted to enter your password.
5. Enter your new/current AD password. Assuming a domain controller is reachable, your password will be accepted, and your cached credentials updated.
Terminal will offer little feedback upon success. You should see no error indicating an incorrect password, and a new/second prompt in the Terminal window. Quit Terminal. If you sign off (or shut down/restart) now, you can sign on to your Mac with your current AD password. When you next sign on, you should see a prompt indicating your Login Keychain password doesn't match your account password, and you will be prompted for the Login Keychain password in order to update it. Enter your old/previous AD password. At this point, your AD password, the cached credentials in your profile and your Login Keychain password should match.
Add FileVault encryption to the mix, and you have yet another layer where credentials may be out of sync, so you may need to enter an old password when you first power on your Mac, then enter a different password at a "proper" macOS login screen. My understanding is that booting your Mac with a network connection (reachable AD domain controller; borrow/steal a colleague's USB/Thunderbolt wired network adapter, or convince your admin to deploy a system-targeted profile with machine authentication for wireless?) and entering your current AD password will update the credentials for FileVault.

On top of all this, even "normal" password expiration/change scenarios (wired connections) have been troubled for us. The problem(s) may be with our environment. For example, a user with an expired AD password comes to the office and docks his Mac (the dock provides wired connectivity). When the user attempts to sign on, they're informed their password has expired and prompted for a new password. When they enter/confirm a new password, the box "shakes", indicating something was off. I (admin) even tried changing it, to make sure password requirements were met. Same result. Rebooting seems to resolve the problem sometimes.

For what it's worth and hopefully it helps someone.

avielc
New Contributor

@arnokenis, @regexaurus,
Have you guys managed to resolve this entirely?
These issues keep repeating themselves, and I'd love to hear what solutions you've found for the issue, system-wide. If you have any kind of solution that I could look into and use, that would be really helpful for me.
My simplest solution is to change the password once when asked by the expired-password procedure during login (you will get the complexity error),
just click Cancel (as mentioned, AD actually accepted the password change), log in again with the new password, and you'll get in (of course there will be the issue with the keychain; I couldn't figure that one out, as my users keep getting many pop-ups of what seems to be the same keychain...).

So, any help would be appreciated, thanks everyone!

avielc
New Contributor

Hi all, reviving this post again as it is a major issue for me too. @regexaurus @arnokenis - have you found any stable, valid fix for this?
Regarding the Mac not accepting a password change at the expired-password moment, we named it "the Mac dance":
1. You enter your current password and reach the change password window (usually the computer is on standby, so it is past the FileVault authentication and connected wirelessly to the network where the domain is reachable).
2. In the change password window, type the old and new passwords as usual.
3. You will get the screen shake indicating something is wrong; just ignore it and click Cancel to go back to choosing to log in with whatever user is available.
4. Give it a few seconds (at least in our environment), choose your user again and enter the new password.

It'll let you log in, but you will get that annoying keychain issue... Is there a way to correct it, or bypass that issue?
Thanks!

Edit
Sorry for the double post; I mistook the moderation process for the message not being sent. Leaving both up in case there is extra info in one of them.

regexaurus
New Contributor II

@avielc I'm exploring NoMAD. Looks like it might clean up many of the problems we've experienced.

stutz
Contributor

I'm sure this isn't the case for everyone else, but I wanted to throw this in just in case someone is having a related issue with this error message, as it had nothing to do with a password requirement (letters, numbers, etc.). The problem could be that your AD environment is set to not allow users to change their password until after X number of days. Check the "Minimum password age" in Group Policy.

When we tried to use "kpasswd" in Terminal we got the message "Soft error :".

This error kept appearing for us after a user changed their password and then tried to change it again in System Preferences > Users & Groups.

Come to find out, we have the "Minimum password age" set in Group Policy. We waited the minimum number of days and the password change went through successfully.
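
The checks scattered through this thread fit in one triage script. The following is an added example for this page, not a tool from any of the posts: it combines rwinfie's `id` and `dsconfigad -show` probes, scharest's clock comparison against the DC (Kerberos tolerates 300 seconds of skew by default, which matches the "five minutes" observed above), stutz's "Minimum password age" case computed from AD's pwdLastSet, and regexaurus's `su -l` cache refresh. Assumptions, all labelled in the code: the `Active Directory Domain = ...` line format of `dsconfigad -show`, that the first signed number in `sntp` output is the offset in seconds, that pwdLastSet is readable through `dscl /Search`, and that you supply the domain's minimum password age in days via `MIN_PWD_AGE_DAYS`, since that GPO value is not visible from the Mac. The pure helpers run anywhere with sample data; `triage` only does anything useful on a bound Mac.

```shell
#!/bin/sh
# ad_pw_triage.sh -- triage for "Your password does not meet the requirements of
# the server" on an AD-bound Mac. Added example for this thread, not from any post.
# Pure helpers (skew, minimum password age, dsconfigad parsing) are separated from
# the macOS-only commands so they can be exercised with constructed sample data.

# Kerberos rejects requests when clock skew exceeds 300 seconds by default.
KRB_SKEW_LIMIT=300
# Seconds between 1601-01-01 (Windows FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_EPOCH_DIFF=11644473600

# skew_seconds LOCAL_EPOCH DC_EPOCH -> absolute difference in seconds
skew_seconds() {
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( 0 - d ))
  echo "$d"
}

# skew_ok LOCAL_EPOCH DC_EPOCH -> succeeds when the Mac is within Kerberos tolerance
skew_ok() {
  [ "$(skew_seconds "$1" "$2")" -le "$KRB_SKEW_LIMIT" ]
}

# filetime_to_epoch FILETIME -> Unix epoch seconds.
# AD stores pwdLastSet as 100-nanosecond intervals since 1601-01-01.
filetime_to_epoch() {
  echo $(( $1 / 10000000 - FILETIME_EPOCH_DIFF ))
}

# earliest_change_epoch PWDLASTSET MIN_AGE_DAYS -> epoch when the user may change again
earliest_change_epoch() {
  echo $(( $(filetime_to_epoch "$1") + $2 * 86400 ))
}

# change_allowed PWDLASTSET MIN_AGE_DAYS NOW_EPOCH -> succeeds once the minimum age has elapsed
change_allowed() {
  [ "$3" -ge "$(earliest_change_epoch "$1" "$2")" ]
}

# bound_domain "DSCONFIGAD_OUTPUT" -> prints the bound domain, empty if not bound.
# Assumes the "Active Directory Domain = ..." line printed by `dsconfigad -show`.
bound_domain() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# regexaurus's cache refresh: an interactive su against a reachable DC re-caches the
# mobile account's password. Run it while logged in as the user whose cache is stale.
refresh_cached_creds() {
  su -l "$1" -c /usr/bin/true && echo "cached credentials refreshed for $1"
}

# Live checks; only meaningful on a Mac bound to AD. Run as an admin:
#   MIN_PWD_AGE_DAYS=3 sh ad_pw_triage.sh jdoe dc01.example.com
triage() {
  user=$1 dc=$2
  dom=$(bound_domain "$(dsconfigad -show 2>/dev/null)")
  if [ -z "$dom" ]; then
    echo "NOT BOUND: dsconfigad -show reports no domain; re-bind before anything else"
    return 1
  fi
  echo "bound to $dom"

  # A lookup with a known account proves the directory node is answering (rwinfie).
  id "$user" >/dev/null 2>&1 || { echo "LOOKUP FAILED: id $user returned nothing"; return 1; }

  # Clock skew (scharest). Assumption: the first signed number in sntp output is the
  # offset to the server in seconds; verify against your sntp version.
  off=$(sntp "$dc" 2>/dev/null | awk '{for(i=1;i<=NF;i++) if ($i ~ /^[+-][0-9]/) {print $i; exit}}')
  if [ -n "$off" ]; then
    now=$(date +%s)
    skew_ok "$now" "$(( now + ${off%.*} ))" || echo "CLOCK SKEW ${off}s exceeds ${KRB_SKEW_LIMIT}s; fix Date & Time"
  fi

  # Minimum password age (stutz). Assumption: pwdLastSet is exposed via the search
  # path; on some mobile accounts you may need the Active Directory node directly.
  min_age=${MIN_PWD_AGE_DAYS:-0}
  pls=$(dscl /Search -read "/Users/$user" pwdLastSet 2>/dev/null | awk '{print $NF}')
  case $pls in
    ''|*[!0-9]*) echo "pwdLastSet not readable via dscl; check minimum age in GPO by hand" ;;
    *) change_allowed "$pls" "$min_age" "$(date +%s)" \
         || echo "MINIMUM PASSWORD AGE: next change allowed $(date -r "$(earliest_change_epoch "$pls" "$min_age")")" ;;
  esac

  # kpasswd is the direct Kerberos probe used in the thread.
  echo "run: kpasswd $user   (a 'Soft error' here points at policy, not complexity)"
}

if [ "$#" -eq 2 ]; then triage "$@"; fi
```

The pure functions are what the thread's symptoms reduce to: a skew above 300 seconds or a change attempted before pwdLastSet plus the minimum age both surface on the Mac as the same misleading "does not meet the requirements" message, so checking them explicitly saves an unbind/rebind cycle that, as several posts note, often changes nothing.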

computingchap
New Contributor

I'm looking through all these comments and wonder if you have come across this. At the reset password screen, you type in an acceptable password twice. Then either:

* Press Tab three times to select the 'Reset Password' button and then press Space: OK.
* Click the 'Reset Password' button with the mouse: OK.
* Press Tab three times to select the 'Reset Password' button and then press Enter: NOT OK. The screen shakes and takes you back to the reset password screen, complaining that your password did not meet the security requirements.