Skip to main content
Question

Cannot login after AD password change

  • September 1, 2016
  • 4 replies
  • 30 views
C
Forum|alt.badge.img+5

I've had this happen on 2 different Macs, both running the latest version of 10.11. Every time a user is required to change their password they cannot login and I end up having to reimage the Mac to make it work. I'm not sure what is going on to make this happen. After a password change, they cannot use either their old password, nor their newly created one.

Also, I remember when OS X would let you know when your AD password was going to expire and now it doesn't and users cannot use a Mac to change their password. Did something change in 10.11 to break this?

    4 replies

    N
    Forum|alt.badge.img+6
    • nigelg
    • Contributor
    • September 1, 2016

    I haven't heard of that issue. Have you tried removing the users account rather than reimaging? We use Mobile Managed accounts with local homes authenticating with AD and I can remove an account using the jamf binary with this command :-

    jamf deleteAccount -username <username> -deleteHomeDirectory

    I know its possible to do the same with dscl but I know the jamf binary command will clean up a user account quite well with the minimum of fuss. That command will delete the Home Directory so beware of that but a reimage will do the same. Might get you up and running or let you do some troubleshooting a bit quicker than having to reimage after every attempt.

    S
    Forum|alt.badge.img+5
    • scentsy
    • Contributor
    • September 1, 2016

    @cscsit I have notice a similar issue:

    We recently upgraded to 9.93 from 9.91; also we had 2 users that changed their password and after troubleshooting it for a while I end up un-enrolling/removing/unbinding and re-enrolling the macs.
    and that did the trick. After re-enrolling the users are able to change the password in a mac without any problems.
    this is what I do to remove "casper" from a mac:
    sudo su (type your password)
    dsconfigad -remove -force -u "here is the service account with AD privileges" -p "type the AD password here" (hit enter)
    killall jamf (hit enter)
    jamf removeframework (hit enter) (and reboot)

    Once the framework is removed (Self Service won’t be in /Applications), reboot the computer

    Remove the computer account from the JSS Inventory

    Search Active Directory to make sure the computer is gone...delete the object if it's still there

    After the reboot, make sure Self Service is un-installed and that the computer is not joined to the domain. After that, you can enroll!

    hope that helps.

    R
    Forum|alt.badge.img+7
    • rlincoln
    • Contributor
    • September 1, 2016

    How are they changing they password? using users & groups or an third party? If you use a third party it could be keychain causing issues...and if the machines are using FileVault it could be causing an issue as well.

    If it is related to keychain login as the admin that will unlock the disk for the use fast user switching to have the user login. Then fix there keychain and reboot. User should be able to login without issue.

    plagued my previous company.

    S
    Forum|alt.badge.img+1
    • scharest
    • New Contributor
    • May 5, 2017

    Do you use an NPS server to set time and date on your machines? We do, and we found that if the clock was off by more than five minutes the user couldn't log into their machine.

    Terms & ConditionsCookie settingsAccessibility statement