Cannot login after AD password change

cscsit
New Contributor III

I've had this happen on 2 different Macs, both running the latest version of 10.11. Every time a user is required to change their password they cannot log in and I end up having to reimage the Mac to make it work. I'm not sure what is going on to make this happen. After a password change, they cannot use either their old password or their newly created one.

Also, I remember when OS X would let you know when your AD password was going to expire and now it doesn't and users cannot use a Mac to change their password. Did something change in 10.11 to break this?


nigelg
Contributor

I haven't heard of that issue. Have you tried removing the user's account rather than reimaging? We use Mobile Managed accounts with local homes authenticating with AD and I can remove an account using the jamf binary with this command:

jamf deleteAccount -username <username> -deleteHomeDirectory

I know it's possible to do the same with dscl, but I know the jamf binary command will clean up a user account quite well with the minimum of fuss. That command will delete the Home Directory, so beware of that, but a reimage will do the same. It might get you up and running or let you do some troubleshooting a bit quicker than having to reimage after every attempt.

scentsy
Contributor

@cscsit I have noticed a similar issue:

We recently upgraded to 9.93 from 9.91; also we had 2 users that changed their password, and after troubleshooting it for a while I ended up un-enrolling/removing/unbinding and re-enrolling the Macs.
That did the trick. After re-enrolling, the users are able to change the password on a Mac without any problems.
This is what I do to remove "casper" from a Mac:
sudo su (type your password)
dsconfigad -remove -force -u "here is the service account with AD privileges" -p "type the AD password here" (hit enter)
killall jamf (hit enter)
jamf removeframework (hit enter) (and reboot)

Once the framework is removed (Self Service won't be in /Applications), reboot the computer.

Remove the computer account from the JSS Inventory.

Search Active Directory to make sure the computer is gone... delete the object if it's still there.

After the reboot, make sure Self Service is un-installed and that the computer is not joined to the domain. After that, you can enroll!

Hope that helps.

rlincoln
New Contributor

How are they changing their password? Using Users & Groups or a third party? If you use a third party it could be the keychain causing issues... and if the machines are using FileVault it could be causing an issue as well.

If it is related to the keychain, log in as the admin (that will unlock the disk), then use fast user switching to have the user log in. Then fix their keychain and reboot. The user should be able to log in without issue.

This plagued my previous company.

scharest
New Contributor II

Do you use an NPS server to set time and date on your machines? We do, and we found that if the clock was off by more than five minutes the user couldn't log into their machine.
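A small diagnostic that checks the two things the replies above keep coming back to: whether the Mac is still bound to AD (scentsy's unbind/re-enroll fix) and whether the clock is within the five-minute Kerberos skew tolerance (scharest's observation). This is an added example, not code from any poster; the `dsconfigad -show` text below is a constructed sample, and `REFERENCE_EPOCH` is an assumed variable you would fill from your time source (for example an sntp query against the domain's time server).

```shell
#!/bin/sh
# Login-failure triage for AD-bound Macs: binding state and clock skew.
# dsconfigad is the real macOS tool; the sample output is constructed.

KERBEROS_MAX_SKEW=300   # seconds; Kerberos default, the "five minutes" above

# ad_domain_from_show: read `dsconfigad -show` text on stdin and print the
# bound domain, or nothing when there is no "Active Directory Domain" line.
ad_domain_from_show() {
  awk -F'=' '/^Active Directory Domain/ {
    sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }'
}

# clock_skew_ok LOCAL_EPOCH REFERENCE_EPOCH: succeed when the absolute
# difference is within KERBEROS_MAX_SKEW; beyond it Kerberos rejects logins.
clock_skew_ok() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
  [ "$diff" -le "$KERBEROS_MAX_SKEW" ]
}

# Constructed sample of `dsconfigad -show` output for a bound Mac (assumes the
# real output carries a single "Active Directory Domain = ..." line).
SAMPLE_BOUND='Active Directory Forest          = corp.example
Active Directory Domain          = corp.example
Computer Account                 = mac01$'

run_checks() {
  # Use live output when dsconfigad exists, else the constructed sample.
  if command -v dsconfigad >/dev/null 2>&1; then
    show=$(dsconfigad -show 2>/dev/null)
  else
    show=$SAMPLE_BOUND
  fi
  domain=$(printf '%s\n' "$show" | ad_domain_from_show)
  if [ -n "$domain" ]; then
    echo "AD binding: bound to $domain"
  else
    echo "AD binding: NOT bound; re-bind or re-enroll as described above"
  fi

  # REFERENCE_EPOCH (assumed) comes from your time source; it defaults to the
  # local clock here so the script runs offline.
  ref=${REFERENCE_EPOCH:-$(date +%s)}
  if clock_skew_ok "$(date +%s)" "$ref"; then
    echo "Clock: within ${KERBEROS_MAX_SKEW}s of reference"
  else
    echo "Clock: skew over ${KERBEROS_MAX_SKEW}s; Kerberos logins will fail"
  fi
}

run_checks
```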