Help

Changing AD passwords for Managed Mobile Accounts

rcastorani
New Contributor II

Posted on ‎02-24-2015 11:24 AM

We have all of our users in Active Directory which is the primary authentication for their credentials on Windows machines, Apple machines, 802.1x, as well as other systems (SIS, LMS, etc).

I would like to use a tool like ADPassMon or Netwrix to allow users to change their AD password remotely. However, I don't believe this will actually change their password for their Mac laptops since it has already cached their credentials. Is there a way to force Mac to check for new credentials or is this restricted to the login screen. If the latter, than I'll need to work on a login window wireless profile (which has been giving me the business lately).

Any thoughts?

0 Kudos
7 REPLIES 7

calumhunter
Valued Contributor

Posted on ‎02-24-2015 03:24 PM

if the user is a mobile user, using the accounts system preference pane whilst on the network and able to communicate with the DC *should* change the password in AD - assuming the user is authorised to do so

0 Kudos

Aaron
Contributor II

Posted on ‎02-24-2015 04:45 PM

I use a custom script which prompts for their old and new passwords, and at its core, consists of:

SEARCHPATH=`dscl localhost -read /Search CSPSearchPath | grep -m 1 "Active" | sed 's/^ *//'`
dscl "$SEARCHPATH" passwd "/Users/$USER" "$CURPASSWORD" "$NEWPASSWORD"

Which changes the password on the AD and on the Mac at the same time (being a mobile account, OSX has the smarts to do both).

I also update the keychain with:

security set-keychain-password -o "$CURPASSWORD" -p "$NEWPASSWORD"

There's a bunch of other stuff I do, but that's basically it.

0 Kudos

rcastorani
New Contributor II

Posted on ‎02-24-2015 05:04 PM

@calumhunter I'll have to check that out. That would be great. Thanks.

@Aaron Do you just place this script in self service then? Thanks.

0 Kudos

Aaron
Contributor II

Posted on ‎02-24-2015 05:10 PM

@rcastorani][/url - Yes, I use osascript for all my prompts, but you could probably do the same with cocoaDialog or jamfhelper. Then I just make it available as an "ongoing" policy in Self Service. It's just a matter of training staff to change their password from there when possible, and ignoring the password expiration prompt on the login screen (you can turn that off with MCX, but I've had limited success with it).

0 Kudos

calumhunter
Valued Contributor

Posted on ‎02-24-2015 05:12 PM

@Aaron, have you had no luck using the accounts system preference to make the password change?

0 Kudos

Aaron
Contributor II

Posted on ‎02-24-2015 05:20 PM

@calumhunter - I do some fancy stuff with the keychain (primarily to do with our proxy) so the system preferences method is insufficient for my needs. I find it's less headache for me and my users if they just have a one-click method that does it all for them.

0 Kudos

TomDay
Release Candidate Programs Tester

Posted on ‎08-02-2017 12:54 PM

@Aaron Would you be able to share that script?

0 Kudos