Changing AD passwords for Managed Mobile Accounts

rcastorani
New Contributor II

We have all of our users in Active Directory which is the primary authentication for their credentials on Windows machines, Apple machines, 802.1x, as well as other systems (SIS, LMS, etc).

I would like to use a tool like ADPassMon or Netwrix to allow users to change their AD password remotely. However, I don't believe this will actually change their password for their Mac laptops since it has already cached their credentials. Is there a way to force the Mac to check for new credentials, or is this restricted to the login screen? If the latter, then I'll need to work on a login window wireless profile (which has been giving me the business lately).

Any thoughts?


calumhunter
Valued Contributor

If the user is a mobile user, using the Accounts system preference pane whilst on the network and able to communicate with the DC *should* change the password in AD - assuming the user is authorised to do so.

Aaron
Contributor II

I use a custom script which prompts for their old and new passwords, and at its core, consists of:

# First Active Directory node in the directory search path, e.g. "/Active Directory/DOMAIN/All Domains"
SEARCHPATH=`dscl localhost -read /Search CSPSearchPath | grep -m 1 "Active" | sed 's/^ *//'`
# Change the password against that node; for a mobile account this updates AD and the local account
dscl "$SEARCHPATH" passwd "/Users/$USER" "$CURPASSWORD" "$NEWPASSWORD"

Which changes the password on the AD and on the Mac at the same time (being a mobile account, OSX has the smarts to do both).

I also update the keychain with:

security set-keychain-password -o "$CURPASSWORD" -p "$NEWPASSWORD"

There's a bunch of other stuff I do, but that's basically it.
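As an added example (not Aaron's script, which is not posted here), the dscl and security steps above wrapped into a small Self Service-style script: it locates the AD node, prompts with osascript, refuses an empty or unchanged new password, and only touches the login keychain after the directory change succeeds. The osascript prompts, the `--run` flag and the sample dscl output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: one-click AD password change for a mobile account, built on the
# dscl/security steps above. The osascript prompts and checks are assumptions.
SAMPLE_SEARCHPATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/CORP/All Domains'   # constructed dscl output, for offline checks

# Pick the AD node out of `dscl localhost -read /Search CSPSearchPath` output
# (first line containing "Active", leading spaces stripped); prints nothing if absent.
ad_node_from_search_path() {
    printf '%s\n' "$1" | grep -m 1 "Active" | sed 's/^ *//'
}

ad_search_path() {
    ad_node_from_search_path "$(dscl localhost -read /Search CSPSearchPath)"
}

# Hidden-input dialog; returns the typed text on stdout.
prompt_password() {
    osascript -e "text returned of (display dialog \"$1\" default answer \"\" with hidden answer)"
}

# Refuse an empty new password or one identical to the current one
# before anything is sent to the domain controller. Returns 0 when acceptable.
validate_new_password() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# Change the password in AD and the local mobile account in one dscl call, then
# resync the login keychain only if the directory change succeeded.
change_password() {
    dscl "$1" passwd "/Users/$2" "$3" "$4" || return 1
    security set-keychain-password -o "$3" -p "$4"
}

main() {
    node=$(ad_search_path)
    if [ -z "$node" ]; then
        echo "No Active Directory node in the search path; is the Mac bound and on the network?" >&2
        exit 1
    fi
    cur=$(prompt_password "Enter your current password:")
    new=$(prompt_password "Enter your new password:")
    validate_new_password "$cur" "$new" || { echo "New password is empty or unchanged." >&2; exit 1; }
    change_password "$node" "$USER" "$cur" "$new" && echo "Password changed in AD and on this Mac."
}
# Invoke as `sh change_ad_password.sh --run` so the functions can also be sourced for checks.
if [ "${1:-}" = "--run" ]; then main; fi
```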

rcastorani
New Contributor II

@calumhunter I'll have to check that out. That would be great. Thanks.

@Aaron Do you just place this script in self service then? Thanks.

Aaron
Contributor II

@rcastorani - Yes, I use osascript for all my prompts, but you could probably do the same with cocoaDialog or jamfhelper. Then I just make it available as an "ongoing" policy in Self Service. It's just a matter of training staff to change their password from there when possible, and ignoring the password expiration prompt on the login screen (you can turn that off with MCX, but I've had limited success with it).

calumhunter
Valued Contributor

@Aaron, have you had no luck using the accounts system preference to make the password change?

Aaron
Contributor II

@calumhunter - I do some fancy stuff with the keychain (primarily to do with our proxy) so the system preferences method is insufficient for my needs. I find it's less headache for me and my users if they just have a one-click method that does it all for them.

TomDay
Release Candidate Programs Tester

@Aaron Would you be able to share that script?