We've been in the middle of a slow roll out of Casper-ized macs in an enterprise environment. We've run into a few roadblocks, most of which have been overcome. One ongoing struggle is determining why accounts occasionally become disabled. It would greatly help us troubleshoot user experience if we could differentiate between:
Failed attempts
Security Profile
Password doesn't meet complexity requirements
Password too old
Password reuse
I have a few repeat users that frequently find themselves locked out of their computers and our only ongoing solution is to remove their machines from the password profile.
In the past, I've had troubles with certain machines disabling the account at enrollment (even when they've changed their password before enrollment) and my only solution to that has been to remove, change password, reapply. Fortunately, I haven't had this problem recently. However, it's because of this reason I'm hesitant to flatly blame the user for any problems when I couldn't explain previous situations.
I don't think any of the problems are related to an expired password for a couple of reasons. We do have a smart group that checks password age, and the users are telling us they've changed their password recently.
So, I guess after all this rambling, I'm hoping someone ran into a similar issue and found a hard solution rather than educated assumptions.
