We implemented AD fine-grained password policies in our domain recently and are having issues when users log in to Mac computers. These users have their password set to expire in 90 days via the fine-grained password policy, and the default domain password policy is set to 42 days. Now what is happening is that they can log in fine on Windows, but the Macs think their passwords have expired and force a password change. The only way the user is able to log in is if they change their password on a Windows machine and then try logging in on the Mac again.
Any suggestions? Has anyone else run into this issue?
I'm in the same boat as @ironman. My AD-bound Macs seem to only care about the domain default, so we just increased the default to what we wanted for our teachers anyway. Our printing setup requires connecting to shared printers on a Windows print server, and remembering the authentication credentials to the keychain (against our advice, but whatever) was breaking things constantly when this happened.
At least we slowed the service calls greatly by upping the domain default (our domain default was 30 days but we went to 90, the tradeoff being we required more complexity than they had previously -- baby steps....).
Thanks for the response, @rusty.adams. We were trying to figure out why the Macs were able to see the password complexity in the fine-grained password policy but not able to see the password expiry for FGP, which was set to 90. Like you said, the Mac seems to only recognize the default domain password.
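
Added example, not part of the thread: a Python sketch of the discrepancy the posters describe, comparing the expiry derived from the domain-wide `maxPwdAge` with the one derived from a fine-grained policy's `msDS-MaximumPasswordAge`, to find accounts a domain-default-only client would wrongly treat as expired. That the Mac uses only the domain default is the posters' observation and is treated as an assumption here; the `pso_max_age` key, the user names and all values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NEVER = -0x8000000000000000                        # max age meaning "never expires"
TICKS_PER_DAY = 864_000_000_000                    # 100 ns intervals in one day

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def expiry(pwd_last_set, raw_max_age):
    """Expiry time, or None if never. AD stores max age as negative 100 ns ticks."""
    if raw_max_age in (0, NEVER):
        return None
    return from_filetime(pwd_last_set) + timedelta(microseconds=-raw_max_age // 10)

def classify(user, domain_max_age, now):
    """'mismatch' = expired under the domain default but still valid under the PSO."""
    by_domain = expiry(user["pwdLastSet"], domain_max_age)
    # Assumption: pso_max_age holds msDS-MaximumPasswordAge of the user's resultant PSO.
    by_pso = expiry(user["pwdLastSet"], user.get("pso_max_age", domain_max_age))
    expired_domain = by_domain is not None and by_domain <= now
    expired_pso = by_pso is not None and by_pso <= now
    if expired_domain and not expired_pso:
        return "mismatch"
    return "expired" if expired_pso else "ok"

# Constructed sample data: password ages in days, policies from the thread (42 / 90).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DOMAIN_MAX_AGE = -42 * TICKS_PER_DAY

def sample(days_old, pso_days=None):
    user = {"pwdLastSet": to_filetime(NOW - timedelta(days=days_old))}
    if pso_days is not None:
        user["pso_max_age"] = -pso_days * TICKS_PER_DAY
    return user

USERS = {"alice": sample(60, 90), "bob": sample(10, 90),
         "carol": sample(100, 90), "dave": sample(50)}

def report():
    return {name: classify(u, DOMAIN_MAX_AGE, NOW) for name, u in USERS.items()}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```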