Fine grained password policy and AD bound Mac computers

ironman
New Contributor

We implemented AD fine grained password policies in our domain recently and are having issues when users login to Mac computers. These users have their password set to expire in 90 days via the fine grained password policy and the default domain password policy is set to 42 days. Now what is happening is that they can login fine on Windows but the Macs think their passwords have expired and force a password change. The only way the user is able to login is if they change their password on a windows machine and then try logging in on the Mac again.

Any suggestions? Has anyone else ran into this issue?

6 REPLIES 6

cbrewer
Valued Contributor II

I'd look to make sure you have your fined grained PSO's setup correctly. Our fine grained passwords have been working fine with AD bound Macs for several years. 2008 R2 AD functionality level.

ironman
New Contributor

Thanks for the reply. Do you also have a default domain password policy set? Ours is set to the standard 42 days policy and we set the fine grained password policies for a higher priority.

rusty_adams
New Contributor II

I'm in the same boat as @ironman. My AD bound Macs seem to only care about the domain default, so we just increased the default to what we wanted for our teachers anyway. Our printing setup requires connecting to shared printers on a Windows print server, and remebering the authentication credentials to the keychain (against our advice, but whatever) was breaking things constantly when this happened.

At least we slowed the service calls greatly by upping the domain default (our domain default was 30 days but we went to 90, the tradeoff being we required more complexity than they had previously -- baby steps....).

ironman
New Contributor

Thanks for the response @rusty.adams We were trying to figure out why the macs were able to see the password complexity in the fine grained password policy but not able to see the password expiry for FGP which was set to 90. Like you said the Mac seems to only recognize the default domain password.

edullum
Contributor

@ironman We are experiencing the same issue over here running High Sierra. Did you ever get it resolved?

rtylerdavis
New Contributor III

I'm having this issue right now in our environment, has anyone found a work around or fix for this?