Posted on 06-01-2017 07:44 AM
Hi all. We are implementing AD through Kerberos in our Mac environment. We also use OpenVPN. We can successfully bind the Macs to the AD, however, when I try to test the password policy requirements with a simple password, it allows it instead of preventing it and forcing AD's policies (8 char minimum, 180 day expiration, etc.).
We can successfully connect to the domain, the date/time are synced up with the server, etc. Is there anything we should be specifically checking to have these macbooks pull the password requirements from the AD server?
Thanks in advance.
Posted on 06-01-2017 07:47 AM
Just to clarify, is the account on the computer a local account, or is the account an AD account?
Posted on 06-01-2017 08:59 AM
Question is a little confusing - do you mean "implementing Kerberos through AD"?
Where is your AD password actually set? Domain-level enforced? As cdev implied above, the AD policy will only affect AD accounts, not local - you'll need to use a config profile or pwpolicy on the Macs themselves if you're trying to apply this to local accounts.
Posted on 06-01-2017 09:52 AM
Sounds like you are using local, not managed mobile, users. If your intention is to be AD bound but use local users then I would suggest you take a look at NoMAD. It offers the ability to sync the AD password to local accounts.
https://nomad.menu/
The only other alternative really is to use mobile accounts on bound Macs, then it will always respect the AD password policy.
Posted on 06-01-2017 12:19 PM
Thanks - I suspect that it's trying to go against the local accounts, not mobile accounts. Is there a way to force a new user with a mobile account? I can see the AD account in Terminal, but still can't figure out how to get it so the users pull from the AD. (Sorry for ignorance on this - IT guy quit and I have had a quick crash course in all of it.)
Posted on 06-01-2017 03:29 PM
We match, as best we can, the password policy enforced in AD locally with pwpolicy that we set with an XML file. This is a global policy for all local accounts. We pair this policy with password syncing in Enterprise Connect.
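As an added example, not code from any post in this thread, here is the shape of the XML policy file this approach relies on: a global pwpolicy account-policy plist that mirrors the two AD rules named in the original question (8-character minimum, 180-day expiration). The function names, the policy identifiers and the output path are assumptions; the policy keys are the ones the pwpolicy account-policy format uses.

```shell
# Constructed example: a global pwpolicy account-policy plist mirroring the AD
# rules named in the thread (8-character minimum, 180-day expiration).
# On the Mac: sudo pwpolicy -setaccountpolicies "$file"; check: pwpolicy -getaccountpolicies
# Write the policy plist to the path given as $1 (hypothetical helper name).
write_local_password_policy() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Evaluated when a new password is chosen -->
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{8,}'</string>
      <key>policyIdentifier</key>
      <string>Minimum 8 characters (matches AD)</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumLength</key>
        <integer>8</integer>
      </dict>
    </dict>
  </array>
  <!-- Evaluated at authentication to force a change after 180 days -->
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Expire every 180 days (matches AD)</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>180</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}
# Apply globally to local accounts; pwpolicy only exists on macOS, so skip elsewhere.
apply_local_password_policy() {
  command -v pwpolicy >/dev/null 2>&1 || { echo "run this on the Mac as root" >&2; return 2; }
  pwpolicy -setaccountpolicies "$1"
}
```

Once applied, a local account that picks a 7-character password is rejected at the change dialog, and one whose last change is older than 180 days is forced to change at login.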
Posted on 06-01-2017 04:06 PM
You are going to need a 2nd way to manage local accounts. AD password rules won't apply to local accounts. iJake is talking about policyCategory.plist. You could use config profiles too.
And here is the thread with an example policyCategory.plist:
https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines
If the machine is bound to AD, log out of the account. Then at the login window log in with any AD account and it should create a non-admin mobile account, and that account should follow your AD password rules.
C
Posted on 12-01-2018 05:08 PM
Couldn't you use NoMAD for this? Direct users to change via NoMAD and lock the option in System Preferences down?