Force AD PW Policy on Mac

lomax0
New Contributor

Hi all. We are implementing AD through Kerberos in our Mac environment. We also use OpenVPN. We can successfully bind the Macs to the AD; however, when I try to test the password policy requirements with a simple password, it allows it instead of preventing it and forcing AD's policies (8 char minimum, 180 day expiration, etc.).

We can successfully connect to the domain, the date/time are synced up with the server, etc. Is there anything we should be specifically checking to have these MacBooks pull the password requirements from the AD server?

Thanks in advance.

7 REPLIES

cdev
Contributor III

Just to clarify, is the account on the computer a local account, or is the account an AD account?

Taylor_Armstron
Valued Contributor

Question is a little confusing - do you mean "implementing Kerberos through AD"?

Where is your AD password actually set? Domain-level enforced? As cdev implied above, the AD policy will only affect AD accounts, not local - you'll need to use a config profile or pwpolicy on the Macs themselves if you're trying to apply this to local accounts.

hkabik
Valued Contributor

Sounds like you are using local not managed mobile users. If your intention is to be AD bound but use local users then I would suggest you take a look at NoMAD. It offers the ability to sync the AD password to local accounts.

https://nomad.menu/

The only other alternative really is to use mobile accounts on bound Macs, then it will always respect the AD password policy.

lomax0
New Contributor

Thanks - I suspect that it's trying to go against the local accounts, not mobile accounts. Is there a way to force a new user with a mobile account? I can see the AD account in Terminal, but still can't figure out how to get it so the users pull from the AD. (Sorry for ignorance on this - IT guy quit and I have had a quick crash course in all of it.)

iJake
Valued Contributor

We match, as best we can, the password policy enforced in AD locally with pwpolicy that we set with an XML file. This is a global policy for all local accounts. We pair this policy with password syncing in Enterprise Connect.

gachowski
Valued Contributor II

You are going to need a 2nd way to manage local accounts. AD password rules won't apply to local accounts. iJake is about policyCategory.plist. You could use config profiles too.

And here is the thread example policyCategory.plist

https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines

If the machine is bound to AD, log out of the account. Then at the login window log in with any AD account and it should create a non-admin mobile account and that account should follow your AD password rules.

C
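The local policy file described in the two posts above, as an added example that is not taken from either post or from the linked thread: a script that generates a pwpolicy plist mirroring the AD values quoted in the question (8 character minimum, 180 day expiration) and applies it globally to local accounts. The `com.example.*` policy identifiers and the `make_policy` helper are constructed names.

```shell
#!/bin/bash
# Added example: build a global pwpolicy plist for local accounts that mirrors
# the AD rules from the question. com.example.* identifiers are placeholders.
make_policy() {  # usage: make_policy MIN_LENGTH MAX_AGE_DAYS
  for n in "$1" "$2"; do
    case "$n" in ''|*[!0-9]*) echo "usage: make_policy MIN_LENGTH MAX_AGE_DAYS" >&2; return 1;; esac
  done
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{$1,}'</string>
      <key>policyIdentifier</key>
      <string>com.example.pwpolicy.minlength</string>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>com.example.pwpolicy.maxage</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>$2</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Apply only when run with --apply (as root, on the Mac itself), then read it back.
if [ "${1:-}" = "--apply" ]; then
  tmp=$(mktemp)
  make_policy 8 180 > "$tmp"
  pwpolicy -setaccountpolicies "$tmp" && pwpolicy -getaccountpolicies
  rm -f "$tmp"
fi
```

Without `-u`, `pwpolicy -setaccountpolicies` sets the global policy rather than a per-user one, which matches the "global policy for all local accounts" described above.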

thomH
New Contributor III

Couldn't you use NoMAD for this? Direct users to change via NoMAD and lock the option in System Preferences down?