Keychain errors after changing password in AD....methods

EliasG
Contributor

I am just curious what some people out here are doing/using when people change passwords and the keychain keeps popping up for user. I am getting tired of running around just to click on reset defaults the last few days..

Thanks

8 REPLIES

mm2270
Legendary Contributor III

Is this when the password changes in AD, and wasn't changed from the Mac? Because if so, unfortunately that will always happen in that circumstance. The OS can't possibly know that the account password changed from the backend until it attempts to authenticate and gets a bad password response from what's stored in the keychain.

Have you looked at @bentoms' ADPassmon fork? It has the ability to perform a password unlock check at login and allow users to reset it there if needed.

ShaunRMiller83
Contributor III

@EliasG

We have this in our self service. It was written by one of the JAMF Speakers at last year's JNUC. The script is on her GitHub https://github.com/andrina/JNUC2013/blob/master/Users%20Do%20Your%20Job/deleteAndcreateKeychain.sh

We have switched over to more of the method outlined on this posting using ADPassMon2 with MCX and a launch agent https://jamfnation.jamfsoftware.com/discussion.html?id=10252

EliasG
Contributor

@ShaunM9483 how does that script work? Is it a login script?

ShaunRMiller83
Contributor III

@EliasG

The script checks to see who is logged in, gets the keychain name for the user, asks the user for their current password, deletes the old keychain and creates a new one with the current password.

We put the script in self service in our First Aid section for our mac users. Our help desk has communicated to our mac users if they see keychain errors they can run that and it should repair the issues.

If you are looking for something to run at login you could probably make the script work for that use, but I would consider giving the ADPassMon a try as well.
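The workflow described above (find the console user, get their keychain, ask for the current password, replace the keychain), written out as an added example for this thread. It is not Andrina Kelly's deleteAndcreateKeychain.sh from the linked repo and not ADPassMon; it assumes macOS with /usr/bin/security, /usr/bin/dscl and /usr/bin/osascript, and that it is run as root by a Self Service policy (Jamf's $1-$3 parameters are ignored). Two choices differ from the description: the password is verified with `dscl -authonly` before anything is touched, so a typo does not leave the user with a keychain they cannot open, and the old keychain is moved aside with a timestamp rather than deleted, so saved passwords remain recoverable. The function and backup-suffix names are this example's own.

```shell
#!/bin/bash
# Added example (not the JNUC 2013 script): rebuild the console user's login keychain
# after the AD password changed. Assumes macOS tools at /usr/bin/{security,dscl,osascript}
# and that the script runs as root (Self Service policy). Jamf's $1-$3 are ignored.

# Owner of /dev/console is the user with the GUI session; the policy itself runs as root.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# Reject the pseudo-users that own /dev/console when nobody is really logged in.
is_real_user() {
    case "$1" in
        ''|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the path of the login keychain in a Keychains directory. macOS 10.12 and later
# name it login.keychain-db, earlier releases login.keychain. Returns 1 if neither exists.
find_login_keychain() {
    local dir="$1"
    if [ -f "$dir/login.keychain-db" ]; then
        printf '%s\n' "$dir/login.keychain-db"
    elif [ -f "$dir/login.keychain" ]; then
        printf '%s\n' "$dir/login.keychain"
    else
        return 1
    fi
}

# Backup name for the old keychain (kept, not deleted, so an admin can recover entries).
backup_name() {
    printf '%s.%s.bak\n' "$1" "$2"
}

# Ask for the current password with a hidden-answer dialog; non-zero exit on Cancel.
prompt_password() {
    /usr/bin/osascript \
        -e 'tell application "System Events" to display dialog "Enter your current network password to repair your keychain:" default answer "" with hidden answer' \
        -e 'text returned of result'
}

# Move the old login keychain aside and create a fresh one protected by the current password.
reset_login_keychain() {
    local user="$1" pw="$2" home kcdir old new stamp
    home=$(/usr/bin/dscl . -read "/Users/$user" NFSHomeDirectory | awk '{print $2}')
    kcdir="$home/Library/Keychains"
    stamp=$(date +%Y%m%dT%H%M%S)
    if old=$(find_login_keychain "$kcdir"); then
        mv "$old" "$(backup_name "$old" "$stamp")"
    fi
    new="$kcdir/login.keychain-db"
    # -p puts the password on the command line, briefly visible in `ps`; never echo or log $pw.
    sudo -u "$user" /usr/bin/security create-keychain -p "$pw" "$new"
    sudo -u "$user" /usr/bin/security list-keychains -d user -s "$new"
    sudo -u "$user" /usr/bin/security login-keychain -d user -s "$new"
    sudo -u "$user" /usr/bin/security default-keychain -d user -s "$new"
}

main() {
    local user pw
    user=$(console_user)
    is_real_user "$user" || { echo "No user logged in at the console; nothing to do." >&2; exit 1; }
    pw=$(prompt_password) || exit 1
    # Verify first: a mistyped password must not replace a working keychain.
    if ! /usr/bin/dscl . -authonly "$user" "$pw" 2>/dev/null; then
        echo "Password did not verify for $user; keychain left untouched." >&2
        exit 1
    fi
    reset_login_keychain "$user" "$pw"
    echo "Login keychain for $user rebuilt; a logout or reboot is recommended."
}

# Only run the macOS-specific part on macOS; the helper functions above work anywhere.
if [ "$(uname)" = "Darwin" ] && [ -x /usr/bin/security ]; then
    main "$@"
fi
```

The keychain is rebuilt for the console user (via `sudo -u`), not for root, so the new file lands in the right home directory with the right owner. Because the password check goes through the directory node, the script only succeeds once the account's password, as the Mac knows it, matches what the user types; in a mobile-account setup that is after the user has logged in with the new password, which is the same ordering emily's reply below recommends.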

emily
Valued Contributor III

Just throw this on computers and have users change their password through it:
http://macmule.com/2014/04/01/announcing-adpassmon-v2-fork/

Have them log out, log back in with new password, then update password when prompted within apps (Outlook, whatever). It's magical.

wdpickle
Contributor

We added it to self service and assign it to machines when the problem is reported (recommended by Andrina @JNUC2013)

EliasG
Contributor

How do I package the adpassmon? @emilykausalik @wdpickle

wdpickle
Contributor

We packaged cocoa (then installed it through policy) and uploaded the script (after pointing to the cocoa install location). Then I created a policy called KeyChain Repair and assigned it to Self Service, it calls the script and prompts for reboot when complete. I had to tweak a couple of things for our environment, but Andrina Kelly did all the heavy lifting for us. I followed her instructions from last year. The session should still be available here:
https://www.youtube.com/playlist?list=PLlxHm_Px-Ie01lK6FgfdXhk-YuByY6X27 the session title is: Getting Users to Do Your Job (Without Them Knowing It)