Keychain issues for an AD user that uses five different machines?

phillip_chen
New Contributor

Hi Everyone,

I was wondering if anyone had a simple solution to fixing keychain problems when the end user has multiple machines? Regardless of how he changes his password (we aim for users changing their password on their own machine) it only messes it up for every other machine he possesses.

Thanks in advance!


cgiordano
Contributor

@phillip.chen This is a bit of a shotgun approach but you can delete the user's login keychains. Here's a rough and dirty script (highly unrefined):

#!/bin/sh

# Wipes the user's keychains so macOS recreates the login keychain at next login.
# Replace [username] (or have the JSS pass it in) before running.
KEYCHAIN_DIR="/Users/[username]/Library/Keychains"

# Bail out if the directory is missing: a "cd" that fails, followed by
# "rm -Rf *", would wipe whatever the current working directory happens to be.
cd "$KEYCHAIN_DIR" || exit 1
rm -Rf ./*

exit 0

You can add to this as well and use the JSS to grab the active user's username and run everything for you. You should also be able to use this in Self Service. Note that a reboot should be performed after deleting the user's login keychain, and it will be re-created after the reboot has taken place. We use AD auth for wifi networks and it gets stored in the login keychain, so your user will also need to reconnect to wifi if you go that route as well.

Good luck!
Chris

chriscollins
Valued Contributor

The Mac where the password change was made is the only one that automatically gets its keychain password updated.

Normally, if the user logs out and then logs back in, it will offer them the chance to update their keychain password. They enter their old password and then it should update it to the new password.

The reason why it may not be happening on all his machines is because he hasn't logged out yet so his keychain is still unlocked with the old password.

In our environment we instruct the users to log out and log back in. If that doesn't work we do it the old fashioned way in keychain access.

phillip_chen
New Contributor

@cgiordano Thanks however I was hoping there would be a way for me not to delete their keychain if possible....the person in question is pretty high up...

@chriscollins Thanks too! I was also hoping for something to somehow force sync on the remaining machines...somewhat of a hail mary approach with the least amount of interaction from the end user.

davidacland
Honored Contributor II

Not sure if iCloud Keychain would work in this scenario. I know it can sync items within the keychain but I haven't tested it with actual password file changes. Worth testing though.

Failing that, some kind of home built system would be needed, syncing the updated copy of the file somewhere and then back to other machines as and when the person logs in/out.

Personally, I think that this is just a limitation of the technology. Network passwords being changed regularly, and the user having multiple Macs is a perfect storm. I would probably opt to explain why it happens and show the user how to solve it. The alternative is that you burn lots of time trying to engineer a solution just for one person.

mm2270
Legendary Contributor III

Yep, I'm in agreement with @davidacland. This is to be expected when someone has multiple Macs, and trying to engineer a fragile solution doesn't make a lot of sense. I would also simply explain the reason why this happens and show them how to update it. It's actually pretty easy to update the login keychain password by doing Keychain Access > Edit > Change password for keychain "login". They just put in their old (existing) and new passwords where appropriate and it gets updated.

Outside of the above, we use a password change portal website that works pretty well to update AD account passwords on all Macs/PCs that you are using it on. It apparently runs a script or process that propagates the password change to all domain controllers pretty quickly, so no matter which one a computer is pointed to, the change is seen by the AD account on the computer and it gets updated. It sounds like your organization could use something like that.
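The manual fix chriscollins and mm2270 describe (enter the old keychain password, then the new AD password) can also be driven from the command line on each Mac that missed the change, which is what a Self Service item would do. The script below is an added example and not code from anyone in this thread; it uses the macOS `security set-keychain-password` command, which is the CLI equivalent of Keychain Access > Edit > Change password for keychain "login". The `SECURITY_BIN` override and the `--run` entry point are assumptions made so the functions can be exercised on a non-Mac box; on a Mac, run it as the affected user (not as root) with `--run` and leave `SECURITY_BIN` unset.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the login keychain password on a
# Mac that did not see the AD password change, without deleting the keychain.
# Run as the affected user, e.g. from Self Service, with: ./fix-keychain.sh --run

# SECURITY_BIN is an assumption for testability: it lets a fake "security" be
# substituted when this is exercised off a Mac. On macOS leave it unset.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"

# Newer macOS stores the login keychain as login.keychain-db; older releases
# used login.keychain. Print whichever exists for the given home directory,
# and fail if neither does.
find_login_keychain() {
    home_dir="$1"
    for f in "$home_dir/Library/Keychains/login.keychain-db" \
             "$home_dir/Library/Keychains/login.keychain"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Change the login keychain password from OLD_PW to NEW_PW for the user whose
# home directory is HOME_DIR. Returns non-zero if the keychain is missing or
# if security rejects the old password.
update_login_keychain() {
    home_dir="$1"; old_pw="$2"; new_pw="$3"
    kc="$(find_login_keychain "$home_dir")" || return 1
    # -o/-p put both passwords in the process arguments, visible in "ps" for the
    # moment the command runs; that is the cost of running non-interactively.
    # Omit both flags and security prompts on the terminal instead.
    "$SECURITY_BIN" set-keychain-password -o "$old_pw" -p "$new_pw" "$kc"
}

# With --run, prompt (without echo) for both passwords and do the change for
# the current user's own home directory.
case "${1:-}" in
    --run)
        printf 'Old (pre-change) password: '
        stty -echo; read -r old; stty echo; echo
        printf 'New (current AD) password: '
        stty -echo; read -r new; stty echo; echo
        if update_login_keychain "$HOME" "$old" "$new"; then
            echo "login keychain password updated; log out and back in to confirm"
        else
            echo "update failed: keychain not found or old password rejected" >&2
            exit 1
        fi
        ;;
esac
```

The script never touches the keychain file itself, so nothing stored in it (wifi credentials, certificates) is lost; if the user has forgotten the old password, `security` simply fails and the delete-and-recreate route above is the only option left.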

phillip_chen
New Contributor

Thanks @mm2270 and @davidacland !