Locally cached passwords not syncing with Active Directory on mobile accounts

cnixon14
New Contributor III

On our machines we have mobile accounts that are synced to Active Directory. When users change their password through Active Directory the mobile accounts' locally cached password is not getting updated. This leads to that user being locked out of their machine. Currently I have been using this command to pull down the new password:

login <username>

But we would want the updated password to be pulled down in the background. Is there a command that could be run from JAMF to force a sync? Has anyone else had a problem with password sync then users being locked out of their machines?


junjishimazaki
Valued Contributor

What method are the users using to update their AD password?

My company has a portal that is connected to AD, so they change it through the portal, which pushes the change to AD. So changing the local password is not a reasonable solution. We need the password to be pulled down from AD.

Phantom5
Contributor II

(In our case, we stopped using AD a long time ago; there is no security justification for us to keep our Macs bound to AD. Actually, we consider binding a security risk.)

The OD cache for a Mobile account also stores the AD expiration date for the password, and it should update every time macOS considers that information dirty (user login/out, network configuration change, etc.)

Our users were instructed to use either the Login Window, the User & Groups panel in System Preferences or Enterprise Connect (now Apple Kerberos Extension).

When you update/reset a password from within a Mac, macOS updates the local OD, the keychain for the user and, in the case of a Mac with FileVault enabled, the FileVault credentials. There are a lot of things that can break if you update passwords from outside the Mac.
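The original question asks for a way to detect or force the sync from a Jamf policy, and the reply above notes that the mobile account's OD cache carries AD password metadata alongside the cached credential. The script below is an added example, not code posted by anyone in this thread or shipped by Jamf: it compares the password-set time AD reports for a user with the time the local cached record was last refreshed, so an admin can spot accounts that will hit the lockout described above before the user does. It assumes the Mac is bound to an AD domain reachable under the `DS_NODE` path (the domain name `EXAMPLE` is a placeholder), that the AD record exposes the native `pwdLastSet` attribute as a Windows FILETIME, and that the cached local record exposes `SMBPasswordLastSet` as Unix epoch seconds; verify both attribute names against `dscl -read` output in your own environment before relying on the verdict.

```shell
#!/bin/bash
# Added example: flag mobile accounts whose locally cached AD password is
# older than the password AD currently holds. Detection only; it does not
# touch the cache, the keychain or FileVault.
#
# Assumptions (not taken from the thread):
#   - DS_NODE is the AD node of the bound domain ("EXAMPLE" is a placeholder)
#   - the AD record exposes dsAttrTypeNative:pwdLastSet (Windows FILETIME)
#   - the cached local record exposes SMBPasswordLastSet (Unix epoch seconds)
DS_NODE="/Active Directory/EXAMPLE/All Domains"

# Windows FILETIME (100-ns ticks since 1601-01-01) -> Unix epoch seconds.
filetime_to_epoch() {
  ft="$1"
  printf '%d\n' $(( ft / 10000000 - 11644473600 ))
}

# Exit status 0 (stale) when AD's password was set after the local cache was
# last refreshed; 1 otherwise. Both arguments are Unix epoch seconds.
cache_is_stale() {
  [ "$1" -gt "$2" ]
}

# Parse `dscl -read` output for a single attribute. dscl prints either
# "Attr: value" on one line or "Attr:" followed by the value on the next
# line; attribute names may themselves contain a colon, so take the last
# field rather than splitting on the first colon.
parse_dscl_value() {
  awk 'NR==1 && NF>1 {print $NF; exit} NR==2 {print $1; exit}'
}

# Read one attribute of one record from a directory node.
dscl_value() {
  node="$1"; record="$2"; attr="$3"
  dscl "$node" -read "$record" "$attr" 2>/dev/null | parse_dscl_value
}

# Check one user; prints a one-line verdict. Exit status: 0 stale, 1 current,
# 2 could not read the attributes (not bound, offline, or not a mobile account).
check_user() {
  user="$1"
  ft=$(dscl_value "$DS_NODE" "/Users/$user" "dsAttrTypeNative:pwdLastSet")
  cache_epoch=$(dscl_value /Local/Default "/Users/$user" SMBPasswordLastSet)
  if [ -z "$ft" ] || [ -z "$cache_epoch" ]; then
    echo "$user: could not read pwdLastSet from AD or SMBPasswordLastSet from the local cache"
    return 2
  fi
  ad_epoch=$(filetime_to_epoch "$ft")
  if cache_is_stale "$ad_epoch" "$cache_epoch"; then
    echo "$user: STALE cache (AD password set $(date -r "$ad_epoch"), cache refreshed $(date -r "$cache_epoch"))"
    return 0
  fi
  echo "$user: cache is current"
  return 1
}

# Jamf passes script parameters starting at $4; run the check only when a
# username was supplied so the file can also be sourced without side effects.
if [ -n "${4:-}" ]; then
  check_user "$4"
fi
```

Run it as a Jamf policy script with the username in parameter 4 (for the console user, `stat -f %Su /dev/console` gives the name to pass), or source it and call `check_user` by hand. A stale verdict is the cue to have the user re-authenticate from the Mac side (login window, Users & Groups, or the Kerberos extension, as the replies recommend) rather than to have an admin change anything on their behalf.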

BWonderchild
New Contributor III

So, my previous organization ran into this issue..... We ended up leveraging the NoMAD Software Suite to accomplish this.

Tharindu
New Contributor

Facing the same issue in my company environment as well. Passwords need to be changed from the Mac side only, not using the portal. If any user has changed their password from the portal, then you need to change the AD password back to the old one and then ask the user to change the password using the Mac machine. Otherwise you'll face a series of issues. Clearing the keychain and re-creating it works sometimes (I'm not an expert in Keychains so can't really comment on that), but if you are looking for a permanent solution, you had better send an SOP to Mac users on the steps that they need to follow.

In this issue Jamf really cannot do anything to sync the keychains.

Also, Jamf Connect might be a solution as well (I haven't tested that).