I created a policy to reset the Administrator password for all Macs (right now it's limited to just my test Mac). It works, however when I try to log on to any account on the system (not just the administrator) for the first time after the change I get a message that the system was unable to unlock your login keychain, with 3 choices:
Continue log in
Create new keychain
Update keychain password
Any idea what's happening here?
Totally normal behavior. The login.keychain uses the password for the account as its master password (meaning to unlock the entire login keychain), but if you use a policy to change the password for that account it's doing it from the command line and there's no way for the login.keychain to get updated at the same time in this fashion. So when you later log in with password "12345" the Mac sees that the password for your login.keychain was previously "abcde" and can't unlock it, since they no longer match.
That dialog, incidentally, will go down in the annals of computing as one of the most confusingly worded dialogs Apple has ever created. You need to click the "Update keychain password" button, but on the next screen you need to enter the password, not your current/new one. So many people get confused by this and enter their current password and it just shakes at them with no indication of what they are doing wrong.
As an aside, obligatory mention to look into tools like ADPassMon and such to help make the process of updating that password a little easier to do the next time around.
EDIT: Ok, in re-reading your post, I see you mentioned that you get this on any login after the change, not just the administrator one you changed. Are you certain about that? Because if so, something is wrong, since a policy resetting the password on one account should never affect other accounts. I would go back and take a closer look at the policy doing the resetting to make sure there isn't something set up wrong.
Also, what version of the JSS are you using for this? I'm hoping it's not some unknown before defect.
An easy solution is to have a script remove the administrator's ~/Library/Keychains folder; it will just get recreated on the first login after the change anyway.
There is also a bug in some applications where they create a blank file in place of the Keychains folder, which will generate errors on every login; the fix for this is to remove the file and replace it with an empty Keychains folder.
Both of the above will of course result in the loss of any saved passwords for the affected account.
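Putting the two suggestions above into one helper, as an added example that is not code from either reply: it sets the account's ~/Library/Keychains aside (whether it is the real folder or the stray file described above) instead of deleting it, then recreates an empty folder so the next login rebuilds login.keychain with the new password. The function name, the backup naming and the owner argument are assumptions; run it as root while the account is logged out.

```shell
#!/bin/sh
# Hypothetical helper (added example, not code from this thread) for a managed Mac
# after a scripted password reset. Run as root while the account is logged out:
#   reset_login_keychain /Users/admin [owner:group]
# Prints one of: created | moved-dir | moved-file
reset_login_keychain() {
  home="$1"
  owner="$2"
  kc="$home/Library/Keychains"

  if [ -e "$kc" ] || [ -L "$kc" ]; then
    # Set the old keychains aside instead of deleting them: saved passwords are
    # lost for the account either way, but the backup lets an admin recover data.
    stamp=$(date +%Y%m%d%H%M%S)
    n=0
    while [ -e "$kc.bak.$stamp.$n" ]; do n=$((n + 1)); done
    if [ -d "$kc" ] && [ ! -L "$kc" ]; then
      kind=moved-dir
    else
      # A stray file (or link) sitting where the folder should be: the bug above.
      kind=moved-file
    fi
    mv "$kc" "$kc.bak.$stamp.$n"
  else
    kind=created
  fi

  # Recreate an empty folder with the permissions macOS gives it; the next login
  # rebuilds login.keychain here using the new account password.
  mkdir -p "$home/Library" "$kc"
  chmod 700 "$kc"
  [ -n "$owner" ] && chown "$owner" "$kc"
  echo "$kind"
}
```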