I was told Apple finally fixed AD password syncing issues on macOS 10.14.4 several days ago, which I thought was great. (https://support.apple.com/en-us/HT209149#macos10144)
However, I confirmed a new issue while using 10.14.4: If I change my AD password outside of the Mac and use the new password to log in, normally it will require me to input the old password to update the keychain. This time, it did notify me about it, but there was no step to input the old password even when I chose "Update Keychain Password", and then it created a new keychain for me. As my company needs a cert to connect to wifi, this is pretty annoying.
If anyone has the same situation, you can try recovering your keychain by finding it in ~/Library/Keychains/XXXXXXX
Everything worked perfectly if I changed the password on the Mac, which the IT department does not recommend.
I'd appreciate it a lot if anyone can offer Apple's explanation (links or mail reply) about it. A solution would be even better.
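The recovery route the post above describes is a plain file copy out of ~/Library/Keychains. The script below is an added example, not code from the thread or from Apple: it backs up the login keychain file before a password change so there is a known-good copy to put back if macOS replaces it, and it restores that copy without deleting the keychain macOS created. The file names login.keychain-db and login.keychain, the backup naming scheme and the default directories are assumptions for illustration; check your own directory listing. The backup stays encrypted with the old login password, so it only helps a user who still knows that password.

```shell
#!/bin/sh
# Added example (not from the original thread or from Apple): back up and restore the
# login keychain file by plain copy, the recovery route described in the post above.
# Assumptions: the login keychain is login.keychain-db (modern) or login.keychain
# (legacy) under ~/Library/Keychains; both names and paths are illustrative.
set -u

# list_keychains DIR: print every keychain file directly under DIR, sorted by name
list_keychains() {
    dir="${1:-$HOME/Library/Keychains}"
    find "$dir" -maxdepth 1 -type f \( -name '*.keychain-db' -o -name '*.keychain' \) 2>/dev/null | sort
}

# backup_login_keychain DIR BACKUP_DIR: copy the login keychain to BACKUP_DIR with a
# timestamp suffix (name.<stamp>.bak), print the backup path, return 1 if none found
backup_login_keychain() {
    dir="$1"; out="$2"
    mkdir -p "$out"
    stamp=$(date +%Y%m%d-%H%M%S)
    for name in login.keychain-db login.keychain; do
        if [ -f "$dir/$name" ]; then
            cp -p "$dir/$name" "$out/$name.$stamp.bak"
            chmod 600 "$out/$name.$stamp.bak"
            echo "$out/$name.$stamp.bak"
            return 0
        fi
    done
    echo "no login keychain found in $dir" >&2
    return 1
}

# restore_login_keychain BACKUP DIR: put a backup made above back under its original
# name in DIR; a keychain already present (the fresh one macOS created after the
# password change) is renamed with a .replaced-<stamp> suffix rather than deleted
restore_login_keychain() {
    bak="$1"; dir="$2"
    [ -f "$bak" ] || { echo "backup $bak not found" >&2; return 1; }
    base=$(basename "$bak")
    name=${base%.*.bak}          # strip ".<stamp>.bak" to recover the original name
    target="$dir/$name"
    if [ -f "$target" ]; then
        mv "$target" "$target.replaced-$(date +%Y%m%d-%H%M%S)"
    fi
    cp -p "$bak" "$target"
    chmod 600 "$target"
    echo "$target"
}

# Usage: sh keychain_backup.sh list|backup|restore [args...]
case "${1:-}" in
    list)    list_keychains "${2:-$HOME/Library/Keychains}" ;;
    backup)  backup_login_keychain "${2:-$HOME/Library/Keychains}" "${3:-$HOME/keychain-backups}" ;;
    restore) restore_login_keychain "$2" "${3:-$HOME/Library/Keychains}" ;;
esac
```

Run `backup` while still logged in with the old password, change the password, and only run `restore` if the new login produced an empty keychain; after the restore, macOS will ask for the old password to unlock the restored keychain, which is the step the 10.14.4 dialog skipped.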
Interesting, as I have tested almost every single 10.14.4 password situation except for this one. I don't think I ever actually clicked "Update" to see if it worked.
I will test this out tomorrow.
You can take a look at all my testing on the Active Directory and local account fixes in 10.14.4.
Thanks for posting this, I have investigated and have also confirmed the issue. I wrote about it and posted a workaround for restoring the old login keychain.
I also included an open radar.
What I have never understood about this whole process is the need to have an end user enter their old Active Directory created keychain password to change to their new Active Directory created keychain password and not lose any of their keychain data. As someone who works in a Helpdesk capacity, I must assist users in changing their forgotten passwords. The need for an end user to know and enter their old password defeats the purpose of helping an end user change to a new password if they cannot remember their old password, which was the reason they called the Helpdesk for help in the first place.
We've had an enterprise support ticket open on this issue ever since it was discovered. It's been fixed in the Catalina betas, but we've been told that it won't be backported to Mojave. Unfortunate.
Super frustrated by this, which would seem to be a fairly straightforward fix, esp. on managed devices. Apple's now releasing security updates for Mojave that REMOVE FEATURES (e.g. the --ignore option) and ADD FEATURES (ability to understand MDM profile "Major Update" deferral) and are large enough to practically be a complete OS installation, but it does not bother to implement what is likely a trivial bug fix, thereby offloading an extensive effort onto macOS support teams. I shouldn't have to update my users to Catalina, which is its own bag of hurt for many kinds of user-facing prompts for permissions and access that cannot be managed, to resolve this bug. Apple ought to patch it in Security Update 2020-004 for macOS Mojave.
Open tickets with Apple Enterprise support. Make your voices heard.