macOS 12 Monterey 'Change Password' Grayed Out

GoingUndergroud
New Contributor II

Hi,

Users on macOS 12 clients are unable to change their passwords. The 'Change Password...' buttons in the following locations are grayed out:

System Prefs > Security & Privacy > General > Change Password

System Prefs > Users & Groups > User > Change Password

The buttons stay gray even when the padlock is unlocked.

This is for local and mobile clients.

My 10.14 clients do not have this problem... is it expected?

Thanks,

David.

1 ACCEPTED SOLUTION

GoingUndergroud
New Contributor II

Fixed.

In my testing this problem affects macOS 11 (Big Sur) and 12 (Monterey) clients but does not affect 10.14 (Mojave) clients.

So after a painstaking process (i.e. using a specific client and excluding specific Configuration Policies one-by-one, then restarting) I was able to narrow the problem down to a specific Configuration Profile.

I was then able to narrow it down to a specific payload within the Config Profile.

I found that the 'Finder' payload also pushes out 'Login Window Preferences' settings. These settings can be seen in System Preferences > Profiles > MyProfileName as soon as the Finder payload is created and saved.

On deleting the Finder payload from the relevant Config Profile & saving the changes, the Login Window Settings are immediately removed from the Profile on the client. After a restart the 'Change Password...' boxes are no longer greyed out and users can change their passwords.

I have not drilled down further to see if a specific setting in the Finder payload causes this problem. For now I have just deactivated the Finder payload and my users can change passwords once again.

TLDR: A quick fix is to remove any Finder payloads within Configuration Profiles you may be using.

2 REPLIES

ericbenfer
Contributor II

My guess is you have a Configuration Profile with the “Security and Privacy: General” payload.
That payload has a “Password Change” key. This can prevent users from changing their login password.

That is sometimes deployed along with Kerberos SSO to force users to change their password via the Kerberos Extension.
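
An added example, not part of the thread or of any vendor tooling: instead of excluding profiles one by one, this scans an export of the installed profiles for the two suspects named here, a Login Window payload (flagged when it arrives with a Finder payload) and the Security & Privacy "Password Change" restriction. Assumptions: the payload type identifiers and the `dontAllowPasswordResetUI` key come from Apple's profile reference rather than this thread, the plist layout is assumed to match what `profiles show -output stdout-xml` emits, and the sample profiles are constructed.

```python
import plistlib

LOGINWINDOW = "com.apple.loginwindow"        # Login Window payload type
FINDER = "com.apple.finder"                  # Finder payload type
SECURITY = "com.apple.preference.security"   # Security & Privacy payload type
PW_KEY = "dontAllowPasswordResetUI"          # the "Password Change" restriction

# Constructed sample; layout assumed to match `profiles show -output stdout-xml`.
SAMPLE = plistlib.dumps({"_computerlevel": [
    {"ProfileDisplayName": "Desktop Settings (constructed)",
     "ProfileItems": [
         {"PayloadType": FINDER, "PayloadContent": {"ShowHardDrivesOnDesktop": False}},
         {"PayloadType": LOGINWINDOW, "PayloadContent": {"SHOWFULLNAME": True}}]},
    {"ProfileDisplayName": "Kerberos SSO (constructed)",
     "ProfileItems": [
         {"PayloadType": SECURITY, "PayloadContent": {PW_KEY: True}}]},
    {"ProfileDisplayName": "Wi-Fi (constructed)",
     "ProfileItems": [{"PayloadType": "com.apple.wifi.managed", "PayloadContent": {}}]},
]})


def find_suspects(plist_bytes):
    """Return sorted (profile, payload type, reason) tuples to exclude first."""
    hits = []
    for profiles in plistlib.loads(plist_bytes).values():
        if not isinstance(profiles, list):
            continue  # skip anything that is not a per-scope list of profiles
        for prof in profiles:
            name = prof.get("ProfileDisplayName", "<unnamed>")
            items = prof.get("ProfileItems", [])
            types = {i.get("PayloadType") for i in items}
            for item in items:
                ptype = item.get("PayloadType")
                content = item.get("PayloadContent")
                content = content if isinstance(content, dict) else {}
                if ptype == SECURITY and content.get(PW_KEY) is True:
                    hits.append((name, ptype, f"{PW_KEY} is true"))
                elif ptype == LOGINWINDOW:
                    why = "login window settings"
                    if FINDER in types:
                        why += " delivered with a Finder payload"
                    hits.append((name, ptype, why))
    return sorted(hits)


if __name__ == "__main__":
    for name, ptype, why in find_suspects(SAMPLE):
        print(f"{name}: {ptype} ({why})")
```

On a managed Mac, replace `SAMPLE` with the bytes of the exported plist; profiles that appear in the result are the first candidates to exclude and retest.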
