Macs Prompting for AD User Change

jared_f
Valued Contributor

Hello All,

We are running into an issue where any Jamf domain-bound Mac is prompting for the user to reset his/her password on login. I have the bind pushing via a configuration profile (it was set up like that when I arrived). This only happens when a user arrives on campus for the first time or it is their first time logging into a campus Mac. As we are SSO w/ Google Apps this is causing loads of issues. AD team thinks it is our issue. Has anybody run into this?

Thank you,
Jared Flitt
John Carroll University ITS

4 REPLIES

alexjdale
Valued Contributor III

Interesting. It sounds like the AD flag to require a password change at next logon is set for new users, which is a pretty common AD config. The AD team confirmed that's not the case?

jared_f
Valued Contributor

@alexjdale They have confirmed so. These are users that have previously used their logins on campus. Weird issue :/

mark_mahabir
Valued Contributor

Interesting. I have run into this over the last 12 months or so on our lab Macs, but don't yet have a solution.

The issue was present in macOS 10.12 and remains after upgrades to 10.14. We use an AD binding script rather than a configuration profile.

Incidentally, I've never seen the issue on our staff, non-lab Macs. The only difference there is that we re-use values for the uidNumber and gidNumber attributes in AD from our LDAP server (used for our Linux machines). Our lab iMacs use system-generated values for these attributes.

The plan here is to move to either NoMAD or Jamf Connect in the next year or so and come away from AD binding. That project will also involve us leveraging the Jamf AD-CS Connector as our staff Wi-Fi network relies on device-based authentication from domain joined computers.

mark_mahabir
Valued Contributor

Looks like someone else has seen the issue in this thread.