I have the problem that for some time now password changes for the mobile account have not been working properly. The passwords are changed via the Active Directory and the password is also synced to the devices, but it is not changed completely. Instead of one password prompt upon login there are now two. The first one accepts the old password and the second one accepts the new password. It seems that the first password unlocks the hardware and the second one the account. Before, it was all done by the same password. Also I should mention that if I change the network password again, it will only affect the second password (that was the new one in the first place); the old password always stays.
Anyone have any experience with this?
Thanks for the help!
I have no idea how the passwords sync back to the AD, I didn't even think that was necessary. I just took over from my predecessor, who did not really explain that much. How can I find this out?
Also it is a mix of VPN and wired users, but the issue persists with both methods.
In our case, our Active Directory is on-premise and our network relies on a VPN connection to talk back to AD as everyone is working from home still. If this VPN connection breaks during the change or sync back to Active Directory we notice the two password issue.
We have a few fixes, but it would be good to find out how your connection is established first. On a Mac when you open System Preferences, Users & Groups and then click Login Options does it show a Network Account Server connected here?
This should not be the case, because employees are only supposed to change their password when they are on premises, so an interruption of the VPN connection should not be the issue.
Yes, it does show a Network Account Server connected.
Okay and the passwords, are they changed on the macOS devices through System Preferences?
It would be good to establish whether the devices are talking to this server - normally we open Terminal and run a ping to the server address to see what response is given.
No, the passwords are changed via a web service that interacts with the AD. Our organisation is a bit bigger, so this is the only way to change the password. Changing the password via System Preferences is disabled.
Hmm okay, sorry to say I might be out of ideas here.
It could still be the connection between AD and the end user; although the password change goes through, maybe the connection does not stay stable enough to sync back to the device. The issue with password syncs is one I hate - the main reason we're looking at Jamf Connect.
Sorry I couldn't help anymore!
Sorry to inform you that I have not found a solution for this. I think what happens is that the FileVault password cannot be changed by an external service after it has been set. So users that change their passwords have to live with the fact that they now have to put in two passwords.
I hope to some day migrate to Kerberos Single Sign-On; I hope that resolves this issue permanently.