Passcode Configuration Profile and Active Directory Passwords

We have AD-bound Macs in our Jamf environment. Our AD passwords expire after 90 days. We would like to force the change of the local break glass accounts on the Macs every 90 days, as well. I'm trying to avoid flak from users who might have changed their AD password a couple of days ago.

If we deploy a configuration profile that includes the Maximum Password Age set to 90 days (the same as our AD policy), does anyone know if that will conflict with the AD policy? 


macOS really does not give two poops about AD, even when domain bound. While, yes, you are using a "mobile" account on macOS, macOS itself really does not care what AD is doing or telling that account to do.


  • If you push a configuration profile with tighter password requirements than what your AD tenant has, expect the users to be forced to change their password at login. If the password change fails to sync to AD, then the user's account on the Mac will have a different password than their AD password.
  • If you push a configuration profile with a password configuration that matches your AD tenant, I would expect most users would not notice anything. There is always a risk of a one-off.
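A pre-flight check that captures the distinction the reply draws (tighter vs. matching): parse the Passcode payload out of a .mobileconfig and classify each setting against the AD policy before it goes out. This is an added example, not code from the original thread, from Jamf, or from Apple. The profile is constructed inline; the payload keys `maxPINAgeInDays`, `minLength`, `pinHistory` and `maxFailedAttempts` are real Apple Passcode payload keys, while the `AD_POLICY` values and the payload identifiers are assumptions.

```python
"""Pre-flight check: compare a macOS Passcode configuration profile against an
Active Directory password policy before deploying it.

Added example (not from the original post, Jamf or Apple). The mobileconfig
below is constructed inline; AD_POLICY values and payload identifiers are
assumed placeholders."""
import plistlib

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Assumed AD domain policy, expressed in the same units as the Passcode payload.
AD_POLICY = {
    "maxPINAgeInDays": 90,   # AD maximum password age (days)
    "minLength": 8,          # AD minimum password length
    "pinHistory": 5,         # AD "enforce password history"
    "maxFailedAttempts": 10, # AD lockout threshold
}

# For each key: True if a larger value is stricter, False if a smaller value is.
LARGER_IS_STRICTER = {
    "maxPINAgeInDays": False,
    "minLength": True,
    "pinHistory": True,
    "maxFailedAttempts": False,
}

# Constructed sample profile with a single Passcode payload, as an MDM would export it.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.passcode.breakglass",  # placeholder identifier
    "PayloadDisplayName": "Break-glass password policy",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.passcode.breakglass.1",  # placeholder
        "PayloadVersion": 1,
        "maxPINAgeInDays": 60,    # tighter than the assumed 90-day AD policy
        "minLength": 8,           # matches AD
        "pinHistory": 5,          # matches AD
        "maxFailedAttempts": 10,  # matches AD
    }],
})


def passcode_payloads(mobileconfig: bytes) -> list:
    """Return every Passcode payload found in a .mobileconfig plist."""
    profile = plistlib.loads(mobileconfig)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]


def compare_to_ad(payload: dict, ad_policy: dict = AD_POLICY) -> dict:
    """Classify each key the profile sets as 'tighter', 'matches' or 'looser' than AD.
    Keys the profile leaves unset are skipped: macOS then applies its own default."""
    result = {}
    for key, ad_value in ad_policy.items():
        if key not in payload:
            continue
        value = payload[key]
        if value == ad_value:
            result[key] = "matches"
        elif (value > ad_value) == LARGER_IS_STRICTER[key]:
            result[key] = "tighter"
        else:
            result[key] = "looser"
    return result


def tighter_keys(mobileconfig: bytes, ad_policy: dict = AD_POLICY) -> list:
    """Keys set more strictly than AD; these are the settings that can push
    users into a password change at login, with the local/AD drift risk the
    reply above describes if that change then fails to sync."""
    keys = set()
    for payload in passcode_payloads(mobileconfig):
        verdicts = compare_to_ad(payload, ad_policy)
        keys.update(k for k, v in verdicts.items() if v == "tighter")
    return sorted(keys)


if __name__ == "__main__":
    for payload in passcode_payloads(SAMPLE_PROFILE):
        for key, verdict in compare_to_ad(payload).items():
            print(f"{key:18} profile={payload[key]:>3} AD={AD_POLICY[key]:>3}  {verdict}")
    print("may force a change at login:", tighter_keys(SAMPLE_PROFILE))
```

Run it against an exported profile by replacing `SAMPLE_PROFILE` with the file's bytes; an empty result from `tighter_keys` is the "matches your AD tenant" case where users should notice nothing.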