Posted on 07-16-2015 12:29 PM
We've got an office full of Macs, all bound to our Active Directory. Ever since I've worked for this company, none of the users have been able to change their password via the Users & Groups preference pane, or during the login process.
I don't manage the Active Directory, so I always just assumed it was something with the way the directory was set up, and not something I could change. I just found out that the other offices in the company have no issues with this.
The problem is that whenever a user tries to change their password, either through Users & Groups or during the login process, they get a popup saying that their password does not meet the organization's password policy. I've tested and verified that this happens, even when the password does meet the policy.
I don't know a ton about Active Directory or the binding process, other than how to bind a machine and create a mobile account. I'm not even sure where to start with the troubleshooting process, and Google hasn't been much help. Any suggestions on where I could start?
Posted on 07-16-2015 12:41 PM
Are they using a brand new password? AD doesn't like when the original password is Foob@r1 and the new one is Foob@r2
Posted on 07-16-2015 12:58 PM
@corbin3ci That was a good thought. I just tested that, and it has the same issue, even if the password is completely different.
Posted on 07-16-2015 01:17 PM
It depends on AD Password Policy. Some allow the same password.
I wonder if there is some issue with the Macs at this office connecting/contacting the local domain controller.
@ihalvorson Is the Domain Controller local to the clients? Any firewall etc? Also, is the output of the below the same at all Macs across all sites:
sudo dsconfigad -show
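Added example, not part of the original thread: one way to do the comparison suggested in the post above, by saving the `dsconfigad -show` output from a Mac at each site and listing the settings that differ. The sample output, host names and the example.com domain are constructed for illustration.

```shell
#!/bin/sh
# Compare two saved copies of `sudo dsconfigad -show` output and list every
# setting whose value differs. Returns 0 when they match, 1 otherwise.
compare_dsconfigad() {
    out=$(awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        index($0, "=") == 0 { next }            # section headers, blank lines
        {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "Computer Account") next # unique per machine by design
            seen[key] = 1
            # NR == FNR holds only while awk is reading the first file
            if (NR == FNR) a[key] = val; else b[key] = val
        }
        END {
            for (k in seen) {
                if (a[k] != b[k]) printf "%s: [%s] vs [%s]\n", k, a[k], b[k]
            }
        }' "$1" "$2" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample output (hypothetical hosts and domain), one file per Mac.
tmp=$(mktemp -d)
cat > "$tmp/office-a.txt" <<'EOF'
Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac-a01$

Advanced Options - Administrative
  Preferred Domain controller    = dc1.example.com
  Packet signing                 = allow
  Password change interval       = 14
EOF
cat > "$tmp/office-b.txt" <<'EOF'
Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac-b07$

Advanced Options - Administrative
  Preferred Domain controller    = <not set>
  Packet signing                 = allow
  Password change interval       = 14
EOF

compare_dsconfigad "$tmp/office-a.txt" "$tmp/office-b.txt" || echo "settings differ"
```

On real machines, redirect the command's output to a file on each Mac (for example `sudo dsconfigad -show > office-a.txt`) and pass the two files to the function.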
Posted on 07-29-2015 09:54 AM
I have a little more insight on this. I was unaware that part of our password policy here is that passwords cannot be changed within 15 days of the most recent password change.
I think this was what was going on in this specific instance, but I feel some of our users still have the issue, even if it's been over 15 days. I'll keep investigating.
@bentoms Thank you for the advice. I'll look into the Domain Controller / firewall possibility.