Question

Changing AD passwords for Managed Mobile Accounts

  • February 24, 2015
  • 7 replies
  • 23 views


We have all of our users in Active Directory, which is the primary authentication for their credentials on Windows machines, Apple machines, 802.1x, as well as other systems (SIS, LMS, etc).

I would like to use a tool like ADPassMon or Netwrix to allow users to change their AD password remotely. However, I don't believe this will actually change their password for their Mac laptops since it has already cached their credentials. Is there a way to force the Mac to check for new credentials, or is this restricted to the login screen? If the latter, then I'll need to work on a login window wireless profile (which has been giving me the business lately).

Any thoughts?

7 replies

  • New Contributor
  • 596 replies
  • February 24, 2015

If the user is a mobile user, using the Accounts system preference pane whilst on the network and able to communicate with the DC *should* change the password in AD, assuming the user is authorised to do so.


  • Valued Contributor
  • 173 replies
  • February 25, 2015

I use a custom script which prompts for their old and new passwords, and at its core, consists of:

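# Find the Active Directory node in the search policy, stripping leading whitespace
SEARCHPATH="$(dscl localhost -read /Search CSPSearchPath | grep -m 1 "Active" | sed 's/^ *//')"
# Change the password through that node (CURPASSWORD and NEWPASSWORD come from the prompts)
dscl "$SEARCHPATH" passwd "/Users/$USER" "$CURPASSWORD" "$NEWPASSWORD"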

Which changes the password on the AD and on the Mac at the same time (being a mobile account, OSX has the smarts to do both).

I also update the keychain with:

security set-keychain-password -o "$CURPASSWORD" -p "$NEWPASSWORD"

There's a bunch of other stuff I do, but that's basically it.
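
The flow described in the reply above, written out as an added example (this is not the poster's script): it wraps the same `dscl` and `security` commands in ordered checks so the keychain is only re-keyed after the directory change succeeds. The function names, return codes and the `--run` switch are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (constructed), built around the dscl and security commands quoted above.
# Assumption: it runs in the logged-in mobile user's own session.

# First Active Directory node in the search policy.
ad_node() {
    dscl localhost -read /Search CSPSearchPath | grep -m 1 "Active" | sed 's/^ *//'
}

# Hidden-answer dialog; $1 is a fixed label from this script, not user input.
prompt_password() {
    osascript -e "text returned of (display dialog \"$1\" default answer \"\" with hidden answer)"
}

# Return codes: 0 ok, 1 bad input, 2 no AD node found, 3 current password rejected,
# 4 AD change failed (keychain left untouched), 5 keychain update failed.
change_ad_password() {
    local user="$1" cur="$2" new="$3" confirm="$4" node
    # Refuse empty, mismatched or unchanged passwords before touching the directory.
    { [ -n "$new" ] && [ "$new" = "$confirm" ] && [ "$new" != "$cur" ]; } || return 1
    node="$(ad_node)"
    [ -n "$node" ] || return 2
    # Check the current password first, so a typo fails here rather than mid-change.
    dscl "$node" -authonly "$user" "$cur" >/dev/null 2>&1 || return 3
    # Passwords passed as arguments are visible to other local processes
    # (for example in ps output) while each command runs.
    dscl "$node" passwd "/Users/$user" "$cur" "$new" || return 4
    # Only re-key the login keychain once the directory change has succeeded.
    security set-keychain-password -o "$cur" -p "$new" || return 5
}

# Prompt and run only when called with --run.
if [ "${1:-}" = "--run" ]; then
    cur="$(prompt_password "Current password")"
    new="$(prompt_password "New password")"
    again="$(prompt_password "New password again")"
    change_ad_password "$USER" "$cur" "$new" "$again"
    echo "change_ad_password returned $?"
fi
```

A caller can map the return code to a user-facing message, for example telling the user that the AD password changed but the keychain still needs updating when the code is 5.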


  • Author
  • Contributor
  • 32 replies
  • February 25, 2015

@calumhunter I'll have to check that out. That would be great. Thanks.

@Aaron Do you just place this script in self service then? Thanks.


  • Valued Contributor
  • 173 replies
  • February 25, 2015

@rcastorani - Yes, I use osascript for all my prompts, but you could probably do the same with cocoaDialog or jamfhelper. Then I just make it available as an "ongoing" policy in Self Service. It's just a matter of training staff to change their password from there when possible, and ignoring the password expiration prompt on the login screen (you can turn that off with MCX, but I've had limited success with it).


  • New Contributor
  • 596 replies
  • February 25, 2015

@Aaron, have you had no luck using the accounts system preference to make the password change?


  • Valued Contributor
  • 173 replies
  • February 25, 2015

@calumhunter - I do some fancy stuff with the keychain (primarily to do with our proxy) so the system preferences method is insufficient for my needs. I find it's less headache for me and my users if they just have a one-click method that does it all for them.


  • Honored Contributor
  • 289 replies
  • August 2, 2017

@Aaron Would you be able to share that script?