
Glidewill

macrumors newbie
Original poster
Dec 10, 2018
4
0
Hello all,
My apologies if this post belongs elsewhere, I'm new to the site.
This issue appeared in the past month and has been plaguing the entire office slowly as their passwords are each expiring at different times.

Windows Server 2008 R2 Standard with a mix of PC and Mac computers.
MacBooks are configured to use mobile accounts for offline use.

Recently clients started experiencing issues whenever the domain password expires.
The MacBook will prompt for the user to change their password.
User is able to sign into their account and everything appears to be working correctly.

However, if the Mac is locked or the user's account is logged out, the MacBook will prompt to change the password again during the next sign in.
In the past, attempting to reset the password again will cause issues with the keychain and the domain credentials.

Strangely enough, if the computer is restarted once again without attempting to change the password, the most recent credentials will work.
This issue repeats itself over and over.

The affected MacBooks are using a mix of High Sierra and Mojave.

I'm sure there are many pieces of information I'm leaving out that are necessary to troubleshoot. I'm available to answer any questions.

Thank you ahead of time!
 

unglued

macrumors 6502
Feb 20, 2016
257
96
Sounds like user credentials are getting cached somewhere. If I had to guess I would say on the client devices if that's even the issue. After changing their password can they log on remotely (i.e. over VPN) with the new password?
 

Glidewill

macrumors newbie
Original poster
Dec 10, 2018
4
0
Thanks for your reply. I have not tried to log in remotely with the user's credentials and do not believe they have that ability. I can confirm the password change is making it to the DC each time by accessing the account on a Windows PC. I have discovered that using a PC to change the password, then removing the user's ability to change their password (from the user account properties) provides us with a workaround. This is messy but works until the problem can be identified.
 

northernmunky

macrumors 6502a
Jan 19, 2007
837
302
London, Taipei
I'm adminning a mix of Macs and PCs on a network all connected to Windows Server 2012 R2 Active Directory and had similar problems, but mostly being when users change their passwords on Macs, they are then asked to update their keychain password, and of course clicking on the wrong box results in the user being bombarded with password prompts for a password they can't remember!

Anyway I'm in the process of solving this problem with https://nomad.menu/, they've recently been bought out by JAMF. There's a neat little menubar item that will tell you when your password will expire, which you can change using the app, and it will also update your user's keychain password in the process.

There's also a full-on login screen replacement and it allows you to have users log in via AD, but without actually binding your Mac to Active Directory, and you can customise it with company logos etc.
 

Glidewill

macrumors newbie
Original poster
Dec 10, 2018
4
0
Thank you so much for this suggestion, this might be the best course of action as it appears there are no "fixes", only workarounds. Thank you again for taking the time!
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,100
902
on the land line mr. smith.
I am using the free version of NoMAD on about 70 machines, and it works wonderfully. A learning curve for users when they reset passwords, but the best solution I am aware of for this vexing issue.

Pretty sure that JAMF has committed to keeping the open source/free version of NoMAD available.

NoMAD allows the PW to be synced, without being bound, and allows the user to update the local PW once, instead of a flood of keychain nags.
 

Glidewill

macrumors newbie
Original poster
Dec 10, 2018
4
0
I'm excited to try this setup. Thank you for your help!
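
The expiry warning discussed in this thread can be derived from three standard Active Directory attributes (pwdLastSet, maxPwdAge, userAccountControl). The following is an added example, not part of the original posts and not NoMAD's code; it assumes the domain-wide maxPwdAge applies (no fine-grained password policy), and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores timestamps as 100-nanosecond ticks since 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl flag
NO_EXPIRY = -0x8000000000000000       # maxPwdAge value meaning "never expires"


def dt_to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks (used to build sample input)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def filetime_to_dt(ticks):
    """Convert FILETIME ticks to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return (state, when): state is 'never', 'must_change' or 'expires'."""
    if uac & DONT_EXPIRE_PASSWORD:
        return ("never", None)
    if pwd_last_set == 0:             # "User must change password at next logon"
        return ("must_change", None)
    if max_pwd_age in (0, NO_EXPIRY):
        return ("never", None)
    # maxPwdAge is stored as a negative interval, so subtracting adds the age.
    return ("expires", filetime_to_dt(pwd_last_set - max_pwd_age))


def days_left(pwd_last_set, max_pwd_age, uac, now):
    """Whole days until expiry (negative if already expired), or None."""
    state, when = password_expiry(pwd_last_set, max_pwd_age, uac)
    return (when - now).days if state == "expires" else None


if __name__ == "__main__":
    # Constructed sample: password set 2018-11-01, 42-day domain policy,
    # normal enabled account (userAccountControl 0x200).
    last_set = dt_to_filetime(datetime(2018, 11, 1, tzinfo=timezone.utc))
    max_age = -42 * 86400 * 10**7
    today = datetime(2018, 12, 10, tzinfo=timezone.utc)
    print(password_expiry(last_set, max_age, 0x200))
    print(days_left(last_set, max_age, 0x200, today), "days left")
```

Comparing this computed date with what the Mac's login prompt claims helps tell a genuinely expired password apart from a stale locally cached state.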
 