t3HW41ru5 (3rd October 2011)
Strange problem...don't know if this is something general or something wrong in our setup.
All our Macs are bound to AD. Log on fine, but when a password expires, or we set it to change on next logon in AD, it won't let a user change it when they log onto a Mac. It brings up all the right boxes, says you need to change your password, but whatever you write and confirm, the box just shakes.
Log onto a Windows box and it's fine.
I will look into it more, more than likely some error is being logged on the client, but just wondered if anyone else has come across this?
Password changes are quite broken on 10.5 and completely broken on 10.4
No idea how 10.6 is doing. Rebooting the client after the change can help.
Ah well that's sort of good news then, at least we're not doing anything wrong!
Running 10.5 here
If you use Keychain Minder 1.3 for Tiger:
AFP548 - Keychain Minder 1.3
Keychain Minder 1.5 PPC / Intel binary:
AFP548 - Keychain Minder 1.5
as per the 2nd last post here
Change a Mac User's AD Password from OS X? - Topic Powered by Social Strata
does that help at all - obviously you need to make it a startup item
I run about 60 AD connected Macs and I haven't been able to get password change to work reliably with 10.3.9.
Tiger clients work well, but I've pretty much given up on the 10.3 clients and we're updating them to 10.4. AD integration functionality is a big reason for this.
Keychain Minder is great for making sure that AD and Keychain passwords stay in sync. Put it in StartUp Items.
I also saw mentions of going into System Preferences --> user account pane to change the password, not sure if that makes any difference but obviously if you have changed their password before they login and set it to automatically change password at logon not sure how you would fix that aside from obviously logging into a PC and changing the password and going from there.
For Snow Leopard I have found the below (also per pdf attached)
Sync the keychain passphrase with the login account password in Snow Leopard | Jaharmi's Irreality
Last edited by mac_shinobi; 23rd February 2010 at 02:46 PM.
The password change happens before log-on so is unaffected by the keychain. It's the AD directory client that is broken.
Sorry to reopen an old thread (I know it's frowned upon) but I am having the same problems here with the Macs at my school. We are running 10.6.2 and I've just had one class login perfectly, no problem at all, then the next class all of them got a message telling them to change their passwords and giving them a change password option. When they tried to change the password, the box just shakes.
I'm wondering has this issue been addressed in Snow Leopard or is it still broken as this will affect (and break) our whole networking "golden triangle" model, pretty much making the Macs unpredictable and almost useless. No one wants to use a classroom if one day students can log in and then next they can't.
Does anyone have any ideas how to fix this or 3rd party programs to fix the AD directory client that is broken (as DMcCoy said above)?
This is rather urgent :-/
Thank you very much
Like Jamie Klein, sorry to open up an old thread, but I'm in the same boat. I am running a majority Mac environment, all with OSX 10.6. I get the same problem as sidewinder, and I am completely lost as to what to do. The only thing my searches have brought up regarding this issue is it's some sort of Kerberos error involving time, but I've seen a lot of those errors before, and they usually throw an actual error. This just makes the box shake and refuses to accept the password change.
The Macs will login fine as long as I do not say "Force User to Change Password". However, the moment I check that in AD, and I try to login on the Mac, it takes me to the right screen to change the password, but it does let me actually change it, the screen just shakes.
Bit desperate here so anything anyone may know about this would be a huge help and the person would have my eternal gratitude.
Right after I posted this, I got an answer from one of the SysAdmins in our office. It turns out my searches telling me Time Sync was to blame proved to be correct. The issue was that the Windows Server was off by 4 minutes from time.windows.com. Since time.apple.com and time.windows.com actually pull from the same source, it should be the same. I had done some tests on my local machine to see about this error, but nothing I did seemed to change the time on my local machine. I asked one of our SysAdmins here in the office to look into it with me, and they were able to resync the Windows server using commands found here:
You will need to have Command Prompt running in Administrator to pull this off. Once I resynced the time, it allowed users to change their passwords fine. This answer may not apply to everyone, but figured I'd try to offer what I can. Thanks!
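The clock-skew cause described in the post above can be checked by measuring the offset between a client and its time source. The following is an added example, not part of the original thread: it parses an SNTP server reply and compares the computed offset against a Kerberos skew limit. The function names are hypothetical, the reply bytes are constructed so it runs offline, and the 300-second limit is an assumption (the usual Kerberos default; a domain's policy may set a different value).

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300.0      # assumed limit: the usual 5-minute Kerberos default

def to_ntp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (seconds + fraction)."""
    secs = int(unix_time)
    return struct.pack("!II", secs + NTP_EPOCH_DELTA, int((unix_time - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_reply(t1, t2, t3):
    """Constructed SNTP server reply (version 3, mode 4), so no network is needed."""
    header = struct.pack("!BBbb", (3 << 3) | 4, 2, 6, -20) + bytes(12)
    # reference, originate (client send), receive, transmit timestamps
    return header + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

def clock_offset(reply, t4):
    """Server-minus-client clock offset in seconds; t4 is the client receive time."""
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    if reply[0] & 0x07 != 4:
        raise ValueError("packet is not a server reply (mode 4)")
    t1, t2, t3 = (from_ntp(reply[i:i + 8]) for i in (24, 32, 40))
    return ((t2 - t1) + (t3 - t4)) / 2

def within_skew(offset, limit=KERBEROS_MAX_SKEW):
    """True when the measured offset is inside the configured skew limit."""
    return abs(offset) <= limit

def simulate(server_ahead, sent=1317600000.0, one_way=0.05, processing=0.001):
    """Constructed exchange with a server whose clock is server_ahead seconds off."""
    t2 = sent + one_way + server_ahead
    t3 = t2 + processing
    t4 = sent + 2 * one_way + processing
    return clock_offset(build_reply(sent, t2, t3), t4)

if __name__ == "__main__":
    for ahead in (12.5, 420.0, -420.0):   # constructed sample offsets
        off = simulate(ahead)
        print(f"offset {off:+.3f}s -> {'ok' if within_skew(off) else 'exceeds limit'}")
```

Against a live time source, `clock_offset` would take the 48 bytes returned by the server and the local receive time in place of the constructed values.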