How to change the password on an AD-bound Mac to match what’s already in AD

Tags: active-directory, password

My Mac at work is bound to our Active Directory domain. It's managed with JAMF, and I have NoMAD installed.

The last time I came due for a password change (every sixty days), an unknown issue prevented me from executing the change from my Mac. Our IT folks couldn't figure out the issue, so I was forced to do my AD password change from a Windows PC elsewhere on the network. This left my Mac's login password, as well as my Keychain and Filevault passwords, the same as before.

As I understand it, NoMAD was supposed to detect that they were out of sync and automatically fix it for me, but that hasn't happened. I have not been able to determine why.

Our IT folks are Windows guys. One of them knows the Mac reasonably well, but he's not an expert in this area and he's stumped.

This was all 56 days ago, so I'm about due to change my password again. I tried to do it in System Preferences -> Users & Groups, which is my normal method, but it fails with the same mysterious error I got last time — it says the server is not available.

[screenshot: error message showing server unavailable]

As far as I can tell, the server is available. But this isn't the point.

When that failed, I tried changing with NoMAD, but I can't. The error message is the generic "local password doesn't meet policy requirements", and I assume it's because my local password isn't the same as the one in AD, so when it tries to confirm my old password, it can only succeed for one of the two backing systems. I've tried both old passwords; same error.

So, my question: What, if anything, can I do to update my Mac's local, keychain, and Filevault passwords that will not try to update AD?

Things I've tried:

  1. Users & Groups sysprefpane, as described above
  2. Changing with NoMAD, as described above
  3. Using passwd at the terminal. Same results for both old passwords:

    % ~ passwd
    Changing password for jrobb.
    Old Password:
    New Password:
    Retype New Password:
    passwd: general failure
    
  4. Repeat #1 while disconnected from the network. Same "server is not available" message — and this time I believe it!

  5. Repeat #2 while disconnected from the network. Same "local password doesn't meet policy requirements" as before.

If it matters, I'm running 10.14.6.

UPDATE: After unbinding and re-binding my Mac to the AD domain, my Mac's password was synced up with AD. But then I encountered the same "server is not available" error when trying to change the password from Users & Groups, forcing me to use another method to update my AD password, and now they're out of sync again.

Best Answer

As I understand it, the correct way to change domain passwords should be kpasswd, which should update both local computer and domain passwords.

Note that I'm not in a position to test this right now, but something like:

    > kpasswd myusername@FULLADDOMAIN.COM
    myusername@FULLADDOMAIN.COM's Password: 
    New password for myusername@FULLADDOMAIN.COM: 
    Verify password - New password for myusername@FULLADDOMAIN.COM: 
    Success

I'll try and test this out and update this post.
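A diagnostic and re-sync script for the situation described in the question, added here as an example; it is not part of the question or of the answer above, and it is not JAMF's or NoMAD's tooling. It tries each candidate password (the old one and the new AD one) against the three stores that can be probed from a shell on a bound Mac, reports which store accepts which, and can then rewrite the cached local password and the login keychain password without sending a change request to AD. Assumptions not stated on the page: the account is a mobile (cached) account in the local directory node, the AD forest name is what `dsconfigad -show` reports, and `dscl . -passwd` on such an account only rewrites the locally cached hash. The script name, the `diagnose`/`resync` sub-commands and the sample user name are invented for the example.

```shell
#!/bin/bash
# ad-pw-sync-check.sh -- added example, not code from the original post.
# Finds out which candidate password each password store on an AD-bound Mac
# accepts, then optionally re-syncs the local account and login keychain to
# the AD password WITHOUT asking AD to change anything.
# Assumptions (not from the page): mobile account cached in the local node,
# forest name taken from `dsconfigad -show`, and `dscl . -passwd` on a mobile
# account only rewrites the local cached hash. FileVault cannot be probed
# non-interactively, so it is reported but never changed here.
# Caveat: passwords passed as arguments are visible in `ps` for the duration.

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Directory node for the bound forest, e.g. "/Active Directory/CORP.EXAMPLE.COM/All Domains".
ad_node() {
  local forest
  forest=$(dsconfigad -show 2>/dev/null | awk -F' = ' '/Active Directory Forest/ {print $2}')
  [ -n "$forest" ] && printf '/Active Directory/%s/All Domains\n' "$forest"
}

# Checkers share one shape: $1 = user, $2 = password; exit 0 if accepted.
local_accepts()    { dscl . -authonly "$1" "$2" >/dev/null 2>&1; }
ad_accepts()       { dscl "$(ad_node)" -authonly "$1" "$2" >/dev/null 2>&1; }
keychain_accepts() { security unlock-keychain -p "$2" "$LOGIN_KEYCHAIN" >/dev/null 2>&1; }

# first_accepted CHECKER USER PW... -> prints the 1-based index of the first
# password CHECKER accepts; prints nothing and returns 1 if none is accepted.
first_accepted() {
  local checker=$1 user=$2 i=0 pw
  shift 2
  for pw in "$@"; do
    i=$((i + 1))
    if "$checker" "$user" "$pw"; then
      echo "$i"
      return 0
    fi
  done
  return 1
}

# classify LOCAL_IDX AD_IDX -> in-sync | out-of-sync | unknown
classify() {
  local l=${1:-none} a=${2:-none}
  if [ "$l" = none ] || [ "$a" = none ]; then echo unknown
  elif [ "$l" = "$a" ]; then echo in-sync
  else echo out-of-sync
  fi
}

# diagnose USER PW... -> which store accepts which candidate password.
diagnose() {
  local user=$1; shift
  local l a k
  l=$(first_accepted local_accepts "$user" "$@")    || l=none
  a=$(first_accepted ad_accepts "$user" "$@")       || a=none
  k=$(first_accepted keychain_accepts "$user" "$@") || k=none
  printf 'local node : candidate %s\nAD         : candidate %s\nkeychain   : candidate %s\n' "$l" "$a" "$k"
  if fdesetup list 2>/dev/null | grep -q "^$user,"; then
    echo "filevault  : enabled for $user (not probed; verify at the pre-boot login)"
  fi
  echo "state      : $(classify "$l" "$a")"
}

# resync_local USER OLD_LOCAL_PW AD_PW -> rewrite the cached local password and
# the login keychain password to the AD password. AD is never sent a change.
resync_local() {
  local user=$1 old=$2 new=$3
  dscl . -passwd "/Users/$user" "$old" "$new" &&
  security set-keychain-password -o "$old" -p "$new" "$LOGIN_KEYCHAIN"
}

# usage: ./ad-pw-sync-check.sh diagnose jrobb 'OLD_PW' 'NEW_AD_PW'
#        ./ad-pw-sync-check.sh resync   jrobb 'OLD_PW' 'NEW_AD_PW'
case "${1:-}" in
  diagnose) shift; diagnose "$@" ;;
  resync)   shift; resync_local "$@" ;;
esac
```

Run `diagnose` first with both passwords as candidates: the symptom in the question (local node and keychain accepting candidate 1, AD accepting candidate 2) shows up as `state : out-of-sync`, which tells you that any tool confirming the "old" password against both stores at once, as the Users & Groups pane, `passwd` and NoMAD do, will always fail for one of them. Only after the report says the AD candidate is the one you intend to keep should you run `resync`. Whether the FileVault pre-boot password follows the local change depends on the account's secure-token state, which this script does not check; confirm at the next reboot.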