MacOS – Local Items keychain and server-based accounts

Tags: keychain, macos, mail.app, passwords, ssh

We've been trying to figure out this issue for a long time, but haven't had any luck. I have two examples of related issues.

Our environment consists of an Apple server that has many user accounts on it (50+). We have 20+ iMacs updated to Sierra 10.12.4 that users can log in to with these network accounts. The issue we're having is that certain passwords are being saved to these accounts' "Local Items" keychain.

For example, if I type in a mail password for user Bill at Desk 7, it will save to the Local Items keychain. Any time Bill sits at Desk 7, his mail will work without having to type in a password again. But if Bill moves to Desk 8, we have to type in his password again. With 50+ users at 20+ desks, that's 1000+ times we have to type in a password for someone. Originally, this wasn't a problem… I believe prior to Yosemite, Mail saved and checked those passwords in the Login keychain, which travels with the user no matter what desk they log in at. The Local Items keychain does not travel with the user; it is local based on what desk they sit at.

With Sierra, another app is saving to the Local Items keychain. Our users have SSH keys created for some of their ssh logins. Originally, these saved to the Login keychain, and now they save to Local Items. Same problem. We have to re-type the passphrase tied to the SSH key at every individual desk in order for their ssh accounts to log in automatically.

So I ask you, is there a better way to do this? It would save us a lot of micro-management if there was.

(New user, so if there is a better place to ask this, please let me know.)

Best Answer

We were encountering the same issue. Although we did not have any SSH payloads for the users, we do have Apple Mail set up for them.

After having a panic attack over the confusion wrought by this keychain change, I decided to use Profile Manager on the OD Server (ours is OSX) to configure the Apple Mail payloads (for individual users/ user-groups).

I believe it's possible to configure SSH Payloads in this manner as well. Apple seems to be relegating more and more functionality into PM akin to Group Policy on Windows.
