Mountain Lion – Password Expiration for OS X Bound to Active Directory


We have 10 MacBook Pros running Mountain Lion that are currently bound to an Active Directory. The AD password expiration time is 42 days.

My questions are:

1 – Does it remind us that our password is expiring, like Windows does? Or is there any notification related to this?

2 – Let's say Mac users want to change their password. How do we reset a Mac user's expired password?
Is there any equivalent of the CTRL+ALT+DELETE combination in Windows?
Because when I changed my password in System Preferences, that did NOT change my AD password. Am I wrong or correct?

Best Answer

(1) The only notification on the newer Mac OS releases is a prompt at the login screen once you successfully authenticate. As it starts to log in, it receives the notification from AD that your password is set to expire in X number of days. For instance, if AD is set to remind users of their password expiration 10 days before it expires then the prompt will be along the lines of "Your password is set to expire in 10 days. Click change password to change your password or continue to continue logging in."

If you click continue you will continue logging in and you can change your password later. If you click change password you will be prompted to enter a new AD password. This will update your mobile user account's password as well, however it will NOT update your keychain password or other passwords stored within your account. The Mac OS basically treats this like a password reset from outside of the system, just like it would if you reset the password from your recovery partition. Once you've logged in, you will need to update your login.keychain (and now with Mavericks, your local/iCloud.keychain) password to match the new password. While you're in keychain it would be smart to update any of your saved entries for the old password as well.

(2) I don't think this is correct, although this could be the case if you were not connected to your office network. Updating through System Preferences > Users & Groups > Change Password is actually my preferred method for our users to update their passwords. This process updates the AD password, the local/mobile account password as well as the keychain passwords. The only thing our users have to do afterwards is update their Outlook and phone system password entries in their login.keychain and on their iPads & iPhones. This process only works when you're connected to the network where your Active Directory resides. When my users are outside of our network (away from the office) they can change their passwords using the option in Microsoft Outlook Web Access. This is also the only place they'll receive the password expiring in X number of days warning when they're outside of the network. When they come back to the office they will need to log in while connected to the network in order to update the password, then update their keychain password.

So my recommended method for our users is this.

If you're in the office:

  • Click continue to login without changing your password
  • Put your iPad and/or iPhone into Airplane Mode (to prevent account lockout during the process)
  • Open System Preferences > Users & Groups, select your account and click Change Password
  • Open Keychain Access (Applications/Utilities) and find the entry for your Exchange account. Double click it to open and change the stored password. Repeat this for our phone system (it uses AD credentials) entry in keychain.
  • On your iPad and/or iPhone, go to Mail, Contacts & Calendars > Work Account > Account and enter your new password. Disable Airplane Mode once you're finished.

If you're away from the office and it can't wait:

  • Put your iPad and/or iPhone into Airplane Mode (to prevent account lockout during the process)
  • Log in to Outlook Web Access
  • Click on Options > Password, change your password
  • Open Keychain Access (Applications/Utilities) and find the entry for your Exchange account. Double click it to open and change the stored password. Repeat this for our phone system (it uses AD credentials) entry in keychain.
  • On your iPad and/or iPhone, go to Mail, Contacts & Calendars > Work Account > Account and enter your new password. Disable Airplane Mode once you're finished.
  • Log in to your user account when you're back in the office.
  • Update your keychain password once you've logged in by opening Keychain Access and clicking Edit > Change password for "login keychain"
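Since the only built-in warning is the one shown at the login screen, an admin may want a way to check the remaining days from a script (for a login item or management tool). The following is an added example, not code from the question or the answer above: it reads the AD attribute msDS-UserPasswordExpiryTimeComputed through dscl on a bound Mac and converts it from a Windows FILETIME to days remaining. The dscl node path "/Active Directory/$AD_DOMAIN/All Domains" and the AD_DOMAIN variable (the NetBIOS domain name) are assumptions; the date math is pure and runs anywhere.

```bash
#!/bin/bash
# Days until an AD-bound macOS account's password expires.
# AD stores msDS-UserPasswordExpiryTimeComputed as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC.

# Seconds between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01).
WIN_TO_UNIX_OFFSET=11644473600

# Convert a FILETIME tick count to Unix epoch seconds.
filetime_to_epoch() {
  echo $(( $1 / 10000000 - WIN_TO_UNIX_OFFSET ))
}

# Whole days from "now" (Unix seconds, $2) until the expiry (FILETIME, $1).
# Negative means the password has already expired. AD reports 0 or
# 0x7FFFFFFFFFFFFFFF when the password is set to never expire.
days_until_expiry() {
  local expiry_ft=$1 now=$2 expiry_epoch
  if [ "$expiry_ft" = 9223372036854775807 ] || [ "$expiry_ft" = 0 ]; then
    echo "never"
    return
  fi
  expiry_epoch=$(filetime_to_epoch "$expiry_ft")
  echo $(( (expiry_epoch - now) / 86400 ))
}

# Assumed: dscl exposes the domain under this node on a bound Mac.
# $1 = account short name, $2 = NetBIOS domain name.
lookup_expiry_filetime() {
  dscl "/Active Directory/$2/All Domains" -read "/Users/$1" \
    msDS-UserPasswordExpiryTimeComputed 2>/dev/null | tail -1 | awk '{print $NF}'
}

# Only query AD when dscl exists (macOS) and a domain was supplied.
if command -v dscl >/dev/null 2>&1 && [ -n "$AD_DOMAIN" ]; then
  ft=$(lookup_expiry_filetime "$USER" "$AD_DOMAIN")
  if [ -n "$ft" ]; then
    days=$(days_until_expiry "$ft" "$(date +%s)")
    echo "Password for $USER expires in $days day(s)"
  else
    echo "Could not read expiry for $USER (not bound or off the network?)"
  fi
fi
```

Run it as `AD_DOMAIN=CORP ./adpwexpiry.sh`; an empty result usually means the Mac is off the corporate network, which matches the answer's note that the warning only appears when connected.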