I have several Macs bound to a Windows domain with AD. The users log in to the Macs with their Windows credentials and so far it has worked fine. Last week we changed the password policy so that the password lifetime is now reduced. Since then two users (out of 100-something) have had problems logging in to the Macs. One user keeps getting keychain messages about Keychain not being able to access this and that (I have updated the keychain login). The other user can't log in at all. She keeps getting refused as if she had typed a bad password or username. She uses the same credentials on the PCs as she is using on the Macs, but the Macs just won't let her in. Does anyone have any ideas to solve this problem?
MacOS – User can't login to AD bound Mac
Tags: keychain, login, mac, macos
Best Answer
My 5c from my AD experience long ago...
Let me guess: the user which can't get in at all has changed her password on Windows due to the new password policy. And she tries to login to the Mac with her new password and that doesn't work.
To me, this sounds like a problem with an authentication cache or an AD replication problem. To verify this, could you ask her to try the login on the Mac with her old password? If that works, her changed PW has not been synched to the AD the Mac is bound to.
How is the Mac configured? Did you attach it to a specific AD? Could you check this AD server in the event log for replication or quorum errors or for login errors of this particular user? Any hints from the Mac logfiles pointing to an authentication error?
The next idea would be to check her password, in case she uses special chars which are on a Mac's forbidden character list (colon etc.). But this is just a wild guess. You could try this by manually setting her PW as administrator on the AD server to some trivial stuff and letting her try the login again.
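Two of the checks suggested in this answer (testing the credentials directly against AD rather than through the login window, and looking for authentication errors in the Mac's directory-service logs) can be scripted on the bound Mac. The helper below is an added example, not code from the thread; it assumes the Mac is bound to a forest whose node is named "EXAMPLE" (a placeholder to replace with your own domain) and that the failure strings it greps for (`eDSAuthFailed`, `eDSAuthPasswordExpired`, "Authentication failed") are what `opendirectoryd` emits, which is an assumption you should confirm against your own `log show` output. The sample log text embedded at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the original thread).
# Assumption: the Mac is bound via Directory Utility / dsconfigad and the AD node
# is "/Active Directory/EXAMPLE/All Domains" ("EXAMPLE" is a placeholder).
AD_NODE="/Active Directory/EXAMPLE/All Domains"

# Authenticate a user straight against the AD node with dscl -authonly.
# This bypasses the login window and any cached mobile-account password, so a
# success here with the NEW password while the login window still refuses it
# points at a stale local cache; a failure here points at AD itself (replication,
# policy, or a password the directory will not accept).
# dscl prompts for the password interactively and never opens a session.
# Returns dscl's exit status; returns 2 when not run on a Mac.
ad_authonly() {
    user="$1"
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: run this on the bound Mac" >&2
        return 2
    fi
    dscl "$AD_NODE" -authonly "$user"
}

# Filter directory-service log text (read from stdin) down to authentication
# failures that mention one user. Feed it the output of, for example:
#   log show --last 1h --predicate 'process == "opendirectoryd"'
# Assumption: the patterns below match what opendirectoryd logs on your version.
# Prints the matching lines; exit status 0 if any were found, 1 if none.
od_auth_failures() {
    user="$1"
    grep -i -- "$user" \
      | grep -iE 'authentication failed|eDSAuthFailed|eDSAuthPasswordExpired|eDSAuthAccountExpired'
}

# Constructed sample log lines (not real output) so the filter can be exercised
# without a Mac or an AD bind.
SAMPLE_LOG='2024-05-01 09:12:03 opendirectoryd: (ActiveDirectory) Authentication failed for user "jsmith" (eDSAuthFailed)
2024-05-01 09:12:05 opendirectoryd: (ActiveDirectory) user "jdoe" authenticated (eDSNoErr)
2024-05-01 09:13:44 opendirectoryd: (ActiveDirectory) password for "jsmith" rejected (eDSAuthPasswordExpired)'

# Stand-alone demo: show jsmith's failures from the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | od_auth_failures jsmith; then
    echo "auth failures found for jsmith in sample log"
fi
```

On the affected Mac, run `ad_authonly <username>` once with the old password and once with the new one; the pair of results tells you whether the Mac's cache or the directory is the side that is out of date, which is the distinction the answer asks you to make before digging into the domain controller's event log.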