Unable to change the AD user account's password using a MacBook after the password expired.

Lucas_Daneil_Lewis 1 Reputation point
2023-05-27T14:46:38.7166667+00:00

Hi,

I have faced one issue related to password change. Please give me some advice and take some time to read my explanation. I will explain my environment.

We have a hybrid AD environment. The DC is on-premises. DR is on the private cloud. On-premises users are synced to Azure. Among those users, there are some who use MacBooks. In the AD environment, there is also a RADIUS server used for office Wi-Fi authentication. One day, a MacBook user's password expired. This user tried to update the password using the Wi-Fi prompt, but the password change attempt was not successful when updating the password using the Wi-Fi prompt.

Thanks,

Lucas


3 answers

  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-27T15:09:04.5633333+00:00

    Hello @Lucas_Daneil_Lewis !

    The issue you are facing is that the user is probably synced with the Windows AD, so the first thing to do is to update the Windows password with a new one, from the local domain.

    The RADIUS is afterwards synced, and then the Wi-Fi database in return!

    So advise the user to change/update their domain password, wait for replication to happen, and then he/she will be able to use the Wi-Fi as well.

    If Password Writeback is enabled for Hybrid, you can do it from the cloud, at portal.office.com.

    The Password Writeback feature allows the sync of passwords from the cloud to the Windows AD, making it easier for users to maintain the password change and/or password unlock, even a password change if they have forgotten it!

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

    Remember, it has to be activated to use it.

    Once Windows AD is updated, RADIUS will also get the updated password.

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

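The "wait for replication" step above is easy to verify rather than guess at. The following is an added example, not code from the answer or from Microsoft: it reads the raw `pwdLastSet` timestamp of the account from every domain controller, so you can see whether the new password has converged before the user retries Wi-Fi (the NPS/RADIUS server validates against whichever DC it happens to talk to). It assumes the RSAT `ActiveDirectory` module in a domain-joined admin session; `jdoe` is a placeholder account name.

```powershell
# Added example (not from the original thread): confirm a password change has
# replicated to every writable DC before the user retries RADIUS/Wi-Fi.
# Assumes: RSAT ActiveDirectory module, domain-joined admin session.
# 'jdoe' is a hypothetical sAMAccountName.
Import-Module ActiveDirectory

$user = 'jdoe'
$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # Query each DC directly (-Server) instead of whichever DC the session picked.
        $u = Get-ADUser -Identity $user -Server $dc -Properties pwdLastSet
        [pscustomobject]@{
            DC         = $dc
            PwdLastSet = [datetime]::FromFileTimeUtc([int64]$u.pwdLastSet)
            Error      = $null
        }
    } catch {
        [pscustomobject]@{ DC = $dc; PwdLastSet = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# One distinct timestamp across all DCs means the change has converged.
$distinct = ($results | Where-Object PwdLastSet | Select-Object -ExpandProperty PwdLastSet -Unique).Count
if ($distinct -gt 1) {
    Write-Warning "pwdLastSet differs between DCs; replication has not converged yet."
    # Optionally force it from a DC (repadmin ships with the AD DS role / RSAT):
    #   repadmin /syncall /AdeP
}
```

If one DC still shows the old timestamp, the RADIUS server bound to that DC will keep rejecting the new password until replication completes, which looks to the user exactly like "the password change did not work".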

  2. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-27T18:27:08.85+00:00

    Hello @Lucas_Daneil_Lewis !

    My suggestion is to connect over a LAN cable to the Domain and try again

    Do not use the Wi-Fi, as the RADIUS is the last one to be updated (in a common setup).

    There is a chance the user got the account disabled if many attempts were made with a wrong password. If you can, check from the Domain Controller: go to Active Directory Users and Computers, right-click the user and check if the account is disabled. Add a temp password and tick the box "User must change password at next logon". Let the user know the temp password, and then he/she will be notified/forced to change it.

    Last but not least, verify the time is correct and synced on the Mac. If it is not, sync it.

    Open System Preferences.
    Click on the "Date & Time" icon.

    Click on the first tab on the left (labeled "Date & Time").

    You will see a checkbox that reads "Set date and time automatically".
    Enter the IP address of your server (or computer name, if you know that DNS is set right).

    Tell us how it went ! We are glad to help you fix this !

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
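The checks in the answer above (account state, temporary password, forced change at next logon, clock) can be done from a PowerShell session on a DC instead of clicking through the console. This is an added example, not code from the answer or from Microsoft. It assumes the RSAT `ActiveDirectory` module; `jdoe` is a placeholder. One detail worth having in the output: repeated wrong passwords produce a *lockout* (`LockedOut`), which clears itself after the lockout duration, whereas `Enabled = False` means an administrator disabled the account; the script reports and handles both.

```powershell
# Added example (not from the original answer): inspect the account state a
# failed Wi-Fi/RADIUS logon can hide, unlock or enable it, and issue a temporary
# password that must be changed at next logon.
# Assumes: RSAT ActiveDirectory module, rights to reset passwords. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$user = 'jdoe'
$u = Get-ADUser -Identity $user -Properties Enabled, LockedOut, PasswordExpired,
        PasswordLastSet, BadLogonCount, LastBadPasswordAttempt, PasswordNeverExpires

$u | Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
        PasswordLastSet, BadLogonCount, LastBadPasswordAttempt | Format-List

# Lockout (too many bad passwords) and disabled (admin action) are different states.
if (-not $u.Enabled) { Enable-ADAccount -Identity $user; Write-Host "Enabled $user" }
if ($u.LockedOut)    { Unlock-ADAccount -Identity $user; Write-Host "Unlocked $user" }

# Temporary password generated here rather than typed, so it is not sitting in
# shell history; 20 distinct printable ASCII characters satisfies normal complexity rules.
$tempPlain = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
$temp = ConvertTo-SecureString $tempPlain -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp

# "User must change password at next logon". The flag cannot be combined with
# PasswordNeverExpires, so clear that first if it happens to be set.
if ($u.PasswordNeverExpires) { Set-ADUser -Identity $user -PasswordNeverExpires $false }
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

Write-Host "Temporary password for $user (hand over out of band, not by e-mail): $tempPlain"

# Clock check: Kerberos rejects authentication when the client clock is more than
# 5 minutes (default) off the DC. On the Mac, after setting the NTP server as in the
# answer above, a one-off sync from Terminal is:  sudo sntp -sS <dc-hostname>
# Compare with the DC's own time:
Get-Date -Format 'u'
```

Have the user change the temporary password on a wired connection (domain logon or the Users & Groups pane on a bound Mac), then reconnect to Wi-Fi; the 802.1X prompt only authenticates, it is not the place to complete a forced password change.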


  3. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-29T13:44:42.3366667+00:00

    Hello @Thura Htun , @Lucas_Daneil_Lewis !

    Ok, I got it!

    I suspect Group Policy.

    Do you have password expiration Policies in place ?

    Can you exclude the specific Mac users from any GPO?

    It is for testing, if it is not a problem.

    Exclude this user, restart the Mac and retry as many times as you think is probable to show the problem.

    If the test passes, retry again in 1-2 hours, and if it passes again, we have to examine GPOs.

    I am not sure how Macs are treated now; it was not GPO compatible.

    What servers are your DCs? Server 2016? 2012 R2? 2019?

    Please do the tests, and let me research a bit more; just exclude the Mac user from any Group Policy.

    https://www.faqforge.com/windows-server-2016/exclude-user-computer-group-policy-object/

    Restart and redo the tests; see if the issue disappears.

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

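Before excluding the user from GPOs as the answer above suggests, it helps to know which password policy actually reaches the account. macOS has no Group Policy client, so the only expiration rule a bound Mac ever sees is the domain's: either the Default Domain Policy or a fine-grained password policy (PSO) that applies to the user or one of their groups. The following is an added example, not code from the answer or from Microsoft; it assumes the RSAT `ActiveDirectory` module and uses `jdoe` as a placeholder account. It reports the effective policy, the expiry date the DC itself computes, and shows how to exempt just that one account for the kind of test the answer proposes.

```powershell
# Added example (not from the original answer): find the password policy that
# actually applies to the Mac user and when the DC thinks the password expires.
# Assumes: RSAT ActiveDirectory module. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$user = 'jdoe'

# A fine-grained password policy (PSO) overrides the Default Domain Policy when one applies.
$pso    = Get-ADUserResultantPasswordPolicy -Identity $user
$policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
$source = if ($pso) { "PSO '$($pso.Name)'" } else { 'Default Domain Policy' }

'{0}: MaxPasswordAge={1}  LockoutThreshold={2}  LockoutDuration={3}  ComplexityEnabled={4}' -f `
    $source, $policy.MaxPasswordAge, $policy.LockoutThreshold, $policy.LockoutDuration, $policy.ComplexityEnabled

# msDS-UserPasswordExpiryTimeComputed is the DC's own calculation (FILETIME).
# Int64.MaxValue means "never expires"; 0 means the password is already expired or
# a change at next logon is pending.
$u   = Get-ADUser -Identity $user -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, PasswordNeverExpires
$raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'

switch ($raw) {
    ([int64]::MaxValue) { "$user : password never expires" }
    0                   { "$user : password expired / change required now" }
    default             { "$user : last set $($u.PasswordLastSet), expires $([datetime]::FromFileTime($raw))" }
}

# Temporary test exemption for this one account only (revert afterwards), which is
# the GPO-free equivalent of "exclude the Mac user from the policy":
#   Set-ADUser -Identity $user -PasswordNeverExpires $true
#   ... run the Wi-Fi tests ...
#   Set-ADUser -Identity $user -PasswordNeverExpires $false
```

If the Mac user's password expires on the date this prints and the failure only happens after that date, the problem is the expiry flow itself (the Wi-Fi prompt cannot complete an expired-password change), not a GPO applied to the Mac, which cannot receive one.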