Unable to change the AD User Account's password using Macbook after expiring the password.

Question

Hi,

I have faced one issue related to password change. Please give me some advice and some time to read my explain. I will explain my environment.

We have a Hybrid AD Environment. DC is on-premises. DR is on the private cloud. On-premises users are synced to Azure. Among those users, there are users who use Mac books. In the AD environment, there is also a Radius Server used for Office Wifi authentication. One day, Macbook User's password expired. This user tries to update the password using the wifi prompt but the password changing attempt is not successful when updating the password using the wifi prompt.

Thanks,

Lucas

Answer 1

Hello @Lucas_Daneil_Lewis !

The issue you are facing is that the User is probably synced with the Windows AD , so the first thing to do is to update he Windows password with a new one , from the Local Domain

The Radius is afterwards synced and then the WIFI Database in return!

So advice the user to change - updateh their Domain password , wait for replication to happen and then he/she will be able to use the WIFI as well

If Password Writeback is enabled for Hybrid , you can do it from the Cloud , at portal.office.com

The Password Writeback feature allows the Sync of passwords from the Cloud to the Windows AD making it easier for users to maintain the Password change and /or password lock even password change if they have forgotten it!

https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Remember it has to be activated to use it

Once Windows AD is updated , Radius will also get the updated password

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 2

Hello @Lucas_Daneil_Lewis !

My suggestion is to connect over a LAN cable to the Domain and try again

Do not use the WIFI as the Radius is the last one to be updated ( in a common setup)

There is a chance the User got the account disabled if many attempts were made with wrong password . If you can check, from the Domain Controller, go to Windows AD Domains and Users , right click the user and check the if the account is disabled . Add a temp password and click the box User must change password at next login . Let the user know the temp password and then he/she will be notified - forced to change it.

Last but not least , verify TIme is correct and synced on the MAC . If it is not , sync it .

Open the system preferences.
Click on the "date and time" icon

Click on the first tab on the left (labeled date and time).

You will see a checkbox that reads "set date and time automatically".
Enter the IP address of your Server (or computer name, if you know that DNS is set right)

Tell us how it went ! We are glad to help you fix this !

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 3

Hello @Thura Htun , @Lucas_Daneil_Lewis !

Ok i got it !

I suspect Grouo Policy

Do you have password expiration Policies in place ?

Can you exclude from any GPO the specific MAC users ?

It is for testing if it is not a problem

Exlcude this user , restart MAC and re try a many times as you think it is probable to show the problem

If the test passes , and retry again in 1-2 hours and passes again , we have to examine GPOs

I am not sure how MACs are treated now , it was not GPO compatible

What Servers are your DC ? Server 2016 ? 2012 R2 ? 2019 ?

Please do the tests , and let me research a bit more , just exclude the MAC user from any Group Policy

https://www.faqforge.com/windows-server-2016/exclude-user-computer-group-policy-object/

Restart , and redo tests , see if the issue dissapears

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards