Updating Active Directory passwords for Mac users can be a nightmare for both end users and IT. Centrify provides several ways to help prevent the dreaded Keychain prompts from appearing.
Password expiration reminder
When a Mac user's Active Directory password is about to expire, the Centrify Agent notifies the user every time they log in or unlock the screensaver, every day until the user updates their password. By default, notifications start 14 days before the password expires. When the user clicks the "Yes" button to update their password, they are directed to System Preferences > Users & Groups, which will update their AD password and Keychain simultaneously.
Password reset integration
When the user's Active Directory password has expired or they need to change their password at the next logon, Centrify integrates with the password reset prompt to update both their AD password and Keychain simultaneously.
Auto-create new login Keychain
When the user forgets their Active Directory password, or the user's password was not changed through the Mac, the user will see the message “the system was unable to unlock your login keychain” after logging into their Mac. Centrify provides an optional group policy setting that automatically creates a new login Keychain, so the user does not face the never-ending Keychain prompts asking for their old password to update the login Keychain. This policy is disabled by default.
To enable this policy:
Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy Settings > Auto Generate New Login Keychain
The policy applies at the next group policy update interval. To apply it sooner, run adgpupdate in Terminal on the Mac.