Escaping the Mac Keychain nightmare

By Centrify Advisor II 3 weeks ago

Updating Active Directory passwords for Mac users can be a nightmare both to end users and IT. Centrify provides several ways to help prevent the dreaded Keychain prompts from appearing.

Password expiration reminder

When a Mac user's Active Directory password is about to expire, the Centrify Agent will notify the user every time the user logs in or unlocks the screensaver, every day until the user updates their password. By default the user will start being notified 14 days before their password expiration. When the user clicks on the "Yes" button to update their password, the user is directed to System Preferences > Users & Groups, which will update their AD password and Keychain simultaneously.

Password reset integration

When the user's Active Directory password has expired or they need to change their password at the next logon, Centrify integrates with the password reset prompt to update both their AD password and Keychain simultaneously.

Auto-create new login Keychain

In the scenario where the user forgets their Active Directory password, or the user's password was not changed through the Mac, the user will see the message "the system was unable to unlock your login keychain" after logging into their Mac. Centrify provides an optional group policy setting that will automatically create a new login Keychain, preventing the user from experiencing the never-ending Keychain prompts to enter their old password to update the login Keychain. This policy is disabled by default.


To enable this policy:

Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy Settings > Auto Generate New Login Keychain

The policy will apply at the next group policy update interval; otherwise run adgpupdate in Terminal on the Mac.




By PradeepG
3 weeks ago

Thanks for the information. But what do you mean by login to Mac without Centrify and with Centrify?


By Centrify Advisor II
2 weeks ago

> But what do you mean by login to Mac without Centrify and with Centrify?


Hi PradeepG,


"Without Centrify" generally means if you bound your Mac to AD without using the Centrify agent, but the behavior in the video can also apply if you did not enable the GPO setting to "Auto Generate New Login Keychain".


The Mac OS can natively bind to Active Directory, but Centrify provides more functionality, such as notifying Mac users when their AD passwords are about to expire and pushing down hundreds of GPO settings, such as automatically creating a new Login Keychain as demonstrated in the video.

By EnriqueG

I do not see Auto Generate New Logon Key Chain in the Group Policy editor. Do I have to load a new template? I currently have Centrify Server Suite 5.3.3

By Centrify Advisor II
Monday - last edited Monday

Hi EnriqueG,


Yes, you will need:

1. 5.4 Agent or higher

2. Centrify Server Suite 2017 Mac Console or higher.

   a) Reload the GPO templates.


By EnriqueG

Thank you!
