Mac IT Guy: password prompts

I’m a volunteer systems administrator for my church. We have a mix of PCs and Macs (desktops and laptops). My question is about Active Directory and user passwords: Is there an easy way to prompt the Mac users to reset their Active Directory passwords before those passwords expire? Our AD policies require password changes. But because the Mac users are not prompted, their passwords often expire and need to be manually reset. Does Outlook 2011 support such notifications? Are there other alternatives?

You can do it, but only if a few conditions are met:

First, the Macs do have to be bound to Active Directory. In Mac OS X 10.5, this worked only for Active Directory; it wasn’t until 10.6 that it also worked with Apple’s Open Directory. Because Macs don’t have all the Active Directory functionality of Windows clients, I like to keep them in their own organizational units (OUs) or containers (CNs). That allows me to more easily manage them within Active Directory.

Second, your users must be logging in with Active Directory accounts. If you think about it, this makes sense; otherwise, how would Active Directory know that their passwords are hitting the expiration period? I know it tripped me up a few times when I was first trying to get Mac OS X and Active Directory to play well together.

Finally, make sure that the Group Policies that manage password expiration are actually being applied to the Macs and/or the Mac users. Again, you might assume this is true even if it isn’t.

Even if you set up all of the above, there are still some caveats: For one thing, Mac OS X can only notify users of impending password expirations at the login window. I think it’s silly that OS X can’t do what Windows does and pop up a warning notice that says, “Hey, your password just expired.” This is something I’ve been on Apple about for a few years now, and I’ve filed a bug or two with them about it.

Another potential problem is that the only OS-provided user interface for changing an Active Directory password is in the login window or in Kerberos.app (in Mac OS X 10.5) or Ticket Viewer (in Mac OS X 10.6); both are found in /System/Library/CoreServices. The advantage to using the login window is that changing the password there also changes the login password in the user’s Keychain.

[John Welch is IT Director for The Zimmerman Agency, and a long-time Mac IT pundit. Have a question about Macs and IT? E-mail us at macitguy [at] macworld dot com.]
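Because Mac OS X only warns about expiration at the login window, an administrator can also work out from the directory who is due and remind those users directly. The sketch below is an added example, not part of the column: it assumes you have already exported each account's `pwdLastSet` and `userAccountControl` values and the domain's `maxPwdAge` from Active Directory, and it ignores fine-grained password policies. The account names and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x200           # userAccountControl flag
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
NEVER = -(2 ** 63)               # maxPwdAge value meaning "no maximum age"


def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601 (only used to build sample data)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def time_left(pwd_last_set, max_pwd_age, uac, now):
    """Time until the password expires; None if it never expires."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, NEVER):
        return None
    if pwd_last_set == 0:        # "user must change password at next logon"
        return timedelta(0)
    changed = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    # maxPwdAge is stored as a negative count of 100 ns ticks.
    return changed + timedelta(microseconds=-max_pwd_age // 10) - now


def users_to_warn(users, max_pwd_age, now, warn_days=14):
    """(name, whole days left) for accounts that are expired or expiring soon."""
    due = []
    for name, pwd_last_set, uac in users:
        left = time_left(pwd_last_set, max_pwd_age, uac, now)
        if left is not None and left <= timedelta(days=warn_days):
            due.append((name, left.days))
    return sorted(due, key=lambda item: item[1])


def _changed_on(y, m, d):
    return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))

# Constructed sample data: a 90-day policy and five made-up accounts.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 86400 * 10**7
SAMPLE = [
    ("alice", _changed_on(2023, 12, 10), NORMAL_ACCOUNT),
    ("bob", _changed_on(2024, 2, 20), NORMAL_ACCOUNT),
    ("carol", _changed_on(2023, 11, 1), NORMAL_ACCOUNT),
    ("dave", 0, NORMAL_ACCOUNT),
    ("svc-scan", _changed_on(2020, 1, 1), NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
]

if __name__ == "__main__":
    for name, days in users_to_warn(SAMPLE, MAX_PWD_AGE, NOW):
        print(name, "expired" if days <= 0 else f"{days} days left")
```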
