KB-4339: Password expiration and locked account behavior on Mac OS X

Centrify Identity Service, Mac Edition

12 April,16 at 11:11 AM

Applies To: Centrify DirectControl on Mac OS X

Problem:

What is the expected behavior when an AD user's password expires? Is there a way to allow them to still log in with an expired password
when users are off the network?

Cause:

Once the password for an AD user expires, the account is locked until the password is changed. The account will be locked regardless of
whether or not their machine is on the network. Therefore, the user will not be able to log back in until they connect to the network and
change their password.

This is expected behavior. Password credentials are cached, so once they expire or become locked, this account information is also cached.

Workaround:

There are two policy options that will allow login with expired accounts and also allow offline login of locked accounts. In order to use these 
policy options, the following versions of Centrify software must be installed:

- Centrify Suite 2014 or higher (on the Windows AD side)

- Centrify DirectControl 5.1.3-482 or higher (on the Mac)


1. Allow offline login when user account is locked:

This policy option allows or prohibits user login when the user account is locked out and the machine is in disconnected mode.

The policy "Allow offline login when user account is locked out" is located at Computer Configuration > Policies >
Centrify Settings > DirectControl Settings > Login Settings.


2. Prohibit authentication with expired password:

This policy option allows or prohibits authentication to unlock the screen saver if the user's password has expired. This will also prevent
the user from authenticating via any padlock dialogs.

The policy "Prohibit authentication with expired password" is located at User Configuration > Policies > Centrify Settings >
Mac OS X Settings > Security & Privacy.


For additional information, please refer to KB-3397: How to update an AD password for a remote user on Mac OS X

 
