Applies To: Centrify DirectControl on Mac OS X
What is the expected behavior when an AD user's password expires? Is there a way to allow them to still log in with an expired password
when users are off the network?
Once the password for an AD user expires, the account is locked until the password is changed. The account is locked regardless of
whether or not the Mac is on the network, so the user will not be able to log back in until the Mac can reach the domain and the
password is changed.
This is expected behavior. DirectControl caches the user's credentials together with the account state, so an expired password or a
locked-out account is cached as well and is enforced even while the Mac is disconnected.
Two policy options allow login with an expired password and allow offline login of locked-out accounts. To use these policy options,
the following versions of Centrify software must be installed:
- Centrify Suite 2014 or higher (on the Windows AD side)
- Centrify DirectControl 5.1.3-482 or higher (on the Mac)
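A preflight check that an administrator can run on the Mac before enabling these policies. It is an added example, not a script from the KB or from Centrify; it assumes that `adinfo -v` prints a line of the form "adinfo (CentrifyDC 5.1.3-482)" and that plain `adinfo` prints a "CentrifyDC mode: connected|disconnected" line (both assumed formats). It compares the installed version against the 5.1.3-482 minimum and reports whether the Mac is currently in disconnected mode, the state in which the policies matter. When `adinfo` is not on the path it falls back to constructed sample output so it runs offline.

```shell
#!/bin/sh
# Added example (not Centrify's code): preflight check for the two Centrify
# login policies. The output formats of `adinfo -v` and `adinfo` below are
# assumptions, not taken from the KB article.

MIN_VERSION="5.1.3-482"   # minimum DirectControl version named in the KB

# version_ge A B: return 0 if version A >= version B.
# Versions look like MAJOR.MINOR.PATCH-BUILD; missing fields count as 0.
version_ge() {
    va=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    vb=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $va                      # intentional word splitting into fields
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $vb
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0                        # all fields equal
}

# parse_adinfo_version LINE: extract "5.1.3-482" from a line like
# "adinfo (CentrifyDC 5.1.3-482)" (assumed format). Prints nothing if the
# line does not match, which makes policies_supported fail closed.
parse_adinfo_version() {
    printf '%s\n' "$1" | sed -n 's/.*CentrifyDC \([0-9][0-9.]*-[0-9]*\).*/\1/p'
}

# adinfo_mode OUTPUT: extract "connected" or "disconnected" from the
# "CentrifyDC mode: ..." line of `adinfo` output (assumed format).
adinfo_mode() {
    printf '%s\n' "$1" | sed -n 's/^CentrifyDC mode:[[:space:]]*\([a-z]*\).*/\1/p'
}

# policies_supported VERSION_LINE: 0 if the installed DirectControl meets
# MIN_VERSION, 1 otherwise (including an unparseable version line).
policies_supported() {
    v=$(parse_adinfo_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_VERSION"
}

# Constructed sample output (not captured from a real host) so the check can
# run on a machine without DirectControl installed.
SAMPLE_VERSION="adinfo (CentrifyDC 5.1.3-482)"
SAMPLE_ADINFO="Local host name:   mac01
Joined to domain:  example.com
CentrifyDC mode:   disconnected"

# report VERSION_LINE ADINFO_OUTPUT: human-readable summary.
report() {
    if policies_supported "$1"; then
        printf 'DirectControl %s: offline/expired-password policies supported\n' \
            "$(parse_adinfo_version "$1")"
    else
        printf 'DirectControl too old or unrecognised (need %s or later): %s\n' \
            "$MIN_VERSION" "$1"
    fi
    mode=$(adinfo_mode "$2")
    if [ "$mode" = "disconnected" ]; then
        echo "Mac is in disconnected mode: only cached credentials can be used"
    else
        echo "Mac mode: ${mode:-unknown}"
    fi
}

if command -v adinfo >/dev/null 2>&1; then
    report "$(adinfo -v 2>/dev/null)" "$(adinfo 2>/dev/null)"
else
    report "$SAMPLE_VERSION" "$SAMPLE_ADINFO"
fi
```

If the real `adinfo -v` output differs from the assumed format, `parse_adinfo_version` returns nothing and the check reports the version as unsupported rather than silently passing; adjust the sed pattern to match what your build prints.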
1. Allow offline login when user account is locked out:
This policy allows or prohibits login when the user account is locked out and the Mac is in disconnected mode. Note that enabling it
means a lockout set in AD is not enforced on that Mac until it reconnects; only the cached credential is checked while offline.
The policy "Allow offline login when user account is locked out" is located at Computer Configuration > Policies >
Centrify Settings > DirectControl Settings > Login Settings.
2. Prohibit authentication with expired password:
When the user's password has expired, this policy allows or prohibits authentication to unlock the screen saver. When set to prohibit,
it also prevents the user from authenticating via any padlock dialog.
The policy "Prohibit authentication with expired password" is located at User Configuration > Policies > Centrify Settings >
Mac OS X Settings > Security & Privacy.
For additional information, please refer to KB-3397: How to update an AD password for a remote user on Mac OS X