When a Mac user tries to change his password, he may run into an issue where it fails even though it does meet the complexity requirements. What troubleshooting steps can an administrator take?
1. To take the complexity requirements out of the equation, the administrator can start troubleshooting by generating a new password and having the end user try it. As a reminder, if the policy "Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Password must meet complexity requirements" is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
- Complexity requirements are enforced when passwords are changed or created.
2. One of the policies to look for that can prevent users from changing their password is: "Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password age". If it is enabled and, for example, set to 1, the user will have to wait 24 hours after a password change before the password can be changed again. This requirement is easy to miss and is most likely the issue if the password generated in step #1 was not accepted. To verify when the password was last changed, there are 3 ways:
a. On the Mac:
The administrator can have the end user run: $ adquery user -A username
And look for "nextPasswordChange" and "lastPasswordChange" in the output, for example:
nextPasswordChange:Wed May 25 08:47:02 2016
lastPasswordChange:Tue May 24 08:47:02 2016
unixGroups:denied rodc password replication group,domain admins,domain users,enterprise admins,mac admins,domain,schema admins
memberOf:domain.com/Users/Denied RODC Password Replication Group,domain.com/Users/Domain Admins,domain.com/Users/Domain Users,domain.com/Users/Enterprise Admins,domain.com/Users/Mac admins,domain.com/Users/domain,domain.com/Users/Schema Admins
b. On a Domain Controller:
The administrator can run the following command: >net user username
Then look for "Password last set" and "Password changeable" in the output, for example:
User name username
Full Name username
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/24/2016 8:47:02 AM
Password expires Never
Password changeable 5/25/2016 8:47:02 AM
Password required Yes
User may change password Yes
Workstations allowed All
Last logon 5/24/2016 8:47:02 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Users *Domain Admins
*Domain *Mac admins
*Enterprise Admins *Schema Admins
The command completed successfully.
c. In the debug logs collected by Centrify Support via the MacDiagnosticTool, open the "ALL_USER_Info.txt" file and look for the username, for example:
username:nextPasswordChange:Wed May 25 8:47:02 2016
username:lastPasswordChange:Tue May 24 8:47:02 2016
3. If there is no "Minimum password age" policy set up, the next step is to have the user try to change the password on a Windows machine. If it fails there, this is most likely something related to that AD user account (account being locked out, account or password being expired, ...).
4. If the user is still having issues when attempting to change the password the next day (or after the administrator has set the "Minimum password age" policy to 0), please contact Support. A network trace (tcpdump) and debug logs will most likely be needed.
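The check in step 2 comes down to comparing the current time against the "nextPasswordChange" (Mac) or "Password changeable" (Domain Controller) timestamp. The following Python script is an added example, not part of this guide or a Centrify tool: it parses the two output formats shown above (the sample text is constructed to mirror the fields in this article) and reports whether a change attempt is still inside the minimum password age window and how long the user has to wait. It assumes both commands print the host's local time in the formats shown here; if the Mac and the Domain Controller are in different time zones, convert before comparing.

```python
"""Parse `adquery user -A username` (Centrify, on the Mac) and `net user
username` (on a Domain Controller) output and check the minimum password
age window. Added example; the sample output below is constructed to
mirror the fields quoted in the article."""
from datetime import datetime, timedelta

# Constructed sample of the relevant lines from `adquery user -A username`
ADQUERY_SAMPLE = """\
nextPasswordChange:Wed May 25 08:47:02 2016
lastPasswordChange:Tue May 24 08:47:02 2016
unixGroups:domain users,mac admins
"""

# Constructed sample of the relevant lines from `net user username`
NET_USER_SAMPLE = """\
User name                    username
Password last set            5/24/2016 8:47:02 AM
Password expires             Never
Password changeable          5/25/2016 8:47:02 AM
"""

# adquery prints ctime-style stamps, e.g. 'Tue May 24 08:47:02 2016'
ADQUERY_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"
# net user prints US-style stamps, e.g. '5/24/2016 8:47:02 AM'
NET_USER_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_adquery(text):
    """Return (lastPasswordChange, nextPasswordChange) from adquery output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("lastPasswordChange", "nextPasswordChange"):
            fields[key] = datetime.strptime(value.strip(), ADQUERY_TIME_FORMAT)
    return fields["lastPasswordChange"], fields["nextPasswordChange"]


def parse_net_user(text):
    """Return (Password last set, Password changeable) from net user output."""
    fields = {}
    for line in text.splitlines():
        for label in ("Password last set", "Password changeable"):
            if line.startswith(label):
                value = line[len(label):].strip()
                fields[label] = datetime.strptime(value, NET_USER_TIME_FORMAT)
    return fields["Password last set"], fields["Password changeable"]


def password_change_status(last_change, next_change, now):
    """Classify a change attempt made at `now`: blocked by the minimum
    password age (and for how much longer), or allowed."""
    min_age = next_change - last_change  # effective "Minimum password age"
    if now < next_change:
        return {"blocked": True,
                "min_age_days": min_age.days,
                "wait_seconds": int((next_change - now).total_seconds())}
    return {"blocked": False, "min_age_days": min_age.days, "wait_seconds": 0}


if __name__ == "__main__":
    last, nxt = parse_adquery(ADQUERY_SAMPLE)
    assert (last, nxt) == parse_net_user(NET_USER_SAMPLE)  # both sources agree
    status = password_change_status(last, nxt, datetime.now())
    if status["blocked"]:
        print("Minimum password age of %d day(s) in effect; user must wait %s"
              % (status["min_age_days"], timedelta(seconds=status["wait_seconds"])))
    else:
        print("Minimum password age window has elapsed; look elsewhere (step 3)")
```

Feed the script the real output saved from the Mac and from the Domain Controller; if the two sources disagree on "lastPasswordChange", that in itself points at replication or time-synchronisation problems rather than at the password policy.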
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at support.centrify.com.