I have users logging on to a Windows domain (authenticating with Active Directory) with OS X 10.5. They are logging in to their domain managed accounts, which require them to reset their password on a quarterly basis. Whenever their password changes, their keychain 'login' password does not reflect the change. The keychain 'login' password remains the same as it was before, so every time the system tries to access the keychain they have to input their old password.
The keychain preference "Set login keychain as default" is enabled, which is supposed to update the keychain login password whenever the account password is changed. I know this works fine with a local account, but is not working for domain accounts.
After a user's domain password has changed, they are regularly prompted for their keychain 'login' password whenever the system attempts to access their keychain. Each time one of these users' domain password changes, I have to have them go into Keychain Access and reset their 'login' password to the new domain password. Only then are they no longer prompted to regularly enter in their keychain 'login' pass.
It's not just when their passwords reset every quarter, either. Silly users tend to forget their passwords frequently, and we have to reset it for them. As the number of Macs on our network grows, this is becoming a bigger and bigger problem.
I've seen programs like Keychain Minder which prompt the user to update their keychain 'login' password when it's necessary, but this is still too confusing for our users, and it is likely to blow their minds. Besides, it seems to me that this shouldn't be necessary at all. Is there a better solution, so that the keychain 'login' pass automatically syncs, properly, the way that I think it ought to when the user updates their domain password?
Also, suppose we were to implement Open Directory in the "golden triangle". Would OD handle this issue? (Please don't tell me that it 'should', I need a definite yes or no.)
Thank you.