One of the situations we deal with a lot at my company is name changes due to marriages/domestic partnerships. Recently we had to perform a name change for one of our Mac users. This entails changing the following in Active Directory among other things:
- Common Name (e.g. John Doe
- Display Name (e.g John Doe)
- samAccountName (e.g. jdoe)
- userPrincipalName (e.g. jdoe@domain.net)
What we noticed is that our Active Directory bound macs won’t update the changed username of an account if it is set up as a mobile account in OSX. A mobile account allows offline logins of network accounts by caching login credentials and is turned off by default. From what I can tell this is due to the fact that once the mobile account caches the AD login information it doesn’t change it. This results in the user not being able to login in under either the old or new username on a Mac in which the user has logged into with a mobile account before the name change. Any new logins/mobile account creations work fine on any other AD bound Mac. After some research this is the best method we can across to force this change:
- Enable the root account if it is not already enabled
- In 10.5-10.7 open the “Directory Utility” either from System\Library\CoreServices or System Preferences -> Accounts -> Login Options -> Edit -> Open Directory Utility
- From the “edit” menu choose “Enable Root User”
- Enter in the a password for the root account
- Log out and login as root
- Once logged in turn on hidden files from the terminal
-
defaults write com.apple.finder AppleShowAllFiles true/false
-
killall Finder
- Browse to /var/db/dslocal/nodes/Default/users
- Look for the plist file associated with the old user account
- Make a copy on the desktop just to be safe
- Rename the file to match the new user name
- Do a find/replace to change the user name
- Save the plist file
- Go to the Users folder and update the name of the home folder
- From the terminal run the following command to verify that the new plist file is recognized
-
Dscl . list users
- If not then double-check the plist file name
- Log out and then login under the new account name and verify everything works.
- You may also need to reset the Keychain as well.
- Go back to the “Directory Utility” and disable the root account
This is good information. What I’m seeking, however, is a way to force the Mac to reset its keychain when(ever) a user has changed their AD password. Currently if a user changes their password in AD they are still required to sign into their Mac using the old password. I can fix that case-by-case, but I’d like a more general solution so I don’t have to fix this each time a user changes a password. Thoughts?
Technically you shouldn’t run into the issue if you are using 10.6+ and the macs are AD bound. If that’s the case have the users change their password via the OSX login screen once the password is expired. This will trigger at the login screen the next time they attempt to login. They will get an alert stating the password is expired and will be prompted to change it. Once changed, the new password is supposed to register in the Key Chain. Personally it seems to be hit or miss in my environment, and when it doesn’t work we usually delete the entire Key chain. You might be able to script a better method using Puppet, but I don’t have any experience using it (it;s only my rainy day learning list)