My current work environment consists of mostly Macs authenticating against a MS Active Directory server (see my earlier post all about Joining Mac systems to Active Directory). One of the disadvantages of this setup – one that has prevented me from rolling out an agency-wide password expiration policy – is the fact that, when a user updates their AD-based password, Mac OS X, by default, doesn’t know how to automatically update the passwords that protect the user’s keychain.
As a result, the user logs on to the system with the new AD password and, during login, is immediately prompted for the old password so that the login keychain, which is still protected by the old password, can be opened.
In the process of revisiting this issue earlier today, I stumbled onto a post on the Apple Support Forums that, I think, is the solution.
- Open Keychain Access (located in Applications/Utilities)
- Go to the “Keychain Access” menu and select “Preferences”
- Click the “First Aid” tab
- Make sure the “Synchronize login keychain password” box is checked
- Close the Preferences window
- Go to the “Keychain Access” menu and select “Keychain First Aid”
- Enter your username and password
- Click the “Repair” button
This should get the login password and the login keychain password back in sync and, going forward, a change to the login password should automatically carry through to the keychain password (now that the “Synchronize login keychain password” box is active).
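The same repair can be done from the command line with the `security` tool, the CLI counterpart of Keychain Access, which is handy when you want to check first whether the keychain is actually out of sync before touching it, or script the fix for several users. The script below is an added example and is not from the original post or the Apple Support Forums thread; the function names (`login_keychain_path`, `keychain_unlocks_with`, `sync_login_keychain`) and the `in-sync`/`repaired`/`failed` status words are my own, and it assumes the login keychain lives at the standard path under the user’s home folder.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the macOS `security`
# command-line tool and is meant to be run as the affected user after an AD
# password change.

# Location of the user's login keychain. macOS 10.12 and later store it as
# login.keychain-db; earlier releases use login.keychain. The optional
# argument overrides $HOME for the lookup.
login_keychain_path() {
  home="${1:-$HOME}"
  if [ -f "$home/Library/Keychains/login.keychain-db" ]; then
    printf '%s\n' "$home/Library/Keychains/login.keychain-db"
  else
    printf '%s\n' "$home/Library/Keychains/login.keychain"
  fi
}

# Returns 0 when the keychain unlocks with the given password, non-zero
# otherwise. Caveat: `-p` puts the password in the argv of the security
# process for the duration of the call, where other local users can see it
# with ps; for a one-off interactive check, omit -p and let security prompt.
keychain_unlocks_with() {
  keychain="$1"
  password="$2"
  security unlock-keychain -p "$password" "$keychain" >/dev/null 2>&1
}

# Re-keys the keychain from the old (pre-change) password to the new one.
# This is the command-line equivalent of the Keychain First Aid repair.
resync_keychain_password() {
  keychain="$1"
  old_password="$2"
  new_password="$3"
  security set-keychain-password -o "$old_password" -p "$new_password" \
    "$keychain" >/dev/null 2>&1
}

# Checks whether the keychain still opens with the current login password
# and, only if it does not, re-keys it using the old password. Prints one of:
#   in-sync   keychain already opens with the current password
#   repaired  keychain re-keyed and verified to open with the current password
#   failed    re-keying failed (wrong old password, or keychain not found)
# Exit status is 0 for in-sync and repaired, 1 for failed.
sync_login_keychain() {
  keychain="$1"
  old_password="$2"
  new_password="$3"
  if keychain_unlocks_with "$keychain" "$new_password"; then
    echo in-sync
    return 0
  fi
  if resync_keychain_password "$keychain" "$old_password" "$new_password" \
     && keychain_unlocks_with "$keychain" "$new_password"; then
    echo repaired
    return 0
  fi
  echo failed
  return 1
}

# Interactive entry point: `sh keychain-resync.sh run`. Passwords are read
# with echo off so they end up neither in shell history nor in this script's
# own argv.
if [ "${1:-}" = "run" ]; then
  printf 'Old (pre-change) login password: '
  stty -echo; IFS= read -r old_pw; stty echo; echo
  printf 'Current login password: '
  stty -echo; IFS= read -r new_pw; stty echo; echo
  sync_login_keychain "$(login_keychain_path)" "$old_pw" "$new_pw"
fi
```

Run it as the user whose keychain is stuck (`sh keychain-resync.sh run`); it prints `in-sync` and changes nothing when the keychain already opens with the current password, and `repaired` after a successful re-key. `security set-keychain-password` performs the same re-keying the Keychain First Aid repair does, without the Keychain Access GUI, so it is the route to take for scripting or on macOS releases that no longer ship Keychain First Aid. Note that the `-p`/`-o` arguments are briefly visible in the process list while `security` runs; the script keeps the passwords out of its own argv by prompting for them, but cannot avoid that exposure inside `security` itself.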