
Unable to log into Macbook after resetting Active Directory password

Hello, we had a user recently reset their domain password via Active Directory, and ever since then, they've had a lot of login trouble but only with the initial macOS login screen on their domain-joined Macbook. At first, only their old password was accepted. After I removed the Macbook and rejoined it to the domain, their new password was accepted and all seemed fine. The next day though, neither of their passwords (new or old) are being accepted. This person works remotely today too which makes this extra challenging. Does anyone have any suggestions or know what I might be missing here?

Posted on Aug 22, 2024 5:52 AM

7 replies

Aug 22, 2024 6:17 AM in response to sventek_

Thanks for the speedy reply!


The user is offsite. I was able to get him logged in just now, but it seems we're still running into issues with Keychain and iCloud.


To get him logged in, I asked him to first click on his portrait icon at the login prompt, then choose the option to log in as another user. Luckily, we had a local account that was previously created on this Macbook and I remembered the username and password. After that, he confirmed the Macbook was connected to his home WiFi, logged out, and then successfully logged back into his profile with his new password. Not sure why that worked, but I assume it was the communication between his Macbook and our MDM and/or Active Directory. After he logged in, he received an error about a keychain password but didn't grab a screenshot. Additionally, iCloud seems to have prompted him for his password and when he entered it in, he received a message stating his iCloud account would be locked for about 3 hours. He's now worried about locking his screen at all for fear of being unable to log back in again which is understandable.


I was reading here that we may be able to resolve the issue by resetting his Keychain, but that there may be risks involved and to not do it unless instructed to do so by Apple Support. I'm still looking into it, but appreciate your help so far. Have any further advice here?

Aug 22, 2024 8:05 AM in response to sventek_

A few updates:

  • We use Apple Business Manager to automate parts of the MDM enrollment, but officially Workspace ONE UEM (formerly AirWatch) is our MDM.
  • He sent me a screenshot just now of his Users & Groups settings and it appears that his user account is still listed as a Mobile account.
  • He also tried logging out, and when he tried logging back in, he received a message stating that his account would be locked for 3 hours. We used the same workaround as before where we logged him into the local account, logged out, and then logged back in with his domain account successfully. No idea why that works.
  • He says he doesn't use Keychain but he does use iCloud. He initially received a pop-up or something from iCloud stating the next failed login would be 3 hours. I'm wondering if this is our culprit?

Aug 22, 2024 8:58 AM in response to sventek_

Oh nice, thank you too! I'm not 100% familiar with our setup yet, but I do know the company wants to move away from AirWatch soon, and I'm assuming it's due to the switch from VMware to Broadcom. That'll be a fun project!


To answer your questions:

  • Checked ADAuditPlus and confirmed his domain account hasn't been locked in at least 30 days.
  • Yeah, maybe, but we did receive confirmation that it's his iCloud account that's being locked. Unless I'm simply selecting the wrong target within this tool, it looks like this only showed us lockouts for his domain account across various domain controllers.
  • I asked him to try revoking sessions via iCloud.com and office.com when he has a moment, so we'll see.


I'm sure this is a syncing problem somewhere though. He's able to log into pretty much anything else with his domain username and password (new password). I feel like this has to be something cached locally, or hidden within his iCloud account. Do you happen to know if keychain automatically stores passwords saved to iCloud?

Aug 22, 2024 5:59 AM in response to Swanathon

The end user's laptop might not have a way to receive updated changes from AD. If the user is onsite, do they have the issue?


You might have to install a VPN on the Mac so that it can communicate back to your on-premises Active Directory. Without a tunnel back to your network, the Mac has no idea that a password has been changed. This is why an old password still works after changing it in AD.
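
A quick way to confirm the mechanism described in this reply from the Mac itself, as an added example that is not part of the original thread: a domain-joined Mac with a mobile account keeps a cached copy of the AD credentials, so until it can reach a domain controller it keeps accepting whatever password it cached. The script below checks whether the Mac is bound, whether the user is a mobile account, whether a DC answers on the Kerberos and LDAP ports, and, if so, tests the new password against AD. It also shows the `security` command that moves the login keychain from the old password to the new one, which is the usual fix for the keychain prompt mentioned earlier in the thread. The script name `ad_cache_check.sh`, the domain `corp.example.com` and the user `jdoe` are assumptions for illustration; the commands (`dsconfigad`, `dscl`, `nc`, `security`) are the ones built into macOS.

```shell
#!/bin/sh
# Diagnostic for a domain-joined Mac whose mobile (cached AD) account's
# password was changed on a domain controller. Added example, not code from
# the thread. Assumes macOS with the built-in AD plugin and an admin shell.
# Usage: sh ad_cache_check.sh <shortname>

# True when a dscl AuthenticationAuthority value marks a mobile account:
# macOS tags cached AD users with a ";LocalCachedUser;" entry.
is_mobile_account() {
    printf '%s\n' "$1" | grep -q 'LocalCachedUser'
}

# Pull the domain out of `dsconfigad -show` output, whose lines look like
# "Active Directory Domain          = corp.example.com".
ad_domain_from_show() {
    printf '%s\n' "$1" | awk -F'= *' '/Active Directory Domain/ { print $2; exit }'
}

# A DC must be reachable on Kerberos (88) and LDAP (389) for the Mac to learn
# that the password changed; otherwise the cached (old) password keeps working.
dc_reachable() {
    nc -z -w 3 "$1" 88 >/dev/null 2>&1 && nc -z -w 3 "$1" 389 >/dev/null 2>&1
}

# After an AD password change the login keychain is still encrypted with the
# OLD password, which is what the "keychain password" prompt is about. Moving
# it to the new password keeps the keychain contents instead of resetting them.
update_login_keychain() {
    security set-keychain-password -o "$1" -p "$2" \
        "$HOME/Library/Keychains/login.keychain-db"
}

main() {
    user="${1:?usage: $0 <shortname>}"
    show="$(dsconfigad -show 2>/dev/null)"
    [ -n "$show" ] || { echo "this Mac is not bound to Active Directory"; exit 1; }
    domain="$(ad_domain_from_show "$show")"
    echo "bound to AD domain: $domain"

    auth="$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)"
    if is_mobile_account "$auth"; then
        echo "$user is a mobile account (AD credentials cached locally)"
    else
        echo "$user is not a mobile account (local only, or not present on this Mac)"
    fi

    if dc_reachable "$domain"; then
        echo "a DC for $domain answers; testing the password against AD (you will be prompted):"
        dscl /Search -authonly "$user"
    else
        echo "no DC reachable: without a VPN the Mac cannot see the change and keeps accepting the cached password"
    fi
}

# Run the checks only when invoked as a script, so the functions can be sourced.
case "${0##*/}" in ad_cache_check.sh) main "$@" ;; esac
```

If `dc_reachable` fails off-site, the fix is the VPN this reply suggests; once a DC answers, `dscl /Search -authonly` succeeding with the new password confirms the Mac now sees the change. The workaround used later in the thread (log in to a local account, connect to Wi-Fi, log back in as the domain user) is consistent with this: the second login happens with the network up. Call `update_login_keychain OLD NEW` as the affected user only if the keychain prompt appears and the old password is known; it updates the keychain in place rather than resetting it.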

Aug 22, 2024 8:20 AM in response to Swanathon

We use Apple Business Manager to automate parts of the MDM enrollment, but officially Workspace ONE UEM (formerly AirWatch) is our MDM.

Hey, cool, I am in the process of moving off of AirWatch and over to ABM myself =)

Hopefully it goes smoothly.


Thanks for checking on the Mobile account.


One question to maybe narrow down our list of possible reasons for this... is he being locked out of his AD account or the Apple ID?


Microsoft has a good tool for looking at locked accounts, the Account Lockout Status tool: https://www.microsoft.com/en-gb/download/details.aspx?id=15201

This probably won't be much help if the Apple ID is being locked, however.



Another thing to try is revoking all tokens and active sessions via both iCloud and office.com. An old session might be causing this hangup.

Aug 22, 2024 10:21 AM in response to Swanathon

Do you happen to know if keychain automatically stores passwords saved to iCloud?

So, I don't think Keychain just throws passwords in there automatically, but it DOES ask you, when you sign in to something, if you'd like to store this password in Keychain. The user would then have to confirm storage of said password.


Apologies for any ignorance on this matter.
