We run the Casper Suite to manage our Macs at work, and we use folder redirection for our conference room machines (for the users' home directories). Since all of these machines are Active Directory members and users change their passwords quite frequently per policy, we run into problems when someone tries to log in to a conference room machine after changing their password.
The real trouble seems to be that Apple hasn't quite readied the Mac OS for full enterprise AD integration. Although the Macs are domain members and a user can log in with network credentials, once those credentials have been cached the OS does not re-check with AD when the password the user types no longer matches the one cached in the login keychain.
I created a Self Service script which simply removes the entire Keychains folder for the currently logged-in user. If there is a less heavy-handed solution to this matter I have not yet found it. Here is that script for entertainment.

```bash
#!/bin/bash
##
## Conference Room Keychain Fix
##
## Delete the user's Keychains folder (located in the redirected
## home directory's Library folder).

# Short name of the user currently logged in at the console
username=$(stat -f %Su /dev/console)

# Never run the delete with an empty username (that would point rm at /home//Library/Keychains/)
[ -n "$username" ] || exit 1

rm -R /home/"$username"/Library/Keychains/
exit
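A hardened version of the same idea, added here as an example and not the script from the post: it takes the username as an argument, refuses to act for root, system accounts, empty names or names containing path characters, and only deletes a Keychains folder that actually exists under the redirected home root. `HOME_ROOT` defaults to the `/home` path used above and `keychain_path`/`reset_user_keychains` are names chosen for this example.

```bash
#!/bin/bash
# Added example (not the original post's script): validate the console user
# and the target path before deleting a redirected-home Keychains folder.

# Redirected-home root; /home is the path the post uses (assumption for this example).
HOME_ROOT="${HOME_ROOT:-/home}"

# keychain_path USERNAME
# Prints the Keychains folder path for USERNAME. Returns non-zero for an empty
# name, root, macOS service accounts (underscore prefix), loginwindow, or any
# name containing a slash or leading dot, so the path can never escape HOME_ROOT.
keychain_path() {
    user="$1"
    case "$user" in
        ""|root|_*|loginwindow) return 1 ;;
        */*|.*) return 1 ;;
    esac
    printf '%s/%s/Library/Keychains\n' "$HOME_ROOT" "$user"
}

# reset_user_keychains USERNAME
# Deletes the validated Keychains folder only if it exists.
# Exit status: 0 deleted, 1 refused (bad username), 2 nothing to delete.
reset_user_keychains() {
    dir=$(keychain_path "$1") || { echo "refusing to act for user '$1'" >&2; return 1; }
    [ -d "$dir" ] || { echo "no Keychains folder at $dir" >&2; return 2; }
    rm -R -- "$dir"
}

# Usage on a Mac, supplying the console user the same way the post does:
#   reset_user_keychains "$(stat -f %Su /dev/console)"
```

The validation matters because the script runs as root from Self Service: if `stat` ever returned an empty or unexpected name, an unguarded `rm -R` would be handed a path outside the intended user's home.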
I hope you find this useful and expedient.