Active Directory and mobility on Mac
Directory services can hold vast amounts of sensitive data and should be kept secure. Almost always, querying the service is restricted to trusted devices on trusted networks. This means that remote computers such as laptops require an active VPN connection to access the directory service.
Locally cached credentials
Mobile user accounts cache the user’s information, including their password, so the user can log in to the Mac when it’s disconnected from the organization’s network. Changes made in the directory service won’t be updated on the Mac until it reconnects to the organization’s network.
Changing a mobile account password
To change a mobile user account password on a Mac that’s bound to the directory service, choose Apple menu > System Settings, then click Users & Groups in the sidebar, while the computer is connected to the directory service.
To verify connectivity to the directory service, review “Network account server” on the right. A green indicator means the directory service is available. Click the Info button next to the mobile user account, then click Change Password.
This process ensures that the user account password is changed in three locations:
The remote directory service
The locally cached credential store (/private/var/db/dslocal/)
The user’s login keychain data store
The login keychain is an encrypted data store in the user’s home folder that contains sensitive information such as app and internet passwords, as well as user certificate identities. By default, the password to decrypt this data store is the same as the user account password, and it’s automatically unlocked at login.
If the network account password is changed while a Mac isn’t actively connected to the directory service, it’s only changed in the locally cached credential store. When the user reconnects to the directory service and logs in, the remote directory service is updated and the Mac is unable to unlock the login keychain. The user must provide the previous password and the new password to update the login keychain data store. If the user can’t provide the previous password, there’s an option to create a new login keychain.
With local-only accounts, a password policy can be applied with a configuration profile. This ensures organizational policy compliance while simplifying synchronization of the login keychain and the user account password.