Active Directory and mobility
Directory services can hold vast amounts of sensitive data and should be kept secure. Almost always, querying the service is restricted to trusted devices on trusted networks. This means that remote computers such as laptops require an active VPN connection to access the directory service.
Locally cached credentials
Mobile user accounts cache the user’s information, including their password, so the user can log in to the Mac when it’s disconnected from the organization’s network. Changes made in the directory service won’t be updated on the Mac until it reconnects to the organization’s network.
Changing a mobile account password
To change a mobile user account password on a Mac that’s bound to the directory service, open System Preferences, then click Users & Groups while the computer is connected to the directory service.
To verify connectivity to the directory service, click Login Options in the sidebar of the Users & Groups preference pane, then check the Network Account Server field. A green indicator means the directory service is available. Select the mobile user account in the sidebar, then click the Change Password button.
This process ensures that the user account password is changed in three locations:
The remote directory service
The locally cached credential store (/private/var/db/dslocal/)
The user’s login keychain data store
The login keychain is an encrypted data store in the user’s home folder that contains sensitive information such as app and Internet passwords, as well as user certificate identities. By default, the password to decrypt this data store is the same as the user account password, and it’s automatically unlocked at login.
If the network account password is changed while a Mac isn’t actively connected to the directory service, it’s only changed in the locally cached credential store. When the user reconnects to the directory service and logs in, the remote directory service is updated and the Mac is unable to unlock the login keychain. The user must provide the previous password and the new password to update the login keychain data store. If the user can’t provide the previous password, there’s an option to create a new login keychain.
With local-only accounts, a password policy can be applied with a configuration profile. This ensures organizational policy compliance while simplifying synchronization of the login keychain and the user account password.