How can Mac users change their Windows Active Directory passwords over a VPN connection?

In our office, we are running some Windows servers running an Active Directory domain. We've got a number of security policies that we enforce, including a 180 day password expiration policy. Everybody in the company has a laptop that is joined to the domain, a mix of Win7 and MacBook Pros (Mountain Lion or Lion). Every user's domain login is used to log in to their laptops as well as a few corporate resources, including a Cisco VPN connection when away from the office.

When the expiration date comes up, it's not a problem for most users. They come in to the office, get the expiration notice, and change their password at login or via the usual change password options for Win7 or OS X.

The problem comes for the handful of office users who are permanently remote. Specifically the Mac users. I've found several ways for users to be notified of an expiring password (scripts+email, adpassmon, etc). The problem is the actual password change. The Windows users can VPN in, hit Ctrl-Alt-Del, change their password and everything is updated and fine. If a Mac VPNs in and tries to change their password, they just get the "password was not changed" message ("your system administrator may not allow you to change your password or there was some other problem with your password...").

Anyone know why, or have a solution for this? I know I could have users VPN in and Remote Desktop to another machine to change their passwords, but this will play havoc with the local machine's keychain, as well as sudo privileges, which might just get worse the next time they visit the office.

edit: I should clarify that one of the issues seems to be that even with an active VPN connection, OS X doesn't seem to try and communicate/authenticate against the AD servers (just keeps using cached credentials), even when a password change has been attempted. So even if a password is changed via some external method (OWA, remote desktop, a manual reset by me) the OS X machine will not have the changed password. This will necessitate the user knowing 2 passwords for a length of time, as well as some possible screwy permissions with the keychain and sudo.


Solution 1:

If you have Exchange, have you considered implementing the ability to change it via OWA? http://technet.microsoft.com/en-us/library/bb684904%28v=exchg.141%29.aspx

Another alternative is to use ManageEngine's AD self service product: http://www.manageengine.com/products/self-service-password/download.html

One thing "sort of" out of scope of the question is that I always have had great experiences with AdmitMAC: http://www.thursby.com/products/admitmac.html for the Macs our employees use.

Solution 2:

Just an update, we have the problem solved and it wasn't anything to do with the Macs specifically. We were having some VPN tunnel issues (some ACL mismatch problems were discovered) that were blocking certain groups between sites. Once that problem was taken care of, AD password changes over VPN for the Macs started working. The VPN that users log in to is at a different site from the AD servers.

Thanks for your input, everyone.
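Since the root cause turned out to be VPN ACLs blocking traffic between the VPN site and the AD site, a quick reachability check run from the Mac side over the tunnel is a useful first step before digging into directory binding. This is an added example, not a script from the thread; it assumes the domain controller's hostname is passed as an argument (dc01.example.corp below is a placeholder) and that nc(1) is available on the Mac.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): confirm that the AD services a
# domain-bound Mac needs for authentication and a password change are reachable
# through the VPN tunnel. Only TCP is probed; Kerberos and DNS also use UDP.

# Service/port pairs the Mac must reach on a DC (hypothetical minimal set).
ad_ports() {
  printf '%s\n' \
    "88 kerberos" \
    "464 kpasswd" \
    "389 ldap" \
    "445 smb" \
    "53 dns"
}

# Probe one TCP port with a 3 second timeout; prints "open" or "blocked".
probe_port() {
  host=$1; port=$2
  if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
    echo open
  else
    echo blocked
  fi
}

# Reads "port name status" lines on stdin. Returns 0 if every port is open,
# otherwise lists the blocked services and returns 1. An ACL mismatch like the
# one in Solution 2 shows up here as a handful of blocked entries.
report() {
  rc=0
  while read -r port name status; do
    if [ "$status" != "open" ]; then
      echo "BLOCKED: $name (tcp/$port) - check VPN ACLs between the VPN site and the DC site"
      rc=1
    fi
  done
  return $rc
}

# Probe every required port on one DC. Usage: check_dc dc01.example.corp
check_dc() {
  ad_ports | while read -r port name; do
    echo "$port $name $(probe_port "$1" "$port")"
  done | report
}

if [ $# -gt 0 ]; then
  check_dc "$1"
fi
```

Run it with the VPN up and again with it down; if Kerberos (88) and kpasswd (464) are blocked while the tunnel is up, the Mac will fall back to cached credentials exactly as described in the question's edit.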