OSX Leopard, Deep Freeze and Active Directory… oh my

August 12th, 2008 by Michael in Greensboro, NC

With the never-ending roadblocks I encounter at work, my task this year was to utilize the new 10.5 Leopard operating system (and then some) for a local private university. I’ve used Deep Freeze for many years and it has proved to be a great asset in keeping lab machines consistent. What the Macs hadn’t had was a way for users to log in with their own username and password. Being a predominantly PC campus, Active Directory (AD) will be the Macs’ directory service. With all the bad rap Leopard got for Active Directory not working, I was luckily able to get 10.5.4 to bind fine with AD. Glancing into Directory Utility, the light was green; all was good.

I then sent out the command through Remote Desktop to freeze the machines with Deep Freeze. Moving on to other labs, I noticed after ten or so days that people started reporting they could no longer log into the computers I had initially set up. Going into Directory Services, it showed a red light with the message “This server is not responding.” Grrrrrr

Unbinding and then rebinding the machines solved the problem, but doing this every so often across the whole campus would be crazy.

After searching the net, I found from my PC coworkers that they had to modify the registry on the Windows machines to set DisablePasswordChange to 1 in order to keep the trust between the bound machine and AD. Keep in mind this is all because Deep Freeze protects the drive from modifications: the machine periodically changes the computer-account password it shares with the domain, Deep Freeze throws the new password away at the next reboot, and the machine is left presenting the old one to AD. I looked hard into dsconfigad on the Macs and stumbled across an option called -passinterval days. This sets the number of days between changes of the computer-account password the Mac uses for its AD trust. By default the passinterval is 14 days, explaining why my machines were dropping off the Active Directory on campus after about two weeks. I sent the command out to the labs I’ve completed so far, so this should fix the issue. One problem down…..
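As an added example (not part of the original post), here is a small audit script that reads the ActiveDirectory.plist mentioned in the comments and tells you whether a frozen Mac is heading for this trust break. It relies on two things the comments report: the plist carries a “Password Change Date” key while rotation is scheduled, and that key disappears after `dsconfigad -passinterval 0` plus a rebind. The sample plist and its YYYY-MM-DD date format are constructed for the demo and are assumptions about the real file.

```python
"""Audit a Leopard Mac's AD bind for the Deep Freeze trust-break problem."""
import plistlib
from datetime import date, datetime

# Real file location, as given in the comments on the post.
PLIST_PATH = "/Library/Preferences/DirectoryService/ActiveDirectory.plist"

# Constructed sample: a machine bound with the default 14-day passinterval.
# The key name comes from the post; the date string format is an assumption.
SAMPLE_PLIST_ROTATING = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AD Domain</key><string>campus.example</string>
  <key>Password Change Date</key><string>2008-08-26</string>
</dict></plist>"""

# Constructed sample: same machine after `dsconfigad -passinterval 0` and a
# rebind; per the comments the "Password Change Date" key is gone entirely.
SAMPLE_PLIST_DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AD Domain</key><string>campus.example</string>
</dict></plist>"""


def audit_bind(plist_bytes, today, frozen):
    """Return (status, days_until_rotation) for one machine.

    status is 'rotation-disabled', 'ok', 'at-risk' or 'expired'.
    """
    cfg = plistlib.loads(plist_bytes)
    raw = cfg.get("Password Change Date")
    if raw is None:
        # No scheduled rotation: the trust password never changes on disk,
        # so Deep Freeze reverting the drive cannot desynchronise it.
        return "rotation-disabled", None
    change_date = datetime.strptime(raw, "%Y-%m-%d").date()
    days_left = (change_date - today).days
    if days_left <= 0:
        # The rotation already happened; on a frozen disk the new password
        # was discarded at reboot and the bind is (or will be) broken.
        return "expired", days_left
    # A frozen machine WILL break at the next rotation, however far off.
    return ("at-risk" if frozen else "ok"), days_left


def audit_local(frozen=True):
    """Audit the machine this runs on (requires the real plist to exist)."""
    with open(PLIST_PATH, "rb") as fh:
        return audit_bind(fh.read(), date.today(), frozen)


if __name__ == "__main__":
    print(audit_bind(SAMPLE_PLIST_ROTATING, date(2008, 8, 12), frozen=True))
    print(audit_bind(SAMPLE_PLIST_DISABLED, date(2008, 8, 12), frozen=True))
```

On a lab image, run `audit_local()` before freezing: anything other than `rotation-disabled` means the passinterval change has not taken effect (remember the rebind the comments describe).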

Hopefully this will help anyone else that is stuck in the same situation as me.

Posted in Technology | 10 Comments »


10 Responses

  1. Ryan Says:

    Hi Michael,

    I work as an intern at an IT department that is doing the same thing you are with Leopard, Macs, and Deep Freeze with an Active Directory server and we are/were having the exact same problem.

    Your solution looks like it may work. We’ve talked to Apple and they told us to shut off IPv6 and Airport but lo and behold, after about 2 weeks they’ve lost connection to the AD again.

    Thanks a lot! Do you know any easy way to rebind the computers that have been kicked off again, other than doing the unbind and rebind (which sometimes wasn’t working for us and because we had to change computer names in the AD settings)? E-mail me back if you could, I’d be very grateful!

  2. Justin Says:

    What command did you run?

    dsconfigad -passinterval 0? -1? 1000?

    what value did you put in?

  3. Michael Says:

    I first set the computers with

    dsconfigad -passinterval 999

    but that didn’t seem to work; computers were breaking in 14 days. I am now trying 0 days but I won’t know until next week if that works.

  4. connectionfailure Says:

    I have seen this happening at my work as well, but it is not with any regularity.
    In fact recently I upgraded a Mac from 10.4 to 10.5 and this broke the login. I had to tell LoginWindow to force creation of a new mobile account on the local drive, and then the Mac could login.

  5. Andy Says:

    Thanks a bunch! We use MacShield (same idea as DeepFreeze) and were having the same issue! I believe the -passinterval needs to be set BEFORE the machine is bound otherwise the date will not change. If you open up /Library/Preferences/DirectoryService/ActiveDirectory.plist in Property List Editor you can find the interval and the exact date it will expire. Even though I had changed the passinterval I had to unbind and rebind it for the password change date to change.

  6. Michael Says:

    Now that 14 days have passed, none of the computers have broken off of Active Directory, so setting the passinterval to 0 works!!

  7. Barry Nichols Says:

    Mike,

    Wow, I’ve been looking for something on this for (literally) months.

    Any new news on this? Has it worked effectively ever since?

    If this does, in fact, fix the issue you will have saved me many more hours of headache. Thanks!!

  8. Chris Rule Says:

    Wow! I have looked all over the place for this info! It looks like all this stuff here is true!

    I checked the ActiveDirectory.plist as indicated by Andy and there is a string class property called “Password Change Date”. Upon running the dsconfigad -passinterval 0 this property is removed from the plist. Oh, and this DOES require unbinding and rebinding to AD. Also, I could not get this command to run remotely using ARD.

    We were having similar problems with Parallels running Windows on these same Macs. As a result we switched to VMWare thinking it may have been caused by Parallels.

    This problem first appeared as a Windows problem running on a Mac. They would need to be rebound to the AD from time to time. And it didn’t appear until after we upgraded our Macs to Leopard. Tiger worked like a dream!

    Interestingly enough- we have been running Deep Freeze on Windows for about 8 years now and have not had to do the Windows registry fix mentioned in the original post from Michael, but it looks like we may need to do this when running Windows as a VM on a frozen system.

    Thanks again for this post! I think I love you!

  9. Chris Rule Says:

    Here’s an update: I was able to use ARD to remotely thaw all the computers and then send the unix command “dsconfigad -lu username -lp password -passinterval 0” (of course without quotes, and replace the username and password with a local admin account on those Macs).

    I then unbinded and rebinded (I know, not real words…). Then set the Macs to boot frozen and rebooted!

    Should work!

  10. Michael Says:

    Funny, Apple sheds some light on the situation….

    http://support.apple.com/kb/HT3422
