Changing your Duck ID password on an Active Directory bound Mac

Issue

Changing your Duck ID password on the Duck ID Self-Service website can lead to your Mac computer password becoming out of sync with campus services.

This only occurs when the machine is bound to Active Directory (you can tell this by going into System Preferences, Users & Groups, and clicking Login Options on the left. If you see Network Account Server: AD, then you are bound to AD on this Mac.

If not, this article does not apply to you. Please see the Change or Reset Your Duck ID Password in the Related Articles pane.

This issue is amplified when the Mac also has FileVault enabled as that can further lose sync where when you power on the computer, you're asked for one password that may be an old Duck ID password, then asked to log in with a different Duck ID password, then asked for Keychain access, and so on. 

Cause

macOS does not register password changes from outside if it cannot talk to Active Directory at login. Further, it doesn't relay that new password to FileVault or Keychain. Computers in this state are said to be in a "split-brain" situation, and resolving this state often requires IT assistance. 

The goal of this article is the prevention of this "split-brain" state.

Resolution

To resolve, or prevent this issue, you must change your Duck ID password from the computer itself. If off-campus, this requires both a password that has not yet expired and connecting to UO VPN

On-Campus Procedure

  1. Confirm you have a working internet connection and are connected to UONet by opening a web browser and going to the UO Network detection.
  2. On your Mac, go to the Apple Menu, then System Preferences
  3. In System Preferences, open Users & Groups
  4. Click your account on the left if it's not selected, and on the right, click Change password
  5. Enter your current Duck ID password, then a new password keeping in mind the password restrictions: 
    • Must be between 14 and 127 characters in length.
    • Must contain both uppercase and lowercase letters.
    • Must have at least one digit.
    • Must not contain your Duck ID, first name, preferred first name, middle name, last name, preferred last name.
    • Cannot be a previous password.
    • Must be different by at least three characters from the previous password.
    • Password expires every 180 days.
    • Should not contain UO ID (95#).
    • Should not be the same password you use on any other account.
  6. If successful, you should be dropped back out of your user account.
  7. Save any work you have open, and restart your computer (Apple Menu, then select Restart). Your newly changed password should work for FileVault (if enabled), logging into your account, and you should not receive a notice about your machine's Keychain. 

Off-Campus Procedure

Note: If you are unsure about any of the steps below, please contact your local IT unit or the USS-Technology Service Desk via the information here Department & Unit IT Support.
  1. Confirm you have a working internet connection by opening a web browser and going to the UO homepage
  2. Connect to UO VPN (In your applications folder, open the Cisco folder, then open the Cisco AnyConnect VPN program, and connect to VPN).
  3. Confirm you are connected to UONet via VPN by going to the UO Network detection page. If it says you are not connected, please go back to step 2. Do not continue
  4. On your Mac, go to the Apple Menu, then System Preferences
  5. In System Preferences, open Users & Groups
  6. Click your account on the left if it's not selected, and on the right, click Change password
  7. Enter your current Duck ID password, then a new password keeping in mind the password restrictions: 
    • Must be between 14 and 127 characters in length.
    • Must contain both uppercase and lowercase letters.
    • Must have at least one digit.
    • Must not contain your Duck ID, first name, preferred first name, middle name, last name, preferred last name.
    • Cannot be a previous password.
    • Must be different by at least three characters from the previous password.
    • Password expires every 180 days.
    • Should not contain UO ID (95#).
    • Should not be the same password you use on any other account.
  8. If successful, you should be dropped back out of your user account.
  9. Save any work you have open, and restart your computer (Apple Menu, then select Restart). Your newly changed password should work for FileVault (if enabled), logging into your account, and you should not receive a notice about your machine's Keychain. 
Print Article

Related Articles (4)

Change or Reset Your Duck ID Password
Help with resetting your Duck ID password.
Department and Unit IT Support
Contact information for IT support teams, listed by the UO departments they support.
Getting Started with UO VPN
Install Cisco Secure Client by going to the Secure Client website and logging in with your Duck ID and password.
How to Reconnect after Changing Your Duck ID Password
Explains how to update your computer and accounts after changing your Duck ID password.