Changing your Duck ID password on an Active Directory bound Mac

Issue

Changing your Duck ID password on the Duck ID Self-Service website can lead to your Mac computer password becoming out of sync with campus services.

This only occurs when the machine is bound to Active Directory (you can tell this by going into System Preferences, Users & Groups, and clicking Login Options on the left. If you see Network Account Server: AD, then you are bound to AD on this Mac.

If not, this article does not apply to you. Please see the Change or Reset Your Duck ID Password in the Related Articles pane.

This issue is amplified when the Mac also has FileVault enabled as that can further lose sync where when you power on the computer, you're asked for one password that may be an old Duck ID password, then asked to log in with a different Duck ID password, then asked for Keychain access, and so on. 

Cause

macOS does not register password changes from outside if it cannot talk to Active Directory at login. Further, it doesn't relay that new password to FileVault or Keychain. Computers in this state are said to be in a "split-brain" situation, and resolving this state often requires IT assistance. 

The goal of this article is the prevention of this "split-brain" state.

Resolution

To resolve, or prevent this issue, you must change your Duck ID password from the computer itself. If off-campus, this requires both a password that has not yet expired and connecting to UO VPN

On-Campus Procedure

  1. Confirm you have a working internet connection and are connected to UONet by opening a web browser and going to the UO Network detection.
  2. On your Mac, go to the Apple Menu, then System Preferences
  3. In System Preferences, open Users & Groups
  4. Click your account on the left if it's not selected, and on the right, click Change password
  5. Enter your current Duck ID password, then a new password keeping in mind the password restrictions: 
    • Must be between 8 and 127 characters in length.
    • Must contain at least 3 of the following four items: a number, an uppercase letter, a lowercase letter, a special character.
    • Must not contain your: Duck ID, first name, preferred first name, nickname, middle name, last name, preferred last name, UO ID, or the characters < or >.
    • Must not be one of your last three passwords.
  6. If successful, you should be dropped back out of your user account.
  7. Save any work you have open, and restart your computer (Apple Menu, then select Restart). Your newly changed password should work for FileVault (if enabled), logging into your account, and you should not receive a notice about your keychain. 

Off-Campus Procedure

Note: If you are unsure about any of the steps below, please contact your local IT or the central TSD via the information here Department & Unit IT Support.
  1. Confirm you have a working internet connection by opening a web browser and going to the UO homepage
  2. Connect to UOVPN (In your applications folder, open the Cisco folder, then open the Cisco AnyConnect VPN program, and connect to VPN).
  3. Confirm you are connected to UONet via VPN by going to the UO Network detection page. If it says you are not connected, please go back to step 2. Do not continue
  4. On your Mac, go to the Apple Menu, then System Preferences
  5. In System Preferences, open Users & Groups
  6. Click your account on the left if it's not selected, and on the right, click Change password
  7. Enter your current Duck ID password, then a new password keeping in mind the password restrictions: 
    • Must be between 8 and 127 characters in length.
    • Must contain at least 3 of the following four items: a number, an uppercase letter, a lowercase letter, a special character.
    • Must not contain your: Duck ID, first name, preferred first name, nickname, middle name, last name, preferred last name, UO ID, or the characters < or >.
    • Must not be one of your last three passwords.
  8. If successful, you should be dropped back out of your user account.
  9. Save any work you have open, and restart your computer (Apple Menu, then select Restart). Your newly changed password should work for FileVault (if enabled), logging into your account, and you should not receive a notice about your keychain. 

Details

Article ID: 103265
Created
Thu 3/26/20 2:52 PM
Modified
Tue 1/19/21 11:11 AM