Being the proactive kind of administrator, I created a great VB script that goes through my OUs and marks computer that haven't updated their password as disabled, and modifies the description of of the computer to show why it was disabled (Disabled after 90 days of inactivity.) The goal was to cleanup stale computer accounts, and it worked spledlidly.
Fast forward about a year, it's time to run the script again. This time around we've joined about 25 OS X 10.4 clients to Active Directory. The script disabled every, single, 10.4 computer object. Picture me pulling my hair out. Somewhere in the back of my mind I remember something:
Tiger (10.4) doesn't update it's computer password in AD, but Apple fixed this in Leopard (10.5).
Yeah I knew it, but slipped my mind completely. Argh. Eenable the accounts in ADUC and removed the scripts comments and all is fine.
Possible work around using Samba's net use command to update the password periodically. Need to try it on a test computer one of these days. Or just upgrade all the clients to Leopard, but that costs money.