I just posted an article about the history of the 10.13 & 10.14 syncing issue. I included some fixes that you can use if you still have accounts that are out of sync.
https://mrmacintosh.com/macos-mojave-10-14-4-update-fixes-ad-mobile-account-filevault-password-change-sync-issue/
FWIW. I just had a troublesome 10.14.5 machine that wouldn't sync the FV password to the locally cached or domain password. Nuking the keychain fixed the issue.
I tried a battery of solutions until I finally thought of this so I hope it helps someone.
Thank you @sshort
sudo sysadminctl -adminUser $adminUserHere -adminPassword $adminPasswordHere -resetPasswordFor $userToBeReset -newPassword $newPasswordHere
Using this from a command prompt fixed our issue of an AD user not being able to log in after the password was changed elsewhere. No FileVault in use.
Cheers!
We are seeing this issue on random machines on different versions of Mojave. It's very frustrating. Can anyone confirm if this is still an issue in Catalina? We have it blocked for a bit for testing purposes. Or, does anyone have a non-interactive version of the above command that can be scheduled?
@mgorton It is still an issue in Catalina. In fact, I came here looking for an explanation and a possible solution.
We are rolling out FileVault enabled laptops running 10.15.2 and have begun experiencing the same symptoms reported in this thread: the user changes their AD password, often through a web portal (sometimes over WiFi, sometimes over ethernet), and then they are unable to log in at the preboot screen. The old password is usually able to unlock the volume, but the new AD password otherwise works for authenticating against other AD bound services. It will also work at the system login screen if the user logs out.
I have been able to correct this, as others have, by using the recovery key. Once the recovery key is provided, the user is prompted for their network password and then the passwords are synched.
I haven't yet tried some of the other fixes recommended here, but will do so first chance I get. Thanks to all for sharing your experiences and expertise.
@mheffernan If you change the password off the Mac through a web portal, all you are changing is the AD account password, therefore the FileVault password will not change. If you change the password on the Mac, it will update your AD account password and the FileVault password.
However, if you do change the password through a web portal, then on boot, as you say, you use the old password; then you probably get prompted again to log in to your account, then a Keychain box. What is meant to happen is that macOS syncs the account password down to FV, but in Catalina 10.15.1, .2 and now .3 I believe this is broken.
Here is my self service script to resolve this FileVault issue if the user changes their password in a way other than System Prefs / NoMAD.
This does require that you have a local admin account on the computer and that you pass the local admin user name and password as variables $4 and $5.
I did not have great luck with the update preboot command that @ncottle used (though I haven't tried the script posted here), so I wrote a script doing the same thing with fdesetup a while back.
#!/bin/bash
# Found commands at
# https://www.jamf.com/jamf-nation/discussions/26608/adding-user-to-filevault-using-fdesetup-and-recovery-key
# $4 and $5 are the local admin user name and password passed in from the policy.
adminName="$4"
adminPass="$5"
# Short name of the currently logged-in user (empty at the login window).
userName=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

# Refuse to run as the admin account BEFORE removing anyone from FileVault.
if [[ "$userName" == "$adminName" ]] || [[ "$userName" == "HardCodedLocalAdminName" ]]; then
    echo "Admin user is logged in."
    dialog="Do Not run this tool when logged in as Admin! Exiting!"
    cmd="Tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 1
fi

# Remove the user from FileVault so they can be re-added with their current password.
fdesetup remove -user "$userName"
dscacheutil -q user -a name "$userName"
sleep 1

echo "prompting user for Account Password"
userPass=$(/usr/bin/osascript<<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your Current Account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END)

# Drive the interactive fdesetup prompts; each answer must end with a carriage return.
expect -c "
spawn fdesetup add -usertoadd \"$userName\"
expect \"Enter the primary user name:\"
send \"${adminName}\r\"
expect \"Enter the password for the user '$adminName':\"
send \"${adminPass}\r\"
expect \"Enter the password for the added user '$userName':\"
send \"${userPass}\r\"
expect eof
"

# Confirm the user is back in the FileVault user list.
fdeList=$(fdesetup list | grep "$userName")
if [[ "$fdeList" == *"$userName"* ]]; then
    echo "$userName FileVault Password Updated successfully"
    dialog="$userName FileVault Password Updated successfully"
    cmd="Tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 0
else
    echo "Adding $userName to FV2 Failed"
    dialog="Adding $userName to FV2 Failed"
    cmd="Tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 1
fi
I usually use diskutil apfs changepassphrase, though I haven't made a script of it yet. If it works, it would alleviate the need to pass an admin password in clear text.
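Following up on the diskutil apfs changePassphrase idea, here is an added example (my code, not from anyone in this thread) that re-syncs the console user's FileVault passphrase without admin credentials: the user supplies the old password that FileVault still accepts and the current account password. It assumes an APFS boot volume, that the FileVault crypto-user UUID equals the account's GeneratedUID, and that the volume to target is /System/Volumes/Data on 10.15 (/ on 10.14); DATA_VOLUME, SAMPLE_LISTING and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the thread: re-sync a user's FileVault passphrase with
# `diskutil apfs changePassphrase` instead of fdesetup remove/add, so no admin
# password has to be passed in. Assumptions: APFS boot volume; the Data volume
# path below is an assumption for 10.15 (use / on 10.14).
set -u
DATA_VOLUME="${DATA_VOLUME:-/System/Volumes/Data}"
# Constructed sample of `diskutil apfs listUsers` output, used for self-checks only.
SAMPLE_LISTING='Cryptographic users for disk1s1 (2 found)
|
+-- 5D3A0F1C-1111-2222-3333-444455556666
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User'
console_user() {   # short name of the logged-in user, empty at the login window
  echo "show State:/Users/ConsoleUser" | scutil |
    awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ($2 != "loginwindow") print $2 }'
}
generated_uid() {  # a user's GeneratedUID doubles as its FileVault crypto-user UUID
  dscl . -read "/Users/$1" GeneratedUID 2>/dev/null | awk '{ print $2 }'
}
crypto_user_type() {  # $1 = listUsers text, $2 = UUID; prints the Type, empty if absent
  printf '%s\n' "$1" | awk -v u="$2" '
    toupper($0) ~ ("^\\+-- " toupper(u) "$") { hit = 1; next }
    hit && /Type:/ { sub(/^.*Type:[[:space:]]*/, ""); print; exit }'
}
prompt_hidden() {  # hidden-answer dialog, same approach as the script earlier in the thread
  /usr/bin/osascript -e "text returned of (display dialog \"$1\" default answer \"\" with hidden answer buttons {\"Continue\"} default button 1)"
}
resync_fv_passphrase() {  # $1 = user, $2 = old passphrase, $3 = current account password
  local uuid type
  uuid=$(generated_uid "$1")
  type=$(crypto_user_type "$(diskutil apfs listUsers "$DATA_VOLUME")" "$uuid")
  case "$type" in
    "")         echo "$1 is not a FileVault user on $DATA_VOLUME" >&2; return 2 ;;
    *Recovery*) echo "refusing to change the recovery user's passphrase" >&2; return 3 ;;
  esac
  # Passphrases passed as flags are briefly visible in the process list; omit both flags and diskutil prompts for them instead.
  diskutil apfs changePassphrase "$DATA_VOLUME" -user "$uuid" \
    -oldPassphrase "$2" -newPassphrase "$3"
}
main() {
  local user; user=$(console_user)
  [ -n "$user" ] || { echo "No console user; run from the user's session." >&2; exit 1; }
  resync_fv_passphrase "$user" \
    "$(prompt_hidden "Enter your OLD password (the one FileVault still accepts):")" \
    "$(prompt_hidden "Enter your CURRENT account password:")"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as the logged-in user with `--run`; the crypto-user check refuses to touch the Personal Recovery User or an account that is not a FileVault user at all.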