After our helpful discussion from earlier today, I have attempted to create a policy that will spin a new Management Account Password once a day. I went to Management > Policies > Create policy manually > General - named it, Category=No Category, Triggered By=The Every 15 Trigger, Execution Frequency=Once every day. Accounts - Change Management Account Password, Randomly Generated Passwords, Number of characters-12. Then I pushed that out to one test machine and got the error in the subject line above. Did I leave something out?
@benducklow,
I tested it and yes the password was changed. Since I went from a random password to a known password, I could test it.
I've been banging my head against this one, off and on, for months. I have found some solutions, but nothing that works in every instance.
Here's what I have found/done so far, roughly in order from least to most intrusive:
NOTE: Each of these, or a combination thereof, has resolved the issue on at least one machine.
Verify the local account password for <admin account>. I do this via SSH.
As has been mentioned, the password has usually been changed, even with the error returned.
If the password has not been changed, manually change the password for <admin account>.
Verify the password for <admin account> in Casper.
On at least one machine, the password in Casper was still the old one. Changing it to the new one (after verifying the local PW) resolved the issue.
Re-enroll the machine
Hey, worth a shot, right? Worked on a couple of machines.
Delete <admin account>/Library/Keychains/login.keychain
Worked on a few machines. On another machine the Keychains folder didn't exist.
Delete and recreate <admin account>.
Delete and recreate <admin account>, making sure to delete the previous <admin account> User folder before recreating the account.
Remove machine from Casper. Delete and recreate <admin account>, making sure to delete the <admin account> User folder as well. Re-enroll. Cross fingers.
Obviously, I'm going to keep poking it with a stick. Hopefully this information will help others, and possibly enable someone to come up with a comprehensive solution.
@pmullins Bumping an old thread but we found a solution for this. You can delete the management account and then re-enroll but there is a better way:
Set a new password for the management account on the computer. Use sudo jamf recon with special flags to report the account password and name to the JSS. Now the accounts are linked and you can change the password with a policy.
Described more in detail here: https://www.jamf.com/jamf-nation/discussions/29518/managed-account-password-could-not-be-changed#responseChild174537