After our helpful discussion from earlier today, I have attempted to create a policy that will spin a new Management Account Password once a day. I went to Management > Policies > Create policy manually > General - named it, Category=No Category, Triggered By=The Every 15 Trigger, Execution Frequency=Once every day. Accounts - Change Management Account Password, Randomly Generated Passwords, Number of characters-12. Then I pushed that out to one test machine and got the error in the subject line above. Did I leave something out?
Solved
Error: The Managed Account Password could not be reset
+3Best answer by mm2270
Are you still running into this problem?
I just ran a quick test on my JSS, using the same settings as you have above, scoped to one Mac and forced it to run using the every15 trigger and it was successful. If its not working for you, have you attempted to run it against other Macs? I suspect something may be up with your management account.
The other thing is, give us a run down on your JSS, i.e, OS its running on, version of the JSS, etc. And are you using certificate based communication?
EDIT: Something else just occurred to me. When you say you "pushed that out" do you mean you tried this through Casper Remote, or were you doing a 'sudo jamf policy -trigger every15' on the Mac itself? If you haven't tried it on the Mac with the above, give that a shot to see if it works.
+10@benducklow,
I tested it and yes the password was changed. Since I went from a random password to a known password, I could test it.
+14I've been banging my head against this one, off and on, for months. I have found some solutions, but nothing that works in every instance.
Here's what I have found/done so far, roughly in order from least to most intrusive:
NOTE: Each of these, or a combination thereof, has resolved the issue on at least one machine.
Verify the local account password for <admin account>. I do this via SSH.
As has been mentioned, the password has usually been changed, even with the error returned.If the password has not been changed, manually change the password for <admin account>.
Verify the password for <admin account> in Casper. On at least one machine, the password in Casper was still the old one. Changing it to the new one (after verifying the local PW) resolved the issue.
Re-enroll the machine
Hey, worth a shot, right? Worked on a couple of machines.Delete <admin account>/Library/Keychains/login.keychain
Worked on a few machines. On another machine the Keychains folder didn't exist.Delete and recreate <admin account>.
Delete and recreate <admin account>, making sure to delete the previous <admin account> User folder before recreating the account.
Remove machine from Casper. Delete and recreate <admin account>, making sure to delete the <admin account> User folder as well. Re-enroll. Cross fingers.
Obviously, I'm going to keep poking it with a stick. Hopefully this information will help others, and possibly enable someone to come up with a comprehensive solution.
+2@pmullins Bumping an old thread but we found a solution for this. You can delete the management account and then re-enroll but there is a better way:
Set a new password for the management account on the computer. Use sudo jamf recon with special flags to report the account password and name to the JSS. Now the accounts are linked and you can change the password with a policy.
Described more in detail here: https://www.jamf.com/jamf-nation/discussions/29518/managed-account-password-could-not-be-changed#responseChild174537
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.