@dpratl,

Apple built that reset password functionality for local accounts and it doesn't really work with AD mobile accounts. If your user has forgotten their password and you use the recovery key to unlock and allow them to boot, you also have the option of selecting the Cancel button when asked to reset the password.

Once the password reset has been cancelled, try logging in with the new password that's been set on the AD domain's end.

Hi @rtrouton ,

This was not working in the first few tests, but I will try it again and update my post.

Thank you for the clarification that this function is only for local accounts.

BR
Daniel

Hi @dpratl ,

I believe I came across this same issue yesterday and today.

Yesterday I was locked out (I think, because of another issue involving iCloud and Passcode Config Profiles. Before Sierra, I would enter my recovery key and the next window would prompt me to reset my password. Same as what @rtrouton's screen shot shows. With Sierra, after entering the recovery key, the regular login window comes up instead of the password reset prompt in El Capitan and Yosemite and no prompts to reset my password.

I was able to get in this morning by unscoping myself from our password configuration profile. I was then able to log in using my current password. I used the fdesetup changerecovery -personal command to issue a new recovery key and was successful. However, this did not solve the problem. While troubleshooting this issue, I realized that my current password (an old one) does not meet our current password policy requirements (it's new). So I went to System Preferences > Users and Groups to change it. It would not allow me to reset my password because, it says, my "old password" is incorrect. This is usually a sign that the user has been locked out. I rebooted immediately and verified that I was again locked out without any notification. I've found that the only way for me to unlock myself is to unscope from the password configuration profile.

I'm still trying to figure out what could be causing this failure. Not sure if this issue and the iCloud/Passcode Configuration issue are related. My next step is to move my iCloud account and see if things are back to normal.

If you have any more details to share, please do. FYI, I am not bound to AD.

Thanks!

Maybe this is a dumb idea, but rather than have the customer attempt to use macOS to reset their password, why not create a temporary password from AD itself, allow the user to log in (bypassing the need for the recovery key), and then change their password from within system preferences to something more private?

@dpratl ,

I was able to confirm that removing my iCloud account now allows me to use a recovery key again to reset my password. So, I guess this issue is related to https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud after all.

@rtrouton,

Would you happen to have any extension attributes that detect if a user is signed in to iCloud? I found one here https://www.jamf.com/jamf-nation/discussions/19085/disable-icloud-icloud-drive-and-find-my-mac-on-existing-systems by bpavlov but I'm getting mixed results.

Thanks!

Thank you all for your answers.
I marked a solution.

My test where successful:
Our users are using there AD accounts (on more user would be to much for this sentence ;)) also for the encryption.
If the forget the password the cannot decrypt their Mac, so the give a call to our Helpdesk.
What have to be done by the Helpdesk:
- reset the AD password to a temporary one (also the "Reset PW at next login" flag can be set)
- get the recovery key from JSS
- tell the (verified) user both and he has to cancel the first request to change the password like @rtrouton said above and the user has to be connected with the internal network (because of the AD connection)
Task by Helpdesk is finished.
What has to be done by the user:
- decrypt the Mac with the Key provided by the Helpdesk
- cancel the first request to change the password like Helpdesk said
- login with the temporary password
- change the password immediately (if the flag was set)
Task by user is finished and he can work on.

This is working for us :)
JAMF Nation is really a great source

BR
Daniel

PS: If the user try to change the password at the first request from macOS, this will harm the user profile somehow and a login is not possible anymore.
PPS: @duffcalifornia if I only set a new password in AD this will not affect the stored password for FileVault, you have to use the recovery key and then use the reseted password to login