FileVault 2 with AD users

The first is that any time the plist file is used, it does not want to add casperadmin. I am assuming that it is because that account is in /private/var, but I am unsure.

You assume correct. FV2 will not enable for accounts with UIDs lower than 501, which I assume your casperadmin account is since the home folder is in /private/var/ Rich has a workaround for this that you can follow here:
http://derflounder.wordpress.com/2012/02/22/hiding-an-filevault-2-enabled-admin-user-with-casper/
But even with this trick the "casperadmin" account will show up at the FileVault 2 pre-boot screen. Is that really what you want? Just asking, because I know in my case I would not want my users to see what my hidden casper admin account was called. But the steps are in his blog if you want to do it.

As for your 2nd problem, we use AD accounts set up as mobile and Casper's FileVault 2 'next or current user' enablement and have never had a problem with this. Let me ask, have you tried setting up an AD account on a Mac w/o FileVault 2 to see if logging in is successful? If not, you may have another issue unrelated to FV2, like a clock synchronization issue or something like that. I would make sure AD binding and account logins work properly before trying to throw FileVault 2 encryption and enablement into the mix.

Just a note that there are some issues with 10.8.2 + FVII + AD. I don't have them, but a colleague does and Apple are working on some of this with 10.8.3 from what I understand. I will try to get more info on it to see if it's part of what you're seeing.

I get an error stating that I cannot log in with the account, as it failed because an error occured.

Does the user have a Home Directory mapped in AD? If so, and if they can't access it - that's when I normally see that error.

@michaeldornisch

Since you mentioned that you were imaging the Mac, I'd double-check to make sure your Recovery HD partition is working properly. I've seen issues with FileVault 2 where something about Recovery HD was wonky and that prevented FileVault 2 from enabling. You may want to try is creating the Recovery HD partition using an installer package, then have Casper install the package at first boot. There's a couple of posts on how to build an installer package that does this:

http://managingosx.wordpress.com/2012/08/15/creating-recovery-partitions/

http://derflounder.wordpress.com/2012/06/26/creating-an-updated-recovery-hd/

@mm2270,

The FileVault 2 UID issue you're referencing only applies if you're enabling the account through System Preferences.

If you're using a command line tool, like fdesetup or Google's csfde tool (http://code.google.com/p/cauliflowervest/wiki/Csfde), you can enable FV 2 for any local or mobile user account on the Mac in question. That includes hidden admin users with home folders in /private/var.

Thanks for the clarification on that Rich. I was under the impression it wouldn't work even at the command line.
That said, then I wonder why the Op had trouble adding in his hidden casperadmin account with the plist file. It sounds like it had no trouble with the visible account from his description..

I think I would still not add hidden (admin) accounts to the FV2 unlock screen though. I don't like that you can't hide them from showing up there. I'm sure we're not the only ones, but we have put in requests to Apple engineering to change FileVault's behavior to only show username & password fields at the boot screen instead of a list of users. I hate that we can't control that. Though I don't expect to see anything change until 10.9, if even that.

Thanks all for your replies on the issue. The hidden admin account unlock was indeed only to be used if it could somehow be hidden from the unlock screen.

The binding has always been successful for us on non FDE macs, and the error only occurred when applying FileVault.

I have gotten it to work properly now, it seemed to be an issue with the account being created as a mobile account for offline use. Instead of just giving it to a user, we created a local account with the same name as the domain account. After the machine was bound, we ran a custom script that merged the local account with the AD account under the same name. This way we were sure that the user was created properly.

Thanks again for everybody's help

@Michael,
I got hold of my colleague and this was his issue:
On 10.8.2, If the Mac is bound to AD, and you want to encrypt the disk, You need to do it from the AD Mobile account itself. If you attempt to FileVault from the Administrator profile, then attempt to grant permissions to ANY AD Mobile account to unlock the disk, the moment you hit the "Enable User" button, the AD account locks out.

Now, Apple was able to replicate this issue in-house. I am told that an upcoming update to the Mac OS will deal with this. It might be that this is part of what you're seeing. Sorry it's not very specific as I am not the one seeing this, but hopefully it adds some data to the issue.

Scott

Scott, I believe I'm having a similar issue. 10.8.2, built-in AD plugin, FileVault 2 enabled with a local account as the primary. Trying to add an AD user, the GUI tells me the password is wrong (it's not). The fdesetup utility gives no error messages, but does not enable the user account (and does manage to lock the account in AD). So, perhaps it's still broken (even though 10.8.2 supposedly addressed a bug with AD users and FileVault 2).

JPDyson,

My understanding from my colleague is that this will be addressed in 10.8.3. I can't verify it's presence because our setup won't flag it, but that's what I was told. I hope that is the case for you guys as I'm on the outside and can't say for sure here. I'd wager an update will be out sooner than later. Please let us know if this indeed addresses the issue.
Your description sounds the same (from my seat).

Scott

I am testing FV2 for the first time and documenting the process for our field techs (has to be simple, so no command line). Just wanted to post back our results in case it's helpful to you guys seeing lock out of AD accounts?

What I have tested is 10.8.2 image, the final step of my image is shut down computer. Created Casper static group and policy that on startup starts encryption for next logged in user. Instruct tech to make sure computer is in static group and then turn on and login as local admin and restart computer to start encryption process (enter local admin password).

Once encryption finishes, logout in OS and login as desired AD user who will be getting computer (at time of delivery). Go to system prefs and click enable user for FV. Enter domain user password and reboot to confirm you can now login to the computer as this user.

In my environment (knock on wood), this is working. I'm not seeing the AD account locking out.

If anyone wants an EA that shows who can unlock the disk.

#!/bin/bash

FileVaultEnabledUsers=`fdesetup list | cut -d, -f1`

echo "<result>"$FileVaultEnabledUsers"</result>"