Jamf LAPS PreStage account lockout / password change

Question

We have Jamf LAPS enabled for a PreStage account and a jamf binary account.

For an unknown reason the PreStage account keeps getting locked out and requires a password change.

When I run this command:

usr/bin/pwpolicy -authentication-allowed -u prestageadminuser

I get this return:

User <prestageadminuser> is not be allowed to authenticate until password is changed: Credential verification failed because account is temporarily locked.

Sometimes I get this return

User <prestageadminuser> is not be allowed to authenticate until password is changed: Password change is required by authentication server.

I've gotten this result with and without a config profile for passcode.

From the terminal sometimes I am able use the command "login prestageadminuser" with theLAPS password and it will prompt me to change the password.

Sometimes it does not take the LAPS password at all.

I do not have any problems with the jamf binary account LAPS.

Page 1 / 1

Have you deployed a configuration profile with the Passcode payload configured?

A LAPS account password will look something like TXJLZ4-2L6QN6-EBI3A3-EOHRSVLE.

It could possibly not meet the requirements for Complex Passcode, Minimum Number of Complex Characters, or Change at Next Authentication.

Also, do you have just the one LAPS account deploying to your computers?

I am seeing a similar issue. Did you ever find a resolution?

talkingmoose · Answer

Have you deployed a configuration profile with the Passcode payload configured?

A LAPS account password will look something like TXJLZ4-2L6QN6-EBI3A3-EOHRSVLE.

It could possibly not meet the requirements for Complex Passcode, Minimum Number of Complex Characters, or Change at Next Authentication.

Also, do you have just the one LAPS account deploying to your computers?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded