
It looks like there's a bug/issue on 10.13 for Macs that are bound to AD: when a user tries to change their password, it appears to have changed, but in reality it hasn't.



anyone else experiencing this issue?

Once I found that some clients using AD could not log in with their ID and password, it wasn't necessary to unbind and re-bind. Have them use their regular ID and password, but have them log in over an ethernet cable that is connected to the domain. Disconnect the ethernet cable afterwards and they're good to go. I understand that this is an okay workaround if you have clients that are onsite and your team can run around with cables and adapters to resolve it.
I did try making the user an admin in sys pref but that did not work. Maybe something to do with how the profile was originally set up as a mobile/managed account?


Unfortunately, in two instances so far I have found the computer name to be changed, so that will need to be edited and re-bound, but I will need to test this more. I hope not, otherwise EPO will be a nightmare.


I can confirm this behavior, did anyone test with 10.13.1 to see if it is fixed?


I have installed the 10.13.1 Beta on a test machine. I can confirm that it did fix the issue with not changing the password in AD, but that is the only thing that it changed apparently. FileVault password and Keychain password did not change. I tried on multiple occasions changing the password on a test AD account and saw the same results each time. I have to turn off FileVault and turn back on in order for the new password to be set. I also have to create a new KeyChain in order to prevent annoying pop-ups asking for old password.


AD bound computers having issues with users not being able to log back in if they do the upgrade off site?


We've had one so far. User returned to campus with laptop, plugged in, and within 30 seconds, account authenticated.
Not everyone will be this close....


Odd, when running the High Sierra Beta versions, no issues whatsoever.
Just upgraded off-site and could not log into the AD account. But I logged into the local admin account, connected to VPN, fast user switched, and all was fine. Really odd, but it's seemingly clear Apple really has no interest in AD (not that I ever cared); it will definitely trip up a lot of unsuspecting users.


On 10.13.1 GM we are still seeing issues with FV passwords for mobile AD accounts not getting updated.



Users change their password; on the next reboot the FV password is the old password but the user account password is the new one.



Is this still a known issue with 10.13.1?


@MatG - we are still seeing this behavior on 10.13.1 clients, yes


yes still an issue with 10.13.1


Found on Slack:



We were seeing more issues in 10.13.1 with AD accounts and FV password sync. Apple have informed me:

“It appears there is an issue in 10.13.0 and 10.13.1 where, as long as the password is only updated from the Users & Groups pane, the FileVault password will get updated after rebooting and unlocking the volume with the old FileVault password ... but if the AD password is ever changed away from the client (from the AD server, from a website, etc.), the passwords do not get synced again, even after changing it again from the Users & Groups pane. This behavior has been reported to Apple and is being targeted for a future update.”

Also, NoMAD has a pref (hicFix) that resolves this on 10.13.


Version 10.13.2 just came out and promises to fix some AD problems.


I'm running 10.3.2. I cannot enable FileVault as a domain account. I receive the error 'Account "username" cannot be used to manage encryption on this Mac. Click the lock to prevent further changes, then select another administrator account, and try again.'


I have a test Mac here that I was running 10.13.1 on and I experienced the problem of the FileVault Password not syncing up with Active Directory after a password change no matter how long I let it sit. I just updated it to 10.13.2. After the update, I let it sit for a few minutes at the desktop then I restarted it. It now takes the password I changed it to a couple weeks ago.



It sucks that these really stoopid bugs are surfacing in High Sierra, but I am glad Apple is making progress on fixing them.


Has anyone confirmed that all these Password issues are resolved now in 10.13.3? I've still got a block on Upgrades to High Sierra due to this in my organisation. Cheers


With 10.13.3, AD, FileVault 2, and changing the AD password elsewhere, I experienced the same pain points as always. The FV2 password updates only after the first login to macOS with the updated AD password, and the old login keychain password needs to be entered to "Update Keychain Password". Thankfully, the keychain prompt no longer offers to continue; you are prompted to update or to create a new keychain. That's a big improvement, at least since Sierra.


So we just noticed an issue where changing AD passwords through our "password change portal" changes the password as planned, but does not update FileVault. I have restarted numerous times and it seems to be affecting all systems a user has. I've had some users test with only changing through System Preferences and that seems to work just fine. With one exception...that being if you've changed your password through the Portal first.



Seems like for at least us the problems from 10.13.0 and 13.1 are back again.



I have a ticket open with Apple and right now they seem confused. Seems their engineering and QA departments aren't quite what they used to be. High Sierra may very well be the Vista of macOS.


They are confused because they don't manage your Portal or your AD environment. There is no structure in place to change the FV password if the user changes the password somewhere else. This has always been the case.



The issue that you are seeing is that when the user restarts and the OLD password is passed through to the login window it is accepted because your Mac has not had time to make the connection to AD, and is using cached credentials. The fix that I use is:
1. Tell my users to NOT change the password via a portal, only use the System Preferences, login window or NoMAD
2. If you do need to change it via the portal for whatever reason (i.e. you are off network when it expires), then the next time you are on network, log out (don't restart) and log back in with the new password. This should display the password sync dialog box and sync your keychain and FV with your new password.


@jason.bracy Unfortunately, that's not an option for some of us: password changes flow down from an Identity Management system to AD and other systems, so we don't allow users to change passwords from the workstation. In Sierra, password changes from our IM portal did semi-reliably sync to the client (and update FileVault), so the loss of this functionality is definitely annoying. This is something they can test for without replicating our environments, IMO.



Agreed that Apple QA is squarely in the dump at the present time.


@analog_kid , that makes sense. I was seeing the issue in 10.13.0-10.13.1, but it went away in 10.13.2. Seems to be back in 10.13.3.



I've filed a bug report with Apple. The only way I've been able to resolve the issue is to add a new FV user, remove the out-of-sync user, add him back in, and then remove the temp user. I had to do this via the CLI, as System Preferences kept failing, probably due to the mismatched password. So first I created a new user called "tempfv":



$ sudo fdesetup add -usertoadd tempfv
Enter the user name: user1
Enter the password for user 'user1': (enter the password currently used to unlock the drive)
Enter the password for the added user 'tempfv':
$ sudo fdesetup remove -user user1
$ sudo fdesetup add -usertoadd user1
Enter the user name: tempfv
Enter the password for user 'tempfv':
Enter the password for the added user 'user1':
$ sudo fdesetup remove -user tempfv


It's a PITA if you would need to do this regularly, but I am only dealing with users who forget to change their password before it expires and decide to do it either via the helpdesk or the password portal. So only every now and then.



Hopefully Apple will fix it in macOS 10.13.4!



Thanks,



Jason
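The same tempfv re-enrolment sequence, scripted as an added example (not from the original post or from Apple): the passwords reach fdesetup through `-inputplist` on stdin instead of being typed at prompts or passed as command-line arguments where `ps` could see them, the script refuses to run if the user is not FileVault-enabled or the temp user already is, and the temp user is deliberately left enrolled if re-adding the real user fails so the disk never ends up with no one able to unlock it. The helper names are hypothetical; the plist layout is the one documented in fdesetup(8) for `-inputplist`. The temporary account (the thread's "tempfv") must already exist as a local user, and the script must run as root on the affected Mac.

```shell
#!/bin/sh
# Added example, not from the original post: the tempfv re-enrolment sequence
# scripted around `fdesetup add -inputplist`, so every password reaches fdesetup
# on stdin instead of being typed at a prompt or exposed as a command-line argument.
# Helper names are hypothetical; the plist layout is the one fdesetup(8) documents.

# Escape a value for inclusion in plist XML (passwords may contain & < > ").
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# True if $2 appears as an enabled user in $1, the output of `fdesetup list`
# (one "shortname,GeneratedUID" line per enabled user).
fv_user_enabled() {
  printf '%s\n' "$1" | grep -q "^$2,"
}

# Build the document `fdesetup add -inputplist` reads from stdin:
#   $1/$2 = an already enabled user and the FileVault password that currently unlocks the disk
#   $3/$4 = the user to enrol and that account's login password
fv_add_plist() {
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0">' \
    '<dict>' \
    "  <key>Username</key><string>$(xml_escape "$1")</string>" \
    "  <key>Password</key><string>$(xml_escape "$2")</string>" \
    '  <key>AdditionalUsers</key>' \
    '  <array><dict>' \
    "    <key>Username</key><string>$(xml_escape "$3")</string>" \
    "    <key>Password</key><string>$(xml_escape "$4")</string>" \
    '  </dict></array>' \
    '</dict>' \
    '</plist>'
}

# Re-enrol an out-of-sync FileVault user. Must run as root on the affected Mac.
#   $1 = the AD user whose preboot password is stale
#   $2 = the OLD password that preboot still accepts
#   $3 = the user's NEW directory password
#   $4 = an existing local admin used as the temporary unlock user (the thread's "tempfv")
#   $5 = that local account's login password
fv_resync_user() {
  command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; macOS only" >&2; return 2; }
  fv_list=$(fdesetup list) || return 2
  fv_user_enabled "$fv_list" "$1" || { echo "$1 is not FileVault-enabled" >&2; return 1; }
  if fv_user_enabled "$fv_list" "$4"; then
    echo "$4 is already FileVault-enabled; choose a temp user that is not" >&2
    return 1
  fi
  # 1. Unlock with the stale password and enrol the temp user.
  fv_add_plist "$1" "$2" "$4" "$5" | fdesetup add -inputplist || return 3
  # 2. Drop the stale record. Until step 3 succeeds only the temp user can unlock
  #    the disk, so a failure in step 3 leaves the temp user enrolled on purpose.
  fdesetup remove -user "$1" || return 3
  # 3. Re-enrol the user with the new password, authenticating as the temp user.
  fv_add_plist "$4" "$5" "$1" "$3" | fdesetup add -inputplist || return 3
  # 4. Remove the temp user's FileVault access again.
  fdesetup remove -user "$4"
}

# Usage (interactive, reading passwords without echo), for example:
#   printf 'old FileVault password: '; stty -echo; read -r OLD_PW; stty echo; echo
#   (likewise for NEW_PW and TEMP_PW)
#   fv_resync_user user1 "$OLD_PW" "$NEW_PW" tempfv "$TEMP_PW"
```

Read the three passwords with echo disabled as in the usage comment rather than putting them on the command line; inside the script they are only ever handed to fdesetup via the pipe.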


I had that experience, so what I do, and it helped me out, is go to System Preferences > Users & Groups > Login Options, click the Edit button, then delete the AD domain. Once I do this, with Casper Remote I can bind the Mac again, and this helps to sync passwords. Hope this helps you.


Has anyone been able to figure out a clean way of getting the AD password and the FileVault Preboot screen password to sync? We're in 10.13.3 and it's still a problem for us. We've seen more than a million and one ways to try and fix this, but nothing seems promising. Any ideas?


Always change the password on the Mac in Sys Prefs> Users & Groups



Changing it externally will cause the account and FV passwords not to sync.



The other option is NoMAD.


Changing the password in Sys Prefs > Users & Groups isn't working. At least not for us. The AD password changes successfully but not the FileVault Preboot login password. Preboot still wants the expired password. What else you guys got?


I am experiencing the same issue as monaronyc... Users can change the AD pw via Users & Groups; however, it does not sync to the Preboot screen. The same issue has been reported in this post as well:



https://discussions.apple.com/thread/8279272



This is preventing us from moving to High Sierra enterprise wide. Hopefully a fix comes soon!

