We're using AD binding and mobile accounts on the Macs in my environment, which I know isn't ideal. I'm working on getting us going on NoMAD Login, but we use machine certs, which makes that tough.
I'm currently using NoMAD, mostly just for password changes, but I have users that forget to use NoMAD for it sometimes and end up in a rough spot. I've got one right now who changed it through our web portal, realized the issue and contacted me, so I tried having him change it in NoMAD, which appeared to work. I had him shut down and verify that FileVault would take the new password, and it didn't, so I tried the lines from @hkabik and @rcarey over here. Once we ran those lines, I had him shut down his machine and power it back up, and the FV2 password was now his new password, which logged him all the way in.
However, I had him shut it down and try powering it up at home, and FV2 would only take his old password, and the password the mobile account had cached was still his old password.
This is an absolute pain, and I'm just looking to script out something that can update the password in all of these places in the event that a user does it wrong, but from what I'm seeing in different forum posts, it doesn't look like that sort of solution exists in the macOS world, which is really discouraging.
Has anyone had any luck/advice for recovering from out-of-sync password issues?