resetpassword Authentication Server could not be contacted

Catalina 10.15.7 bound to AD.
Local admin the second account which is a user with admin privileges - isn't able to log in after attempting to reset the password.

Did a force unbind the system
Booted to recovery (tested with WiFi on and off)
From Terminal - resetpassword. Using the password recovery tool I'm unable to set that second account password because it says 'authentication server could not be contacted'

A bit confused as to why it even attempts that if the bind to AD isn't there anymore. Removing & re-adding the account is a nuclear option I can't use just yet.

I see posts with this error using dsconfigad and attempting to bind but I haven't found a solution for when in recovery mode

Page 1 / 1

Is the second account a directory service user? Cached account directory service accounts are marked as having remotely administered passwords, even if the binding is gone. As a result, local password tools, including resetpassword, won't touch them for fear of creating an inconsistency with the directory service.

@joshuasee That's what I was afraid of - Is the cached directory info something you can purge?

We're in the same boat at the moment.
@k3vmo did you manage to get it resolved, or did you proceed with nuking the account?

In the network applet in sys Prefs highlight you WiFi card connection and click the Advanced button, then go to the 802.1x tab and see if anything is listed. If there is Delete it. If not the back on the network page click the Location and set a New location.

It's possible it could have been as simple as his note above - however, _
I had to issue a decrypt File Vault from Jamf - I then ran Rich Trouton's script - https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_to_local_account

AFTER BACKING UP

I still couldn't change the password under the recovery partition so as the last attempt - I logged into the local admin account.
I copied the UID of the user account - I then deleted their account and selected to KEEP HOME FOLDER AS-IS

I then created a new account - and right-clicked on it to Advanced Options. I set the UID to the same as the account I removed - then pointed it to the existing home directory -- the key here is that when you create the new account - the username of the account has to be identical to the home directory name.

Rebooted and logged in with the new user (which matched the old home directory name) and new password I set and was able to get to the files.

Granted - I didn't document what security updates this had so your mileage may vary. This by no means was an official fix. I think I got lucky.

Hi @k3vmo I am having the same problem and when I go to delete the user account there is no option to save the home folder, any advice on this one?

Thanks,

Matthew

@user-KKwmGBmzZi What OS? Are you removing it via Users & Groups in System preferences? Options like dscl from the command line won't keep it by default unless you add other options in the command.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded