Question

Resetting local account password via policy is sporadically failing

Forum|Forum|7 years ago
December 3, 2018
27 replies
321 views

+4

gmce87
Contributor

Hi, we have a local admin account on our workstations and are required to reset the password on this once per quarter. Our local admin account isn't the same as our management account, we keep those separate.

We've been using a Local Account payload to do this for the last year without issue, however I'm suddenly seeing a lot of machines suddenly failing this task in the latest round of resets.

Executing Policy Quarterly Password Reset Error resetting the password for user sledgehammer

If I SSH to the machines which have failed and use passwd to reset the password manually, it works fine. I've also confirmed that the username specified is the local admin account on those machines.

I've tried creating a new policy with a different password and sending that to a few machines which are failing to run this task, but it fails with the same non-descript error.

I've also had a look in /var/log/jamf.log in case there's anything more verbose in there but no joy. Does anyone have any ideas as to what this issue could be, or a workaround for this?

Show first post

1
2

Forum|pagination.label 2 / 2

F

+4

FranckS
Contributor
Forum|Forum|4 years ago
August 14, 2021

You may also test EasyLAPS. I'm the author of this tool which is designed to regularly rotate the local administrator account password of a Mac and store it in a MDM like Jamf Pro or Jamf School.

Like

+10

kevin_v
Valued Contributor
Forum|Forum|4 years ago
October 12, 2021

Going to add this here because I just tracked a similar error down and it seems like it could be related.

If you are enforcing password complexity requirements and you create an account using the JSS with a password that does not meet those requirements, the account ends up in a limbo state. MacOS will insist the password for this account is wrong, and trying to do anything to this account via the JSS (delete, reset password, anything) will fail with a nondescript error. The only remedy I've found is to log in as an admin and manually change the password for the affected account. This even affects accounts that are not filevault enabled, not sure if it's a JAMF bug or a MacOS bug but if it's on the Mac side it's existed at least since Mojave.

Almost a year later and just now learning this. We recently implemented password complexity requirements. Our local account we pushed via policy wouldn't work on hosts that received the account after implementing the password complexity config profile. I had to deploy a new policy to reset the password and that worked so far.

Like

1
2

Forum|pagination.label 2 / 2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded