Posted on 04-09-2021 07:52 AM
Hi All,
This worked for me...Hence I am sharing this to all the admins out there who is looking for a permanent solution of never ending AD Password Sync Issue with FileVault..
First let's spit the scenarios..
Scenario 1 (Mac User who is aware of his/her old AD password) FV2 Enabled
Scenario 2(Mac User who is not aware of his/her old AD password) FV2 Enabled
Scenario 1:-
(Mac User who is aware of his/her old AD password) FV2 enabled
Step 1 - Check the Securetoken status of the AD Mobile Account
sysadminctl -secureTokenStatus username_goes_here
If it's disabled follow this article to enable the secure token https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
By any chance if you receive any Operation not permitted error while enabling securetoken. Simply go to system preferences>Security & privacy > Unlock using admin credentials > Select Filevault > You will notice the following Alert "Some users are not able to unlock the disk |Enable Users|" Click Enable Users. It will pass the securetoken to ADmob account successfully.
Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return
USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:
diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return
Passphrase successful.
If you receive any further errors, please post here I will look into it and help you further.
Step 3 - Perform a restart and check whether the new password is updated and you are able to login.
Step 4 - If the above 3 steps didn't fix the issue. Please inform the user to drive back to office > connect the mac to enterprise (LAN) network by which it will communicate to the AD Domain Controllers & servers. This step is very important
Step 5 - Launch Self Service & run the AD UnBind Policy to remove the mac from the AD domain FYR....(The script is one liner "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")
Step 6 - Scope the AD Bind policy and run it from self service. Note:- Add the following command "sleep15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the mac to AD and immediately logs out.
Please leave the macbook connected to LAN port at login screen for 15-30 min depending on your DC geolocation and mac location. The password sync will try to re-attempt and it should get updated at the backend.
Step 7 - Then check out for any lockouts of the user AD account and try logging in with the new password.. It should definitely go through and the system will prompt for 2 options Create New Keychain or Update Keychain Password... Please select "Create New Keychain" your login will succeed.
Step 8 - Once you have logged in, please lock the mac and try unlocking using the new password. By which you will have the confirmation that password sync is updated on keychain level.
Step 9 - Perform a restart and verify the same. Now the FileVault 2 will be aware of your new password and it should go through without any issues.
By following the above steps I was able to resolve one of the user FV2 password sync issue which was pending for close to 6-7 months...I wish it will work for you as well..Let me know your attempt status..
Scenario 2(Mac User who is not aware of his/her old AD password) FV2 Enabled
I have copied the same step from Step 4 to 9... Please follow the same and let me know if you face any issues..
Step 1 - Please inform the user to drive back to office > connect the mac to enterprise (LAN) network by which it will communicate to the AD Domain Controllers & servers.
Step 2 - Launch Self Service & run the AD UnBind Policy to remove the mac from the AD domain FYR....(The script is one liner "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")
Step 3 - Scope the AD Bind policy and run it from self service. Note:- Add the following command "sleep15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the mac to AD and immediately logs out.
Please leave the macbook connected to LAN port at login screen for 15-30 min depending on your DC geolocation and the mac location the password sync will try to re-attempt and it should get updated at the backend.
Step 4 - Check out for any lockouts of the user AD account and try logging in with the new password.. It should definitely go through and the system will prompt for 2 options Create New Keychain or Update Keychain Password... Please select "Create New Keychain" your login will succeed.
Step 5 - Once you have logged in, please lock the mac and try unlocking using the new password. By which you will have the confirmation the password sync is updated.
Step 6 - Perform a restart and verify the same. Now the FileVault 2 will be aware of your new password and it should go through without any issues.
Regards, Kishoth P
Posted on 05-13-2021 11:59 AM
This helped us. Thank you so much.
**Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return
USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:
diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.**
Posted on 05-13-2021 02:49 PM
Honestly, unless you have a very very good reason to bind macs to AD don't. If you are using Azure AD look at JAMF Connect it will solve all these problems as well.
Posted on 06-03-2021 02:28 AM
Thank you so much ! Its worked for me as well.
Now i created self service policy for whom FileVault password is out of Sync.
#/bin/bash
#Get the current user details
currentUser=$(who | awk '/console/{print $1}')
#Get the user UUID number
userNameUUID=$(dscl . -read /Users/$currentUser/ GeneratedUID | awk '{print $2}')
#Get the user's Old password
oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"
#Get the user's New password
newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"
diskutil apfs changePassphrase disk1s1 -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass
sudo jamf recon
Posted on 06-03-2021 09:10 AM
+1 for not binding and relying on a tool like Apple's Enterprise Connect if you're on local AD or Jamf Connect if you're Azure AD. Binding is a big bag of hurt and Apple has recommended not using it for at least as far back as 5 years. Go to your infosec and make them really justify why. Remember, these aren't windows boxes.
Posted on 06-03-2021 11:54 AM
@easyedc "Remember, these aren't windows boxes." As if that ever resonated at orgs that are Windows heavy... "Why can't Macs just work like Windows machines??"
Posted on 10-07-2021 12:01 PM
@Jamftechelp This helped immensely! The only changes I made to it are adding quotes around the password variables because if a user has a space in one of their passwords, it will be interpreted as another piece of the diskutil command and error out.
-oldPassphrase "$oldPass" -newPassphrase "$newPass"
Posted on 03-30-2022 01:07 PM
@Jamftechelp Have you run this on M1 silicon yet? I am getting an error message:
Changing passphrase for cryptographic user 0000000-00000-000 on APFS Volume disk1s1
Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)
FileVault is encrypted. Would it be referring to one of the partitions not being encrypted?
Posted on 03-31-2022 07:54 AM
The script has a hardcoded value for the disk identifier. You would want to verify that is the proper identifier for an M1. On my two M1 devices 'disk1s1' is not present, and instead the APFS container that holds "Macintosh HD" and "Data" is 'disk3'. So 'disk3s1' might work for my machines, but I would not hard code that value. You should find a way to programmatically determine which APFS container (and volumes) are encrypted.
Ideally you would begin unbinding your devices from AD and deploy Jamf Connect or NoMAD, especially given the upcoming Microsoft patch in July that will break binding.
03-31-2022 04:52 PM - edited 03-31-2022 05:13 PM
I double checked the disk identifier for "Macintosh HD - Data" on the last 2 MacBook Pros (Intel) I ran a similar script (see below) on, and they were both 'disk1s1'. My own MacBook Pro (Intel) is 'disk1s6'.
I came up with this:
#Get the Disk identifier
diskName=$(diskutil list | awk '/Macintosh HD - Data/{print $NF}')
diskutil apfs changePassphrase $diskName -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass
I ran it without errors but it didn't work. Not to make this convoluted, but I prefer a similar script from:https://community.jamf.com/t5/jamf-pro/filevault-not-syncing-ad-password/m-p/121380/highlight/true#M... which is the one I ran on the Intels. It double checks your new password, and it gives you a confirmation if the password sync is successful. I did post on that thread, but no one responded.
I plugged in my get disk identifier with this script, but I get this error:
Could not find disk for -user
HELPER=0Exit Code: Password could not be changed. Is the old password correct?
Posted on 04-01-2022 08:42 AM
Well, you did half the leg work, actually more than half. Try this for finding the identifier:
diskName=$(diskutil list | grep 'Macintosh HD' | awk {'print $NF'})
The method you had did not provide any output when I ran it on my M1 device.
Posted on 03-31-2022 12:01 PM
So in the past you had to pay for tools like Enterprise Connect or Jamf Connect. Now that Apple's basically taken Enterprise Connect and baked it into the OS with Kerberos SSO, that's a simple win. It can handle password synchronization for you with ease. Follow the instructions doc that Apple has and throw that into your JSS. Works pretty well. We haven't moved to full Azure AD so paying for Jamf Connect isn't necessary for us yet.
Posted on 12-19-2022 08:00 AM
This worked for me. Plus ensure that the localadminname has securetoken access.
sysadminctl -secureTokenOff username -password - -adminUser localadminname -adminPassword -
sysadminctl -secureTokenOn username -password - -adminUser localadminname -adminPassword -
reboot
With these commands, you will be prompted for the username password and the localadminname password to complete the task.
Posted on 12-23-2022 09:47 AM
Hi @kishoth_p
I am getting following error when I ran @Jamftechelp's script. I also tried with the command:
diskutil apfs changePassphrase disk1s1 -user "UUID" -oldPassphrase "old Password" -newPassphrase "newPass" from terminal got same error: Changing passphrase for cryptographic user "UUID which get from step 2 command" on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593). I also ran Step 1 command and confirmed that Secure token is ENABLED for user who I am trying to change password. BTW for your information I implemented NoMad and NoMad Login and our machines are not bind.
So PLease suggest on this how we can workable to synch local Password & Filevault password with AD after change passowrd. Please help me.
Posted on 01-11-2023 07:16 AM
I have seen the same thing on newer Apple Silicon hardware where they use an APFS container instead of just the simple partition formats. It seems that might only work on older formatting types.
Others seem to use fdesetup to remove and then re-add the user and they said that will resync but I haven't tested this yet.
sudo fdesetup remove -user SHORTNAME
sudo fdesetup add -usertoadd SHORTNAME
Posted on 07-11-2023 10:19 AM
omg, I think this just solved an issue we'd been having without bind even in the mix...
Posted on 07-11-2023 11:51 AM
I fix this issue in our environment.
Posted on 07-19-2023 09:42 AM
Super helpful! We just rolled FV2 out in our district and I've seen a couple one-off issues with AD binding / password syncing with Enterprise Connect. These instructions fixed the issue for me. Thanks!
Posted on 05-16-2024 05:05 AM
But the solution indicated here is the definitive solution and when the password is changed again, the problem does not occur again?
or every time the password is changed the problem occurs again and you have to do what is indicated here again.
Posted on 08-09-2023 01:13 AM
I keep getting another option and I'm not sure what to do
The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
Computer Name:~ username$ diskutil apfs changePassphrase disk1s1 -user,83F498FD-8F34-4C0B-812B-6CC05FEC180F
Usage: diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd
<apfsVolumeDisk> -user disk|<cryptoUserUUID>
[-oldPassphrase <passphrase> | -oldStdinpassphrase]
[-newPassphrase <passphrase> | -newStdinpassphrase]
where <apfsVolumeDisk> = APFS Volume DiskIdentifier
<cryptoUserUUID> = user whose passphrase to change
<oldPassphrase> = existing password (else interactive prompt)
<newPassphrase> = new password (else interactive prompt)
Change the passphrase of an existing cryptographic user; you can specify
"disk" for the "Disk" user.
Ownership of the affected disks is required.
Example: diskutil apfs changePassphrase disk5s1 -user <UUID>
Posted on 08-09-2023 05:46 AM
You appear to have a comma between -user and the user ID. Try removing that comma.
diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F
Posted on 08-09-2023 07:36 AM
I got the same response after I removed the comma. I'm unsure if something changed with Ventura because I'm on an M2 Mac.
Last login: Wed Aug 9 07:28:35 on ttys000
computer name ~ % diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F
Usage: diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd
<apfsVolumeDisk> -user disk|<cryptoUserUUID>
[-oldPassphrase <passphrase> | -oldStdinpassphrase]
[-newPassphrase <passphrase> | -newStdinpassphrase]
where <apfsVolumeDisk> = APFS Volume DiskIdentifier
<cryptoUserUUID> = user whose passphrase to change
<oldPassphrase> = existing password (else interactive prompt)
<newPassphrase> = new password (else interactive prompt)
Change the passphrase of an existing cryptographic user; you can specify
"disk" for the "Disk" user.
Ownership of the affected disks is required.
Example: diskutil apfs changePassphrase disk5s1 -user <UUID>
computer name ~ %
Posted on 08-10-2023 09:15 AM
I would verify you have the right UUID for a cryptographic user and volume ownership. The following DataJAR articles talks about how:
Posted on 12-07-2023 05:07 AM
We use this script like this and this is how it works Universal (Intel and ARM) in our environment
#/bin/bash
#Get the current user details
currentUser=$(who | awk '/console/{print $1}')
#Get the user UUID number
userNameUUID=$(dscl . -read /Users/$currentUser/ GeneratedUID | awk '{print $2}')
#Get DiskInfo
diskNumber=$(diskutil apfs list| grep "APFS Container Reference:" |awk '{print$4}')
#Get the user's Old password
oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"
#Get the user's New password
newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"
diskutil apfs changePassphrase $diskNumber"s1" -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass
jamf recon