Posted on 04-22-2015 03:22 AM
Hi all,
I thought I would have found the answer by myself… but no! I need your insights.
Let's say I have an AD + FV2 setup. The computer is shut down and the user has forgotten his password. He logs in to an internal webpage and resets the password. Now he starts the computer.
I guess the only way to get past pre-boot FV2 is by using a recovery key or admin password?
Posted on 04-22-2015 04:29 AM
Hi,
During startup it will normally accept the OLD AD password, and once your HDD is decrypted it will prompt you again to enter your username and password. You can log in with your AD ID and new password. Once you are logged in you can turn OFF FileVault and turn it ON again, so that it syncs with your new password.
Posted on 04-22-2015 04:31 AM
Correct. The FileVault 2 pre-boot login is going to be using the old password for that account and won't be able to pick up the new password until the OS is running (which happens after logging in at the FileVault 2 pre-boot login screen) and able to talk to the Active Directory domain.
If you have another account that can log in at the FileVault 2 pre-boot login, that's likely the easiest approach. Otherwise, using the Mac's alphanumeric personal recovery key (if available) will also work to get you past the pre-boot login.
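As an added illustration (not code from the thread or from any poster), the decision logic above can be checked on the booted OS with `fdesetup list`, which prints one `username,UUID` line per account enabled for the FileVault 2 pre-boot login. The helper below parses that output and picks the path the replies describe: the old AD password if it is known and the account is enabled, another enabled account if one exists, otherwise the personal recovery key. The `fdesetup` invocation and UUIDs are assumptions; the sample list is constructed so the script runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread. Parses `fdesetup list` output to decide
# how a FileVault 2 pre-boot login can be passed after an AD password reset.

# Exit 0 if <user> appears in the `fdesetup list` output given as $1.
# An account missing here cannot unlock the disk at pre-boot at all,
# whichever password it has.
fv2_user_enabled() {
    list="$1"; user="$2"
    printf '%s\n' "$list" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Number of accounts enabled for pre-boot login.
fv2_enabled_count() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { n++ } END { print n + 0 }'
}

# Decide the path past pre-boot, following the thread's reasoning:
#   old AD password known and account enabled -> old password, then new password at the OS login
#   another enabled account exists            -> that account unlocks the disk
#   otherwise                                 -> the personal recovery key (if escrowed)
# $3 is "yes" or "no" for whether the old password is known.
fv2_unlock_path() {
    list="$1"; user="$2"; old_pw_known="$3"
    others=$(printf '%s\n' "$list" | awk -F, -v u="$user" 'NF >= 2 && $1 != "" && $1 != u { n++ } END { print n + 0 }')
    if [ "$old_pw_known" = yes ] && fv2_user_enabled "$list" "$user"; then
        echo old-password
    elif [ "$others" -gt 0 ]; then
        echo other-enabled-user
    else
        echo recovery-key
    fi
}

# Constructed sample of `fdesetup list` output; UUIDs are placeholders.
SAMPLE_LIST='jdoe,00000000-1111-2222-3333-444444444444
fvadmin,55555555-6666-7777-8888-999999999999'

# On a real Mac, replace the sample with the live list (needs root):
#   LIST=$(sudo fdesetup list)
# After the user has logged in with the new password, re-syncing only that
# account (instead of turning FileVault off and on) can be done with
#   sudo fdesetup remove -user jdoe && sudo fdesetup add -usertoadd jdoe
# which prompts for an enabled user's password and then jdoe's new password.
printf 'enabled accounts: %s\n' "$(fv2_enabled_count "$SAMPLE_LIST")"
printf 'path for jdoe, old password known: %s\n' "$(fv2_unlock_path "$SAMPLE_LIST" jdoe yes)"
printf 'path for jdoe, old password lost:  %s\n' "$(fv2_unlock_path "$SAMPLE_LIST" jdoe no)"
```

The count matters for the "otherwise" branch: a Mac whose only enabled account is the one whose old password was lost has nothing left but the recovery key, which is the case where escrowing that key (the question raised later in the thread) pays off.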
Posted on 04-22-2015 04:35 AM
I have a post that includes how the password update procedure is supposed to work in a situation where the old password is known: https://derflounder.wordpress.com/2014/12/18/ten-things-you-might-not-know-about-filevault-2/ (see the Password Changes And FileVault 2 section.)
Posted on 04-22-2015 04:47 AM
edit: overlap with other posts.
Posted on 04-24-2015 04:02 AM
Thanks, it is much clearer for me!
Is Cauliflower Vest still used in the MacAdmin community? Would you use this to collect personal recovery keys, or are there better alternatives? Does Casper Suite have this functionality?
Posted on 04-24-2015 04:31 AM
Casper can handle FileVault 2 management, including collecting and storing personal recovery keys. For more information, I recommend checking out the following links:
http://www.jamfsoftware.com/resources/filevault-2-and-the-casper-suite/
http://www.jamfsoftware.com/resources/administering-filevault-2-with-the-casper-suite/
Posted on 04-24-2015 07:09 AM
Excellent, many thanks Rich!