Active Directory offline reset password + FV2

ftiff
Contributor

Hi all,

I thought I would have found the answer by myself… but no! I need your insights.

Let's say I have an AD + FV2 setup. The computer is shut down and the user has forgotten his password. He logs in to an internal webpage and resets his password. Now he starts the computer.

I guess the only way to get past pre-boot FV2 is by using a recovery key or admin password?

7 REPLIES

shyam_sm
New Contributor II

Hi ,

During startup it will normally accept the OLD AD password, and once your HDD is decrypted it will again prompt you to enter your username and password. You can log in with your AD ID and new password. Once you are logged in you can turn FileVault OFF and ON again, so that it syncs with your new password.

rtrouton
Release Candidate Programs Tester

Correct. The FileVault 2 pre-boot login is going to be using the old password for that account and won't be able to pick up the new password until the OS is running (which happens after logging in at the FileVault 2 pre-boot login screen) and able to talk to the Active Directory domain.

If you have another account that can log in at the FileVault 2 pre-boot login, that's likely the easiest approach. Otherwise, using the Mac's alphanumeric personal recovery key (if available) will also work to get you past the pre-boot login.
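
The two escape routes above (another FileVault-enabled account, or the personal recovery key) can be checked for before anyone stands at the pre-boot screen. The following is an added example, not code from the thread or from Jamf: it takes `fdesetup list` output (on a real Mac, `sudo fdesetup list`, one `username,GeneratedUID` per line), reports whether the locked-out AD user and any other accounts have pre-boot entries, and sanity-checks the shape of an escrowed recovery key. The account names, UUIDs and key in it are constructed samples, and the key check is a format check only (six hyphen-separated groups of four uppercase letters or digits), not proof that the key on file is the one the Mac currently accepts.

```shell
#!/bin/sh
# Added example: who can get past the FileVault 2 pre-boot login?
# Constructed sample in the real `fdesetup list` format; names/UUIDs are made up.
FDE_LIST='localadmin,1D9B2A2C-3F1E-4C5A-9B7D-0A1B2C3D4E5F
jdoe,7A6B5C4D-3E2F-4A1B-8C9D-0E1F2A3B4C5D'
# Constructed sample key, in the shape of a personal recovery key.
SAMPLE_PRK='ABCD-EFGH-JKLM-NPQR-STUV-WXYZ'

# fv_enabled USER LIST -> exit 0 if USER has a pre-boot (FileVault-enabled) entry
fv_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# fv_other_users USER LIST -> prints every other FileVault-enabled account,
# i.e. candidates for "another account that can log in at the pre-boot login"
fv_other_users() {
    printf '%s\n' "$2" | awk -F, -v u="$1" 'NF >= 2 && $1 != u { print $1 }'
}

# prk_wellformed KEY -> exit 0 if KEY looks like a personal recovery key:
# six groups of four characters (A-Z, 0-9) separated by hyphens.
# Assumed format; a match does not prove the key is current for this Mac.
prk_wellformed() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# plan USER LIST KEY -> prints the path that gets USER past the pre-boot screen:
#   other-account:<name>  another FileVault-enabled account can unlock the disk
#   recovery-key          no other account; use the escrowed recovery key
#   none                  neither is available; expect a recovery key request
plan() {
    p_user=$1
    p_list=$2
    p_key=$3
    if ! fv_enabled "$p_user" "$p_list"; then
        echo "note: $p_user has no FileVault pre-boot entry at all" >&2
    fi
    p_other=$(fv_other_users "$p_user" "$p_list" | head -n 1)
    if [ -n "$p_other" ]; then
        printf 'other-account:%s\n' "$p_other"
    elif prk_wellformed "$p_key"; then
        printf 'recovery-key\n'
    else
        printf 'none\n'
    fi
}

# Demo on the constructed sample: jdoe forgot the password, localadmin is also enabled.
plan jdoe "$FDE_LIST" "$SAMPLE_PRK"
```

On a real machine replace `FDE_LIST` with `$(sudo fdesetup list)` and `SAMPLE_PRK` with the key pulled from your escrow; the point of running this ahead of time is to learn that a Mac has only one FileVault-enabled user, and no escrowed key, before that user forgets the password.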

rtrouton
Release Candidate Programs Tester

I have a post that includes how the password update procedure is supposed to work in a situation where the old password is known: https://derflounder.wordpress.com/2014/12/18/ten-things-you-might-not-know-about-filevault-2/ (see the Password Changes And FileVault 2 section.)

m_entholzner
Contributor III

edit: overlap with other posts.

ftiff
Contributor

Thanks, it is much clearer for me!

Is Cauliflower Vest still used in the MacAdmin community? Would you use this to collect personal recovery keys, or are there better alternatives? Does Casper Suite have this functionality?

rtrouton
Release Candidate Programs Tester

Casper can handle FileVault 2 management, including collecting and storing personal recovery keys. For more information, I recommend checking out the following links:

http://www.jamfsoftware.com/resources/filevault-2-and-the-casper-suite/

http://www.jamfsoftware.com/resources/administering-filevault-2-with-the-casper-suite/

ftiff
Contributor

Excellent, many thanks Rich!