@walts.9 The only way we deploy is through Self Service. I'll try and remember to take a look on Monday and see how I have it set up. @benk234 Have you tried removing some of the user input and populating the info via the script. Obviously not anything in clear text but something along those lines? Been a little bit since I've messed with what I did. Recently switched to a new group so my brain is a little overloaded right now. Please feel free to message me. I'm happy to help in any way I can.

@walts.9 Here’s a version I have in Self Service with user prompts

I'm now feeling very hopeful that macOS 10.14.4 will resolve this issue. 😉

@true[robby] have you tested a 10.14.4 beta or has Apple support indicated it will be fixed with that release?

Testing in 10.14.4 beta and it's looking good!

My findings show that after the 10.14.4 update, a subsequent password change via System Preferences while on domain will sync up all three passwords (local account, keychain and FileVault) and stays synced while off domain. ✅✅✅

I'm even finding that if the user once again changes their password somewhere other than their machine (a web interface like OneLogin), the local password syncs and stays synced when off domain. ✅ Upon next reboot, if the user chooses to Update Keychain it will sync up keychain and FileVault. ✅✅

So we're back to behavior on earlier versions.

@ true[robby] thanks for posting.

What if the user has forgotten their previous password and enters a recovery key at FileVault and for keychain has to create a new one? Is the account password and FV password still out of sync on next reboot?

What happened for me is not exactly the same as per OP.

• MBP 2016(Mac OS Mojave 10.14.3)
• Joined to Windows AD
• Everything seems fine until a password change is done
• After password is changed, user can only login using new password when connected to the Office Network
• When outside office network, user needs to use previous password
• Updating Keychain when prompted does not fix this issue
• Only solution was to unbind and rebind again,

I have just tested the latest Mojave Developer Beta update and confirmed this issue is fixed.
Passwords will now sync across as soon as the mac gets connected to domain network.

@MatG After using the recovery key to unlock the volume we are presented with our normal logon screen. I think this behavior is different. Before, when using the recovery key the user is given a pop-up at the logon screen to change their password. But now, the volume can be unlocked but the user still needs to know the existing password to log in. So we don't get far enough to be able to answer your keychain question.

Can I ask what version number of the Mojave Developer Beta update fixed the issue for you?

I think it was beta 2 or 3. Cant remember. Its now beta 6 so I'd guess release next week.

I just posted an article about the history of the 10.13 & 10.14 syncing issue. I included some fixes that you can use if you still have some accounts that are still out of sync.

https://mrmacintosh.com/macos-mojave-10-14-4-update-fixes-ad-mobile-account-filevault-password-chang...

FWIW. I just had a troublesome 10.14.5 machine that wouldn't sync the FV password to the locally cached or domain password. Nuking the keychain fixed the issue.

I tried a battery of solutions until I finally thought of this so I hope it helps someone.

Thank you @sshort

sudo sysadminctl -adminUser $adminUserHere -adminPassword $adminPasswordHere -resetPasswordFor $userToBeReset -newPassword $newPasswordHere

Using this from a command prompt fixed our issue of an AD user not able to login after password was changed elsewhere. No FieVault in use.

Cheers!

We are seeing this issue on random machines on different versions of Mojave. Its very frustrating. Anyone confirm if this is still an issue in Catalina? We have it blocked for a bit for testing purposes. Or, does anyone have a non-interactive version of the above command that can be scheduled?

@mgorton It is still an issue in Catalina. In fact, I came here looking for an explanation and a possible solution.

We are rolling out FileVault enabled laptops running 10.15.2 and have begun experiencing the same symptoms reported in this thread: User changes AD password, often through a web portal (sometimes over WiFi, sometimes over ethernet), and then they are unable to log in at the preboot screen. The old password is usually able to unlock the volume, but the new AD password otherwise works for authenticating against other AD bound services. it will also work at the system login screen is the user logs out.

I have been able to correct this, as others have, by using the recovery key. Once the recovery key is provided, the user is prompted for their network password and then the passwords are synched.

I haven't yet tried some of the other fixes recommended here, but will do so first chance I get. Thanks to all for sharing your experiences and expertise.

@mheffernan If you change the password off the Mac through a web portal all you are changing int the AD account password, therefore FileVault password will not change. If you change the password on the Mac it will update your AD account password and the FileVault password.

However if you do change the password through a web portal then on boot as you say use the old password, then you probably get prompted again to login into your account, then a Keychain box then what is meant to happen is macOS is meant to sync the account password down to FV, but in Catalina 10.15.1,2 and now 3 this I believe is broken.

Here is my self service script to resolve this filevault issue if the user changes their password in a way other than System Prefs/ Nomad .
This does require you have a local admin account on the computer and that you pass the local admin user name and pass as variables $4 and $5.
I did not have great luck with the update preboot command that @ncottle used (though I haven't tried the script posted here) so I wrote a script doing the same thing with FDE setup awhile back.

#! /bin/bash

#Found commands at
#https://www.jamf.com/jamf-nation/discussions/26608/adding-user-to-filevault-using-fdesetup-and-recovery-key

adminName=$4
adminPass=$5
userName=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

fdesetup remove -user $userName

if [[ "$userName" == "adminName" ]] || [[ "$userName" == "HardCodedLocalAdminName" ]]; then
    echo "Admin user is logged in."
    exit 1
    dialog="Do Not run this tool when logged in as Admin! Exiting!"
    cmd="Tell app "System Events" to display dialog "$dialog""
    /usr/bin/osascript -e "$cmd"
fi


dscacheutil -q user -a name $userName

sleep 1

echo "prompting user for Account Password"
userPass=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "Enter your Current Account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END)

expect -c "
spawn fdesetup add -usertoadd $userName
expect "Enter the primary user name:"
send ${adminName}
expect "Enter the password for the user '$adminName':"
send ${adminPass}
expect "Enter the password for the added user '$userName':"
send ${userPass}
expect" 


fdeList=`fdesetup list | grep $userName`

if [[ "$fdeList" == *"$userName"* ]] ; then
    echo "$userName Filevault Password Updated successfully"
    dialog="$userName Filevault Password Updated successfully"
    cmd="Tell app "System Events" to display dialog "$dialog""
    /usr/bin/osascript -e "$cmd"
    exit 0
else
    echo "Adding $userName to FV2 Failed"
    dialog="Adding $userName to FV2 Failed"
    cmd="Tell app "System Events" to display dialog "$dialog""
    /usr/bin/osascript -e "$cmd"
    exit 1
fi

I usually use diskutil apfs changepassphrase, though I haven't made a script of it yet. If it works it would alleviate the need to pass an admin password in clear text.