AD user account and password expiration with Catalina 10.15.2 and Filevault

carlo_anselmi
Contributor III

Hello, forgive me this is not quite related to JSS but I have thought asking the knowledgeble people here!
We have a password expiration policy in AD and when I try to login with a domain user with Filevault already enabled – if the expiration date is too close – I can unlock the disk but, instead of the ordinary automated login, I get the standard login window with the pop-up telling the password is going to expire in X days.
From there I can simply log in as usual since the password has not expired.
I tested with another AD user account - whose password was very recently changed and going to expire later - and everything goes as expected.
This means there's no automated login with Filevault unless the password expiration is more than X days (I could not exactly understand how many)
Is anyone else experiencing this? Is it a known bug?
Many thanks
Carlo

3 REPLIES 3

DBrowning
Valued Contributor II

try adding this:

defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0

davidacland
Honored Contributor II
Honored Contributor II

It sounds like expected behaviour as the FV screen has no way to warn users that their passwords are due to expire. If you remove the warning, you'll want to replace it with something like NoMAD or Jamf Connect so the user is still notified that their password will be expiring soon.

carlo_anselmi
Contributor III

@dave-moof-it up to Mojave, when you have this kind of setup (FV encryption + network user) even if the password is going to expire soon, you have the automated login. If I am not mistaken you don't receive a warning during this process or if you do, the login proceeds automatically anyway
During my tests with Catalina, if the password is going to expire in less than X days (still to be determined), it simply goes from unlocking the disk, boot and then standard login window with no warning at all
From there you can simply re-type you AD credential and successfully login
@ddcdennisb many thanks, that solves the problem!
Many thanks to all
Ciao
Carlo