Skip to main content
Question

Can't Use Recovery Key To Reset AD Account Password on FV2 Encrypted Mac

  • September 7, 2016
  • 10 replies
  • 56 views
D
Forum|alt.badge.img+8

Hey all, wondering if I'm the only one to have this issue, and if I'm not, if anybody has found a way around this.

SCENE: A laptop, encrypted by policy using Casper Suite. The machine has two users able to unlock the disk: a local admin, and a mobile account created via AD login.

The password has been forgotten. You can use the recovery key on either user to allow a password reset. You can successfully reset the password for the local account, but every time you try to reset the password for the AD account, OS X just shakes it's head at you and says "Nope". Doesn't matter if it's connected to general wifi, secure wifi, or hardwired to the company network.

Obviously, this can be resolved for users where we've been able to authorize the local admin to unlock the disk, but we aren't able to guarantee this for all users. Anybody have a way to use the recovery key to reset an AD password?

    10 replies

    D
    Forum|alt.badge.img+1
    • DTIC_Macintosh
    • New Contributor
    • September 7, 2016

    Have you disabled and re-enabled user using terminal?

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • September 7, 2016

    Is this happening for any AD user? Or is this an isolated case? Is the Mac able to communicate with AD at the time that you're trying to reset the password? Have you confirmed that the AD binding hasn't become broken on the Mac? If it has, that would explain why it can't reset the AD account password.

    J
    Forum|alt.badge.img+11
    • JustDeWon
    • Contributor
    • September 7, 2016

    piggy back'n off @mm2270 ... I believe you would have to unbind/rebind to the domain.. And try it..

    S
    Forum|alt.badge.img+2
    • shibao_si
    • New Contributor
    • September 8, 2016

    Same thing happens here in our testting environment. try to unbind/rebind to the domain does not make any influence. We can change AD password by Users & Groups in System Preferences

    D
    Forum|alt.badge.img+8
    • danshaw
    • Valued Contributor
    • September 8, 2016

    This is exactly what we have to deal with. If a user forgets their password and they are outside of our network we cannot use the FV key to reset their password. As soon as they are on the domain it works like a charm.

    If the user is locked out, then we can't get them on the VPN. So the only way we can think of is to send the laptop to our office. A 30 second fix and then mail it back to them. I wish there was another way.

      A
      Forum|alt.badge.img+18
      • alexjdale
      • Contributor
      • September 8, 2016

      I have to ask why anyone would think this would work? The recovery key is not a 1:1 substitute for a user's password, and although the system might allow you to change the password for a local account without knowing the current password, Active Directory wouldn't. The computer account certainly does not have those permissions.

      S
      Forum|alt.badge.img+2
      • shibao_si
      • New Contributor
      • September 9, 2016

      We are lucky that our users only use macs in their office. I think this may work ? When a user forgot his password, we give the recovery key to him and reset the user's password in AD,the user use the recovery key to unlock and use new password to login, then reset the keychain?

      D
      Forum|alt.badge.img+8
      • danshaw
      • Valued Contributor
      • September 9, 2016

      Just in case this helps anyone else, we found a solution for these random mobile users outside of our office who forgot their password on their encrypted Mac. It's pretty clunky, but it works and is better than sending it in for us.

      1. Boot into recovery partition
      2. Decrypt drive using recovery key
      3. Log into management account and connect to VPN
      4. Fast user switch into user account with password reset from AD
      5. Switch back to management account and log out.
      6. Log back into user account, connect to VPN, and manually fix keychain or blow it away
      D
      Forum|alt.badge.img+8
      • duffcalifornia
      • Author
      • Contributor
      • September 9, 2016

      So, I think a large issue is that our secure wifi requires a certificate to be installed to get on privileged VLANs that allow access to network resources like shared drives, etc. Because of that, the machine does not connect to the internet immediately upon startup, and may not recognize the wired connection. FWIW, AppleCare Enterprise Support confirmed this issue and is unsure of why it happens.

      CypherCookie
      Forum|alt.badge.img+7
      • CypherCookie
      • Contributor
      • April 7, 2017

      Hi all, I'm getting a similar issue but not quite the same.

      We are seeing users using the correct password getting locked out from being able to decrypt the FileVault drive. There is a local account which is allowed to decrypt the drive, but even with the recovery key the user resets their password FileVault still does not allow them to unlock the drive.

      I've tried numerous ways to get the password to sync up but have not had any luck.

      I've followed this post which highlights a similar issue but with no luck so far.

      https://www.jamf.com/jamf-nation/discussions/7054/fdesupport

      Terms & ConditionsCookie settingsAccessibility statement