Can't Use Recovery Key To Reset AD Account Password on FV2 Encrypted Mac

duffcalifornia
Contributor

Hey all, wondering if I'm the only one to have this issue, and if I'm not, if anybody has found a way around this.

SCENE: A laptop, encrypted by policy using Casper Suite. The machine has two users able to unlock the disk: a local admin, and a mobile account created via AD login.

The password has been forgotten. You can use the recovery key on either user to allow a password reset. You can successfully reset the password for the local account, but every time you try to reset the password for the AD account, OS X just shakes its head at you and says "Nope". Doesn't matter if it's connected to general wifi, secure wifi, or hardwired to the company network.

Obviously, this can be resolved for users where we've been able to authorize the local admin to unlock the disk, but we aren't able to guarantee this for all users. Anybody have a way to use the recovery key to reset an AD password?


DTIC_Macintosh
New Contributor

Have you disabled and re-enabled user using terminal?

mm2270
Legendary Contributor III

Is this happening for any AD user? Or is this an isolated case? Is the Mac able to communicate with AD at the time that you're trying to reset the password? Have you confirmed that the AD binding hasn't become broken on the Mac? If it has, that would explain why it can't reset the AD account password.

JustDeWon
Contributor III

Piggybacking off @mm2270... I believe you would have to unbind/rebind to the domain and try it.

shibao_si
New Contributor II

Same thing happens here in our testing environment. Trying to unbind/rebind to the domain does not make any difference. We can change the AD password via Users & Groups in System Preferences.

danshaw
Contributor II

This is exactly what we have to deal with. If a user forgets their password and they are outside of our network we cannot use the FV key to reset their password. As soon as they are on the domain it works like a charm.

If the user is locked out, then we can't get them on the VPN. So the only way we can think of is to send the laptop to our office. A 30 second fix and then mail it back to them. I wish there was another way.

alexjdale
Valued Contributor III

I have to ask why anyone would think this would work? The recovery key is not a 1:1 substitute for a user's password, and although the system might allow you to change the password for a local account without knowing the current password, Active Directory wouldn't. The computer account certainly does not have those permissions.

shibao_si
New Contributor II

We are lucky that our users only use Macs in their office. I think this may work: when a user forgets his password, we give him the recovery key and reset the user's password in AD; the user uses the recovery key to unlock and the new password to log in, then resets the keychain?

danshaw
Contributor II

Just in case this helps anyone else, we found a solution for these random mobile users outside of our office who forgot their password on their encrypted Mac. It's pretty clunky, but it works and is better than sending it in for us.

  1. Boot into recovery partition
  2. Decrypt drive using recovery key
  3. Log into management account and connect to VPN
  4. Fast user switch into user account with password reset from AD
  5. Switch back to management account and log out.
  6. Log back into user account, connect to VPN, and manually fix keychain or blow it away
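
An added example (not from any poster in this thread): the workaround above only helps once you know which FileVault-enabled accounts are local and which are AD mobile accounts, since, as noted earlier in the thread, the recovery key can reset a local password but cannot change an AD password without the domain being reachable. This script takes the output of `fdesetup list` (one `shortname,UUID` line per unlock-enabled user), the `OriginalNodeName` attribute that `dscl . -read /Users/<name> OriginalNodeName` returns only for mobile accounts, and the domain line from `dsconfigad -show`, and reports which reset path applies to each user. The sample command outputs embedded in the script are constructed for illustration; the exact formatting of the `dscl` and `dsconfigad` lines and the `--live` mode that runs the real commands on a Mac are assumptions, not something the thread documents.

```shell
#!/bin/sh
# Added example: classify FileVault unlock users as local vs AD mobile,
# and say which password-reset path applies to each.
# Not code from the thread; command output formats are assumed.

# Parse `fdesetup list` output ("shortname,UUID" per line); print shortnames.
fv_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Classify one account from the output of
#   dscl . -read /Users/<name> OriginalNodeName
# A cached AD (mobile) account is assumed to print a line like
#   OriginalNodeName: /Active Directory/CORP/corp.example.com
# A purely local account has no such key, so dscl prints an error instead.
classify_user() {
  case "$1" in
    *"/Active Directory/"*) echo "ad-mobile" ;;
    *"OriginalNodeName:"*)  echo "network-mobile" ;;
    *)                      echo "local" ;;
  esac
}

# Extract the bound domain from `dsconfigad -show` output (assumed format:
# "  Active Directory Domain          = corp.example.com").
ad_domain() {
  printf '%s\n' "$1" | awk -F'=' '/Active Directory Domain/ {
    gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Which reset path applies: local accounts can be reset with the recovery key
# at the FileVault login screen; mobile accounts need the domain reachable
# (e.g. over VPN from a management account) before AD will accept the change,
# after which the user's login keychain must still be fixed or recreated.
reset_path() {
  case "$1" in
    local)     echo "recovery-key reset at FileVault login works" ;;
    ad-mobile) echo "needs domain reachable (VPN); then fix login keychain" ;;
    *)         echo "needs directory server reachable; then fix login keychain" ;;
  esac
}

# Report over constructed inputs: name<TAB>class<TAB>path, one line per user.
# $1 = fdesetup output, $2 = dsconfigad output, $3 = lookup function name
# that prints the dscl OriginalNodeName output for a given user.
report() {
  dom=$(ad_domain "$2")
  printf 'bound domain: %s\n' "${dom:-<none>}"
  fv_users "$1" | while read -r u; do
    cls=$(classify_user "$("$3" "$u")")
    printf '%s\t%s\t%s\n' "$u" "$cls" "$(reset_path "$cls")"
  done
}

# Constructed sample data standing in for the real commands.
SAMPLE_FV='admin,11111111-2222-3333-4444-555555555555
jdoe,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-01$'
sample_lookup() {
  case "$1" in
    jdoe) echo 'OriginalNodeName: /Active Directory/CORP/corp.example.com' ;;
    *)    echo 'No such key: OriginalNodeName' ;;
  esac
}
live_lookup() { dscl . -read "/Users/$1" OriginalNodeName 2>/dev/null; }

if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  report "$(fdesetup list)" "$(dsconfigad -show 2>/dev/null)" live_lookup
elif [ "${1:-}" = "--demo" ]; then
  report "$SAMPLE_FV" "$SAMPLE_DSCONFIGAD" sample_lookup
fi
```

Run with `--demo` to see the report over the constructed data, or with `--live` on a bound Mac (from the management account, with root where `fdesetup` requires it) to run the real commands. Even on the live path the script only reads; the actual reset still has to happen while the domain is reachable, exactly as the steps above describe.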

duffcalifornia
Contributor

So, I think a large issue is that our secure wifi requires a certificate to be installed to get on privileged VLANs that allow access to network resources like shared drives, etc. Because of that, the machine does not connect to the internet immediately upon startup, and may not recognize the wired connection. FWIW, AppleCare Enterprise Support confirmed this issue and is unsure of why it happens.

CypherCookie
Contributor

Hi all, I'm getting a similar issue but not quite the same.

We are seeing users using the correct password getting locked out from being able to decrypt the FileVault drive. There is a local account which is allowed to decrypt the drive, but even when the user resets their password with the recovery key, FileVault still does not allow them to unlock the drive.

I've tried numerous ways to get the password to sync up but have not had any luck.

I've followed this post which highlights a similar issue but with no luck so far.

https://www.jamf.com/jamf-nation/discussions/7054/fdesupport