Local Account Payload Change Password Does not Update FileVault

New Contributor III

We were looking to create a policy that would change our Admin account's password. I created a policy and used the "Local Account" payload with the Action Taken as "Reset Account Password". So far, I only made available in Self Service.
I executed the Self Service policy as a different user. It executed without any issues and the local admin password changed but the FileVault preboot still only accepts the previous password. I assume this is an issue with the KeyChain not updating.

Is there a way to get the local password to sync with FileVault?
Honored Contributor II

Not sure if this is related, but it sounds similar to this thread: https://jamfnation.jamfsoftware.com/discussion.html?id=12741

Contributor III

@bkramps Take a look here: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3074

Bug with Mac OS 10.10. There are a couple workarounds suggested.

Valued Contributor III

Yup, this is a Yosemite bug that affects dscl (and also sysadminctl). Oddly, it doesn't seem to affect passwd. Aside from a general "No school like the old school" statement, I'm not sure why changing a password with passwd will update the FileVault 2 pre-boot login while the others don't.

Contributor III
I see this same thing happen with passwd when invoking it as root, when it doesn't prompt for your old password. It also happens when you use the GUI via System Preferences when using one user's admin rights to change the password of a different local user. Basically, any method of changing a user's password that does not require knowledge of the user's old password.

And, unlike mobile accounts, a successful login to the login screen does not update the FileVault cached password. To re-sync, you have to log in and go through the steps of changing the password - even if you set it back to what it was already set to.

New Contributor III

Thank you @davidacland and @Josh_S. The old password field in the Local Account payload would be a great feature.

I will try the suggestion of a script with old and new password.
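An added example (not from this thread or any of its posters) of the "script with old and new password" approach mentioned above: a POSIX sh wrapper that changes a local account password with `dscl . -passwd`, supplying the old password so the change goes through an old-password-aware path, and then confirms the new credential with `dscl . -authonly`. The user name, the `DSCL` override variable and the read-from-stdin convention are my assumptions; whether supplying the old password keeps the FileVault 2 preboot credential in sync is the thread's claim, not something this script verifies.

```shell
#!/bin/sh
# Added example (not from the thread): change a local account password while
# supplying the OLD password, the "script with old and new password" workaround.
#
# Usage:  printf '%s\n%s\n' "$old" "$new" | ./fv_passwd.sh <username>
# Both passwords are read from stdin so they never appear in this script's
# own argv or in shell history. Caveat: dscl itself still receives them as
# arguments, so they are briefly visible in `ps` while dscl runs.

# Overridable so the control flow can be exercised without a real dscl
# (assumption: a stand-in command with the same argument layout).
DSCL="${DSCL:-dscl}"

# change_password USER OLD NEW
#   returns 0 on success, 1 if dscl rejected the change (e.g. wrong old
#   password), 2 on a missing argument, 3 if the new password does not
#   authenticate afterwards.
change_password() {
    user="$1"; old="$2"; new="$3"
    [ -n "$user" ] && [ -n "$old" ] && [ -n "$new" ] || return 2
    # dscl checks OLD before setting NEW, i.e. this requires knowledge of the
    # current password, unlike a root-driven reset.
    "$DSCL" . -passwd "/Users/$user" "$old" "$new" >/dev/null 2>&1 || return 1
    # Confirm the new credential is accepted by the local directory node.
    "$DSCL" . -authonly "$user" "$new" >/dev/null 2>&1 || return 3
    return 0
}

main() {
    user="$1"
    [ -n "$user" ] || { echo "usage: $0 <username>  (old and new password on stdin)" >&2; return 2; }
    IFS= read -r old
    IFS= read -r new
    change_password "$user" "$old" "$new"
    rc=$?
    case $rc in
      0) echo "password for $user changed and verified" ;;
      1) echo "dscl -passwd failed (wrong old password?)" >&2 ;;
      3) echo "new password did not authenticate" >&2 ;;
      *) echo "missing argument" >&2 ;;
    esac
    return $rc
}

# Run main only when executed as the script itself, not when sourced.
case "$0" in
  *fv_passwd.sh) main "$@" ;;
esac
```

After running it, a real check of the preboot login is still manual: reboot and confirm the FileVault screen accepts the new password, since `dscl -authonly` only proves the directory record changed, not the FileVault cached credential.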

Valued Contributor

"And, unlike mobile accounts, a successful login to the login screen does not update the FileVault cached password."

That seems like the key bug/missing feature here.

If local accounts were treated like mobile accounts in this regard it would be a marked improvement.

I've seen variations of this same issue all the way back to Lion -- this isn't really new with Yosemite.