Login Keychain issues when changing Administrator password

jonathanla
New Contributor III

Hello,

I created a policy to reset the Administrator password for all Macs (right now it's limited to just my test Mac). It works, however when I try to log on to any account on the system (not just the administrator) for the first time after the change I get a message that the system was unable to unlock your login keychain with 3 choices

Continue log in
Create new keychain
Update keychain password

Any idea what's happening here?


7 REPLIES

mm2270
Legendary Contributor III

Totally normal behavior. The login.keychain uses the password for the account as its master password (meaning to unlock the entire login keychain), but if you use a policy to change the password for that account, it's doing it from the command line and there's no way for the login.keychain to get updated at the same time in this fashion. So when you later log in with password "12345" the Mac sees that the password for your login.keychain was previously "abcde" and can't unlock it, since they no longer match.

That dialog, incidentally, will go down in the annals of computing as one of the most confusingly worded dialogs Apple has ever created. You need to click the "Update keychain password" button, but on the next screen you need to enter the old password, not your current/new one. So many people get confused by this and enter their current password and it just shakes at them with no indication of what they are doing wrong.

As an aside, obligatory mention to look into tools like ADPassMon and such to help make the process of updating that password a little easier to do the next time around.

EDIT: Ok, in re-reading your post, I see you mentioned that you get this on any login after the change, not just the administrator one you changed. Are you certain about that? Because if so, something is wrong, since a policy resetting the password on one account should never affect other accounts. I would go back and take a closer look at the policy doing the resetting to make sure there isn't something set up wrong.
Also, what version of the JSS are you using for this? I'm hoping it's not some previously unknown defect.

jonathanla
New Contributor III

OK, I can understand that for logging on to the Administrator account the first time after, but why is this also happening on other domain accounts too?

Also, I did choose that option and also had to use the previous password, and I agree with you that this is a very confusing dialog.

mm2270
Legendary Contributor III

Yeah, sorry I missed that you are seeing this on other account logins (updated my post above), which isn't making any sense to me. That really should not be happening. Can you elaborate on how you set up the password reset policy, and what JSS version you're using for this?

jonathanla
New Contributor III

JSS 9.82

Trigger: startup, login, logout, network state change, enrollment complete, recurring check-in
Execution freq: once per computer
Target drive: /
Local Account: administrator. Action: reset password. Username: administrator

mm2270
Legendary Contributor III

I don't have an answer for why that setup would be affecting any other accounts other than the administrator one you're targeting in the policy. You may want to open a case with JAMF to see if they have any clues.

Look
Valued Contributor III

An easy solution is to have a script remove the administrator's ~/Library/Keychains folder; it will just get recreated on the first login after the change anyway.
There is also a bug in some applications where they create a blank file in place of the Keychains folder, which will generate errors on every login; the fix for this is to remove the file and replace it with an empty Keychains folder.

Both of the above will of course result in the loss of any saved passwords for the affected account.
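A shell implementation of the two cleanups described in the reply above, added here as an example rather than Look's own script. It assumes the standard ~/Library/Keychains location, takes the target home directory as an argument, and recreates an empty Keychains folder in both cases (the stale-keychain case and the blank-file case) so the next login can populate it; the optional owner argument is an assumption for when the script runs as root.

```shell
#!/bin/sh
# Reset a user's login keychain folder after a scripted password reset
# (added example; the path layout and optional owner are assumptions).
# Usage: reset_keychains_dir <home_dir> [owner]
# Prints which case was handled: removed-dir, removed-file or absent.
reset_keychains_dir() {
  home="$1"
  owner="${2:-}"
  # Refuse to operate on an empty path so rm -rf can never hit "/Library".
  [ -n "$home" ] && [ -d "$home" ] || return 1
  kc="$home/Library/Keychains"

  if [ -d "$kc" ]; then
    # Normal case: the existing keychain is still locked with the old
    # password, so drop the folder (saved passwords are lost, as noted).
    rm -rf "$kc"
    status="removed-dir"
  elif [ -e "$kc" ]; then
    # Bug case from the thread: an application left a plain file where the
    # Keychains folder should be, which produces errors on every login.
    rm -f "$kc"
    status="removed-file"
  else
    status="absent"
  fi

  # Recreate an empty, user-private Keychains folder for the next login.
  mkdir -p "$kc"
  chmod 700 "$kc"
  if [ -n "$owner" ]; then
    chown "$owner" "$kc"
  fi
  echo "$status"
}
```

Run it as root against the affected account's home (for example `reset_keychains_dir /Users/administrator administrator`) before that account's first login following the password change.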

jonathanla
New Contributor III

I've figured out how to fix the problem. In the Scope setting, I added a limitation for user account and added administrator.