Posted on 11-25-2015 11:33 AM
I have been using the same password for my management accounts for a couple of years. The Windows desktops will soon be getting randomly assigned passwords that are accessible via Active Directory with a schema mod. What are the implications of setting the policy to generate the management password? Can I see the management password somewhere after it has been set? I'd assume this is generated on a per-client basis?
I'm also looking at using FileVault 2 full disk encryption; does this password change policy mess with that at all?
Thank you,
Ken Edgar
Posted on 11-25-2015 11:59 AM
We're going a similar route here. From my testing, I have not found any way to retrieve the randomized password from the JSS.
I did have to shore up my AD group access on the machine to ensure folks in our workstation admin group could still get in via ARD and SSH and have sudo privs (we had been using a local admin support account for this, which is now a no-no). This is annoying because I was hoping to go the Enterprise Connect route and do away with AD binds; now I'm more or less stuck with it or we lose all non-Casper Remote support access on the machines. No SSH would be devastating.
FV2 really shouldn't be affected unless you were intending to have the management account be a FV2 user... which I really wouldn't advise anyway.
Posted on 11-25-2015 12:36 PM
From my CCA training recently, I was told that the management account is only used for two things these days:
connecting and running things via Casper Remote
changing disk encryption keys via policy
So not knowing the password is irrelevant, or should be anyway.
Posted on 11-25-2015 12:42 PM
It is not meant to be known when being randomized and should not be used as a local admin account by support.
Posted on 11-25-2015 01:49 PM
Ah, thanks... I was using the management account as the actual local administration account. I need to re-think that. In that case, randomizing the management account won't hurt anything. Has anyone found a way to randomize the local admin account credentials? This probably isn't as big of a deal, but I'd like to treat the OS X hosts similar to the Windows hosts in almost all respects to management style.
Thanks everyone!
Posted on 11-29-2015 09:50 AM
Management Account != Local Admin Account
(or shouldn't be)
Posted on 11-29-2015 12:01 PM
The only catch with random passwords is if you want to re-enable management for a computer.
I've had a few cases where the checkbox specifying to manage the computer is unticked (either a bug or user error). When you re-select it you need to know the password for the management account.
Posted on 11-29-2015 12:18 PM
Wow, sounds like a bug? You'd think the last randomized password would be cached by JSS?