Posted on 04-25-2022 11:21 PM
Hi,
I have the problem that for some time now password changes for the mobile account have not been working properly. The passwords are changed via the Active Directory and the password is also synced to the devices, but it is not changed completely. Instead of one password prompts upon login there are now two. The first one which accepts the old password and the a second one which accepts the new password. It seems that the first password unlocks the hardware and the second one the account. Before it was all done by the same password. Also I should mention that if I change the network password again, it will only affect the second password (that was the new one in the first place, the old password always stays.
Anyone have any experience with this?
Thanks for the help!
Posted on 04-26-2022 02:54 AM
Hey,
Yes we have that issue here as well - how do your passwords sync back to Active Directory? Are you using a VPN connection or are the users wired into a network which talks to AD?
Posted on 04-26-2022 03:08 AM
I have no idea on how the passwords sync back to the AD, I didnt even think that was necessary. I just took over from me predecessor, who did not really explain that much. How can I find this out?
Also it is a mix of VPN and wired Users, but the issue persist over both methods.
Posted on 04-26-2022 03:12 AM
In our case, our Active Directory is on-premise and our network relies on a VPN connection to talk back to AD as everyone is working from home still. If this VPN connection breaks during the change or sync back to Active Directory we notice the two password issue.
We have a few fixes, but it would be good to find out how your connection is established first. On a Mac when you open System Preferences, Users & Groups and then click Login Options does it show a Network Account Server connected here?
Posted on 04-26-2022 03:16 AM
This should not be the case because employees are to only change their password, when they are on premise, so an interruption of the VPN connection should not be the issue.
Yes, it does show a Network Account Server connected.
Posted on 04-26-2022 03:21 AM
Okay and the passwords, are they changed on the macOS devices through System Preferences?
It would be good to establish whether the devices are talking to this server - normally we open Terminal and run a ping to the server address to see what response is given.
Posted on 04-26-2022 06:18 AM
No, the passwords are change via a web service that interacts with the AD. Our organisation is a bit bigger, so this is the only way to change the password. Changing the password via System Preferences is disabled.
04-26-2022 06:24 AM - edited 04-26-2022 06:56 AM
Hmm okay, sorry to say I might be out of ideas here.
It could still be the connection between AD and the end user, although the password change goes through maybe the connection does not stay stable enough to sync back to the device. The issue with passwords syncs is one I hate - the main reason we're looking at jamf Connect.
Sorry I couldn't help anymore!
Posted on 04-26-2022 06:52 AM
Thanks for trying anyways. I still have an Apple Support Ticket open regarding this issue. If a solution comes up there I will post it here.
Posted on 06-13-2023 02:51 AM
Hello Andixon,
We have a similar problem in our organization and I would like to ask if you found the root cause for this and/or a fix ? Anything would be appreciated. Thanks
Posted on 06-13-2023 04:03 AM
Hi,
sorry to inform you that I have not found a solution for this. I think what happens is that the FileVault password can not be changed by an external service, after it has been set. So users that change their passwords have to live with the fact that they now have to put in two passwords.
I hope to some day migrate to Kerberos Single Sign on, I hope that resolves this issue permanently.
Posted on 10-24-2023 04:42 AM
Hi, did you ever resolve this issue? I have something similar running mac via jamf and azure ad . Jamf connect seems to have resolved it but still get some rare but annoying popups for some users asking for a new pword and no matter what we do.
Posted on 10-24-2023 04:53 AM
Hi, no not really. For the moment we just live with the problems, as there doesnt seem to be a solution. We will switch to Jamf Connect in the near future, this should resolve the issue.