Skip to main content

We are a mix of Windows and MAC devices. The MACS are Domain joined. User logs in the first time connected to our wired ethernet in the office to create their account using their Active Directory information. Over time the user has a local password for the MAC login screen (the very first password they made) and an AD password which is different and needs to be changed every 120 days.


 


Scenario: User is on the log in screen trying to get in to their local account with invalid or forgotten password


 


Attempt: Using the recovery code the user gets to the screen where they reset their password however it always gives an authentication error in the end to complete the change. Seems like even though this is to reset the local account password it needs to be in communication with the domain server. User can reset password if they go back into the office and hook up to a wired connection.


 


Attempt2: Creating a policy to reset the local user account. Fails to send push to computer while computer is on login screen and on wired ethernet at home.


 


Any suggestions?


 


 

Not to sound like an unhelpful jerk, but the suggestion is to stop domain binding. The keychain breaking on domain bound devices is very common, and the FV recovery key workflow was not designed with mobile accounts in mind so it's flaky. Last I used this was years ago and the FV Recovery key reset process was able to reset the PW without issues, but permanently desynced the users account.


 


Using a policy to reset passwords won't work on Apple Silicon due to the users having Secure Tokens.


 


Look in to tools like Jamf Connect, Xcreds, or PSSO. Apple also makes a Kerberos SSO extension that can sync user passwords with AD on non-domain bound devices.

Following steps can really help make the password recovery process easier and less stressful for everyone!


Enable FileVault for recovery keys, allow Apple ID for password resets, create a local admin account for recovery, use a remote management tool like Jamf for remote support, set up a VPN for home access, check DNS settings for domain communication, and provide user training on password management.

If you're going to domain join your Mac's, my suggestion would be to use local accounts and something like the Kerberos SSO extension to sync your passwords. This has resolved 90% of the support tickets our Help Desk was getting for password related issues. My security team didnt listen to my arguments that we should stop binding our Mac's to the domain, but they at least allowed me to start using local accounts instead of domain/mobile. See if thats something you can do; there are ways to convert your current mobile accounts to local without losing any of their data.

Not to sound like an unhelpful jerk, but the suggestion is to stop domain binding. The keychain breaking on domain bound devices is very common, and the FV recovery key workflow was not designed with mobile accounts in mind so it's flaky. Last I used this was years ago and the FV Recovery key reset process was able to reset the PW without issues, but permanently desynced the users account.


 


Using a policy to reset passwords won't work on Apple Silicon due to the users having Secure Tokens.


 


Look in to tools like Jamf Connect, Xcreds, or PSSO. Apple also makes a Kerberos SSO extension that can sync user passwords with AD on non-domain bound devices.


Not unhelpful at all its just facts. Thank you that makes sense

If you're going to domain join your Mac's, my suggestion would be to use local accounts and something like the Kerberos SSO extension to sync your passwords. This has resolved 90% of the support tickets our Help Desk was getting for password related issues. My security team didnt listen to my arguments that we should stop binding our Mac's to the domain, but they at least allowed me to start using local accounts instead of domain/mobile. See if thats something you can do; there are ways to convert your current mobile accounts to local without losing any of their data.


Okay interesting. Yeah I am in the same boat so it sounds like I should look into the local account and kerberos SSO. Thank you

Reply


Terms & ConditionsCookie settings