resetpassword Authentication Server could not be contacted

k3vmo
Contributor

Catalina 10.15.7 bound to AD.
Local admin the second account which is a user with admin privileges - isn't able to log in after attempting to reset the password.

Did a force unbind the system
Booted to recovery (tested with WiFi on and off)
From Terminal - resetpassword. Using the password recovery tool I'm unable to set that second account password because it says 'authentication server could not be contacted'

A bit confused as to why it even attempts that if the bind to AD isn't there anymore. Removing & re-adding the account is a nuclear option I can't use just yet.

I see posts with this error using dsconfigad and attempting to bind but I haven't found a solution for when in recovery mode

7 REPLIES 7

joshuasee
Contributor III

Is the second account a directory service user? Cached account directory service accounts are marked as having remotely administered passwords, even if the binding is gone. As a result, local password tools, including resetpassword, won't touch them for fear of creating an inconsistency with the directory service.

k3vmo
Contributor

@joshuasee That's what I was afraid of - Is the cached directory info something you can purge?

JoshoForShort
New Contributor

We're in the same boat at the moment.
@k3vmo did you manage to get it resolved, or did you proceed with nuking the account?

user-BQxTPslGSS
New Contributor

In the network applet in sys Prefs highlight you WiFi card connection and click the Advanced button, then go to the 802.1x tab and see if anything is listed. If there is Delete it. If not the back on the network page click the Location and set a New location.

k3vmo
Contributor

It's possible it could have been as simple as his note above - however, _
I had to issue a decrypt File Vault from Jamf - I then ran Rich Trouton's script - https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_...

AFTER BACKING UP

I still couldn't change the password under the recovery partition so as the last attempt - I logged into the local admin account.
I copied the UID of the user account - I then deleted their account and selected to KEEP HOME FOLDER AS-IS

I then created a new account - and right-clicked on it to Advanced Options. I set the UID to the same as the account I removed - then pointed it to the existing home directory -- the key here is that when you create the new account - the username of the account has to be identical to the home directory name.

Rebooted and logged in with the new user (which matched the old home directory name) and new password I set and was able to get to the files.

Granted - I didn't document what security updates this had so your mileage may vary. This by no means was an official fix. I think I got lucky.

user-KKwmGBmzZi
New Contributor

Hi @k3vmo I am having the same problem and when I go to delete the user account there is no option to save the home folder, any advice on this one?

Thanks,

Matthew

k3vmo
Contributor

@user-KKwmGBmzZi What OS? Are you removing it via Users & Groups in System preferences? Options like dscl from the command line won't keep it by default unless you add other options in the command.