If you use Active Directory Mobile Accounts with FileVault, password sync problems will be very familiar to you. I have good news, MacOS Mojave 10.14.4-10.14.6 can now sync AD Mobile Account password changes to FileVault when you don’t know the AD password. Apple added this new feature to macOS 10.14.4 for Mobile Accounts. In previous releases, you needed the old password to sync the password down to FileVault. Local Accounts has had this ability for years. Rich Trouton put together a great article on Resetting and Syncing FV2 Local account passwords. He mentions the methods are only for Local Accounts, NOT Mobile Accounts.
You forgot your AD password on 10.13.0-10.14.3
Users who fall into this situation are in a pinch and options to get the system to sync the new password to FileVault are limited. You could boot the system up using the PRK (Personal Recovery Key) and then have the Help Desk reset the AD password. This would get you into the system but your FV2 password would never sync. You will be forced to continue to unlock the Mac with the PRK (Personal Recovery Key), then login with the new AD password.
The only way to fix this was to have a SecureToken Admin on the system.
Do you have an admin support account that is FileVault/SecureToken enabled? Listed below are two methods to fix out of sync passwords.
1. fdesetup remove / re-add user
sudo fdesetup remove user userwhoforgotpass.
Then re-add the user by running
sudo fdesetup add user localadminuser -usertoadd userwhoforgotpass
What this would do is remove the user from the enabled FileVault user list, then add them back. The sync would happen when you are prompted for the new password when re-enabling the account for FileVault unlock.
2. Sysadminctl -secureTokenOff/On
You can also use sysadminctl. Start by turning off SecureToken and then turn it back on.
sysadminctl -secureTokenOff userwhoforgotpass -password – -adminUser localadmin -adminPassword –
Now turn SecureToken back on.
sysadminctl -secureTokenOn userwhoforgotpass -password – -adminUser localadmin -adminPassword –
The process of turning off SecureToken and then turning it back on will sync the password. Also note that you don’t have to run sysadminctl with sudo.
Problem is, some companies don’t want a FileVault enabled admin account on the system.
NOTE: diskutil apfs updatePreboot / – Does NOT sync the password!
Running diskutil apfs updatePreboot / does NOT sync the password from the OS to FileVault. If this worked in the past, it was only a coincidence. If you changed your AD password outside the Mac, password syncing to FileVault would sometimes take 2-3 restarts. This command is only really needed when you wanted to add a new FileVault user to the system. Running this command would then add the new user to the FileVault pre-boot window. You only had to run this command in 10.13. This was actually a bug and was fixed in 10.14. The new account will now automatically show up at the FV2 pre-boot window after creation.
Enter the 10.14.4 update.
I can’t file this under my previous article 3 undocumented macOS Mojave 10.14.4 Enterprise fixes. This fix was actually documented in the Enterprise Content article for 10.14.4. The problem is the wording is a little confusing, but does kind of make sense.
Reading the third line, it does seem to match our situation. If you forgot your AD password, you would have to continually unlock the Mac with the PRK. You would be forced to do this each time you turned on your Mac or restarted. Notice the wording, it does not say “Fixes”.
How to reset your AD mobile account password and have it sync to FileVault, when you don’t know the previous password.
You need to meet all of the following pre requisites.
- macOS Mojave 10.14.4 or newer.
- Active connection to Active Directory.
- Access to the PRK (Personal Recovery Key)
- You have the ability to change your password outside the Mac (2nd Mac, Windows PC, or Web Portal). Or the Help Desk can reset and issue you a temporary password which you can then use to set a new password at the loginwindow.
- FileVault Automatic Login enabled
Step 1. Boot Mac with the Personal Recovery Key.
Since you don’t know the previous password you can’t even get past the FileVault Unlock Screen. You will need access to the PRK. Click the user who needs their password reset. In the password line, you will now see a ? button. Click on it, you can now type in the Personal Recovery Key. Try this neat trick to get the Macs serial number. Click the ? a second time.
After booting the system with the Personal Recovery Key the process will stop at the login window. On 10.13.0-10.14.3 systems you are prompted to reset the password at the login window.
This feature is for Local Accounts Only. To change your AD Mobile Account password from the Mac you must give Active Directory the OLD password. You can only do this with System Preferences > Users & Groups > “Change Password” or dscl. As you can see above the interface does not have a box for Old Password.
10.14.4 will now show a new pop up for Mobile Accounts after booting with the PRK.
The Mac now realizes that you are trying to reset a Mobile Account Password. You will no longer see the Reset Password pop up. This is because AD requires that you enter in the OLD password. Since you don’t know it, you will not be able to reset your password. This is why macOS will not show you the password reset window anymore for mobile accounts. If you use the PRK from a Local Account you will get password reset window with password fields like you would normally expect.
Step 2. Reset the AD Password.
As noted above you for this to work you can reset your AD password one of two ways.
- Call the Help Desk and have them reset the password and then issue you a temporary password.
- Reset the password on a 2nd Mac, Windows PC, Web Portal etc.
Either way will work for the password change system to work.
If you called the Help Desk and had them reset your AD Password they can now give you a temporary password. Your account will be flagged “Password must be changed on next login“. Enter in your username and then type in the temporary password. Hit enter and you will now get a new pop up window.
Enter in your new password. Click Reset Password when ready. You will be greeted with the login keychain message. You will receive this message anytime you change the password outside the Mac. Click “Create New Keychain” and the Mac will continue to login.
Step 3. Restart to complete the FileVault sync.
You will need to restart at least one more time to complete the sync process.
On this next restart you will need to enter in the PRK ONE MORE TIME.
NOTE: I am still trying to figure out if having to use the PRK twice is a bug or not. I think it is because you don’t have to do this extra step with local accounts.
After you perform one last PRK boot, enter in the username and new password and you will be at the desktop once again. The process is now complete, you can restart to confirm. Use your new AD password to unlock the volume and the system will now auto boot you to the desktop.
Conclusion
This is my 3rd article on password fixes/improvements/problems in 10.14.4
macOS Mojave 10.14.4 update fixes AD Mobile Account/FileVault password change sync issue.
10.14.4 Update breaks local account password reset when using FileVault Recovery Key
MacAdmins who use Active Directory Mobile Accounts want a working password change system that functions seamlessly with FileVault. Now that we have a working native AD Plugin, will this stop the mass exodus to Local Accounts? Only time will tell.
