macOSLAPS
Unable to change password for local administrator <USER> using FirstPassword Key
Going from 1.1.6.274 to the latest version. I want to switch from AD to Local. I updated my configuration profile to set Method = Local, installed the latest version, then ran sudo /usr/local/laps/macOSLAPS -resetPassword. But I got the error shown in the subject line and don't get any file written to /var/root/Library/Application\ Support/macOSLAPS-password. Is there something I need to do to transition from AD to Local? A FirstPassword key was set in the configuration profile, but I removed it to see if that helped (it didn't).
So once the password is reset you actually need to run sudo /usr/local/laps/macOSLAPS -getPassword to write the file with the password that jamf can pickup. The -resetPassword tag will only perform a password reset.
Hi @joshua-d-miller, I just tried that but get the output below. The password file still doesn't get written locally, but it does get written to AD:
% sudo /usr/local/laps/macOSLAPS -resetPassword
Info|Tue Nov 23, 2021 11:37:59 AM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Info|Tue Nov 23, 2021 11:38:00 AM|macOSLAPS|Password Change is required as the LAPS password for emr, has expired
Info|Tue Nov 23, 2021 11:38:00 AM|macOSLAPS|The local admin: emr has been detected to have a secureToken. Performing secure password change...
Info|Tue Nov 23, 2021 11:38:02 AM|macOSLAPS|Password change has been completed for the local admin emr. New expiration date is Thu Dec 23, 2021 11:38:00 AM
Info|Tue Nov 23, 2021 11:38:02 AM|macOSLAPS|Keychain does not currently exist. This may be due to the fact that the user account has never been logged into and is only used for elevation...
% sudo /usr/local/laps/macOSLAPS -getPassword
Info|Tue Nov 23, 2021 11:38:20 AM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Info|Tue Nov 23, 2021 11:38:20 AM|macOSLAPS|Password change is not required as the password for emr does not expire until Thu Dec 23, 2021 11:38:00 AM
The profile pointing to Local is set in Jamf, scoped to my system, and I see it show up in System Preferences > Profiles. So not sure why it's still writing to AD.
Hi @jeolsen,
You might want to verify on your system that there isn't a /Library/Preferences/edu.psu.macoslaps.plist file that might be taking precedence. It should be:
<key>Method</key>
<string>Local</string>
Let me know what you find out.
Hi @joshua-d-miller. I do have 2:
/Library/Managed Preferences/edu.psu.macoslaps.plist
/Library/Managed Preferences/MYID/edu.psu.macoslaps.plist
Those are there due to the Jamf Configuration Profile. Looking at the settings in each, both are set to Method=Local
Hello @jeolsen,
You also might want to make sure your Local is a String value, as if the value cannot be read then the default will be used, which is AD.
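As an added example (not code from macOSLAPS or from anyone in this thread), the following Python script applies the two checks the maintainer suggests above: look at every edu.psu.macoslaps preference file that is present, and confirm that Method is actually a plist string, since anything else falls back to the default of AD. The file paths are the ones named in this thread; the plist contents are constructed for illustration, including a hypothetical stray /Library/Preferences file whose Method is an array rather than a string. Run it with python3 on the Mac in question and swap in audit_disk() to read the real files.

```python
"""Audit edu.psu.macoslaps preference files for a usable Method key.

Added example, not part of macOSLAPS. The plist samples below are constructed.
"""
import plistlib
from pathlib import Path
from typing import Dict

# Preference files named in the thread. "<USERID>" is the thread's placeholder.
CANDIDATE_PATHS = [
    "/Library/Managed Preferences/edu.psu.macoslaps.plist",
    "/Library/Managed Preferences/<USERID>/edu.psu.macoslaps.plist",
    "/Library/Preferences/edu.psu.macoslaps.plist",
]

# Per the maintainer's reply: if Method cannot be read, the default is AD.
DEFAULT_METHOD = "AD"
KNOWN_METHODS = {"AD", "Local"}


def read_method(plist_bytes: bytes) -> dict:
    """Parse one plist and report how its Method key would be interpreted."""
    data = plistlib.loads(plist_bytes)
    value = data.get("Method")
    result = {"value": value, "effective": DEFAULT_METHOD, "problem": None}
    if value is None:
        result["problem"] = "Method key missing; default AD applies"
    elif not isinstance(value, str):
        # A <true/>, <integer>, <array> etc. is not a <string>: unreadable as Method.
        result["problem"] = (
            f"Method is a plist {type(value).__name__}, not <string>; default AD applies"
        )
    elif value not in KNOWN_METHODS:
        # Not a value the thread documents; flag it rather than guess a fallback.
        result["problem"] = f"unrecognised Method value {value!r}"
    else:
        result["effective"] = value
    return result


def audit(files: Dict[str, bytes]) -> dict:
    """Check every candidate file that is present and flag disagreements."""
    per_file = {p: read_method(files[p]) for p in CANDIDATE_PATHS if p in files}
    effective = sorted({r["effective"] for r in per_file.values()})
    return {
        "files": per_file,
        "effective_values": effective,
        # Only a single agreed value leaves no room for one file overriding another.
        "consistent": len(effective) == 1,
    }


def audit_disk() -> dict:
    """Run the audit against the files actually present on this Mac."""
    present = {p: Path(p).read_bytes() for p in CANDIDATE_PATHS if Path(p).is_file()}
    return audit(present)


def make_plist(dict_body: str) -> bytes:
    """Wrap constructed <dict> contents in a complete XML plist document."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        f'<plist version="1.0"><dict>{dict_body}</dict></plist>'
    ).encode()


# Constructed sample: both managed-preference files carry Method=Local as a
# string (as in the thread), while a hypothetical stray /Library/Preferences
# file wraps the value in an array, which would silently fall back to AD.
SAMPLE_FILES = {
    CANDIDATE_PATHS[0]: make_plist("<key>Method</key><string>Local</string>"),
    CANDIDATE_PATHS[1]: make_plist("<key>Method</key><string>Local</string>"),
    CANDIDATE_PATHS[2]: make_plist("<key>Method</key><array><string>Local</string></array>"),
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES)  # use audit_disk() on a real Mac
    for path, r in report["files"].items():
        note = f"  ({r['problem']})" if r["problem"] else ""
        print(f"{path}: effective={r['effective']}{note}")
    print("consistent:", report["consistent"], "values:", report["effective_values"])
```

If the report shows two different effective values, the file that does not say Local as a string is the one to fix or remove; if every file agrees on Local and the tool still writes to AD, the preference files are not the cause and the profile payload itself should be compared against what is on disk.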
Hi @joshua-d-miller, I do currently have this as a string value:
<key>Method</key>
<string>Local</string>
@jeolsen
Sorry for the delayed response. I'm curious how you made out with this issue. The behavior you noted above in Managed Preferences is correct but I'm curious if you happen to have an edu.psu.macoslaps in /Library/Preferences as well on that system?
Thanks!
Hi @joshua-d-miller, I haven't made any progress on it since the last message. I don't have /Library/Preferences/edu.psu.macoslap(s.plist)
The only copy on my system is "/Library/Managed Preferences/edu.psu.macoslaps.plist" and "/Library/Managed Preferences/<USERID>/edu.psu.macoslaps.plist". Both are identical however.
Maybe we could troubleshoot at some point and determine the cause of why this isn't working for you. Are you on the MacAdmins Slack? We have a channel and we can definitely assist you with determining the cause. You can sign up free here: https://macadmins.org and our channel is #macoslaps. You can of course DM me as I'm @JMiller.
I believe we may have troubleshot this on the MacAdmins Slack. If you are still having issues please let me know. Closing due to inactivity.