FileVault with AD mobile account issues

Question

FileVault with AD mobile account issues

So i have a hand full of Mac users. All Macs are set up for AD authentication. All Macs have FileVault enabled. Upon a restart/reboot, there are two log in prompts - the first one for FileVault, and the second one for system. When all is working well (right), the user can use their AD credentials for both, even after multiple AD password changes i think i am going on a year now, of changing passwords every month with no issues. BUT i have some users who are not as diligent as myself changing their AD passwords, and let them expire. When i get that all sorted out, they are no longer able to use their AD passwords with the first (fileVault) log in. There is a mixture of MacBook Pro and Pro Max, M2 and M3. All are running Sonoma, with patching up to date (but this still occurred under Ventura)

Is there way to fix this, and get both synced again? And as a side question, is there a way of breaking the link between them to test this?

MacBook Pro (M3, 2023)

Posted on Mar 11, 2024 6:53 AM

Reply

Answer 1

Mar 12, 2024 9:13 AM in response to MikeAtTheBank

I don't know how Filevault works with AD or even the newer 2018+ Macs, but with the older Macs where Filevault actually encrypted the drives, there was technically two passwords....one for Filevault and one for the macOS user account. macOS normally ties them together, but they can become broken at times requiring the user to log into macOS using two passwords. In those cases when I'm guessing a password was changed for the admin user account, it somehow broke the tie in between the user account & macOS. In those cases, I found that resetting the macOS user account password with the Privacy & Security System Preferences would reset the link between them (resetting the password using the reset feature under Users & Groups only affected the user account so Filevault was still separate & unlinked). It left the other macOS user accounts & links as is.

You may want to explore the Filevault command line utility "fdesetup" to see if it will allow you to relink the user account password with the Filevault password.

Reply