joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.
MIT License

Unable to use LAPS #12

Closed kadeemcallum closed 5 years ago

kadeemcallum commented 6 years ago

When running the "macoslaps" command in terminal I receive this error. Any suggestions as to how to fix or why this error is being given?

This is my first time trying to run the macosLAPS. Tried debugging but was unsuccessful and had the same results.

Warning|Wed Jan 24, 2018 11:28:17 AM|macoslaps|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Wed Jan 24, 2018 11:28:17 AM|macoslaps|Password Change is required as the LAPS password for admin has expired
Warning|Wed Jan 24, 2018 11:28:18 AM|macoslaps|There was an error setting the password for this device...
Warning|Wed Jan 24, 2018 11:28:18 AM|macoslaps|There was an error setting the new password expiration for this device...
Info|Wed Jan 24, 2018 11:28:18 AM|macoslaps|Password change has been completed for local admin admin. New expiration date is Sun Mar 25, 2018 11:28:18 AM
Debug|Wed Jan 24, 2018 11:28:18 AM|macoslaps|Keychain does not currently exist. This may be due to the fact that the user account has never been logged into and is only used for elevation...

joshua-d-miller commented 6 years ago

So what that looks like is your computer record does not have write access in Active Directory. Could you verify that the computer record can change things about itself in Active Directory?
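
A way to spot this condition across many Macs, as an added example that is not part of the original thread or of macOSLAPS itself: the script parses the `Level|timestamp|process|message` records quoted above and flags runs where the log reports a directory write error and then a completed password change. The function names and the sample input are hypothetical; the message prefixes are copied from the log output in this thread.

```python
import re

# Record header as quoted in this thread: Level|timestamp|process|message.
# Assumption: only the three levels seen in the thread are matched.
HEADER = re.compile(r"\b(Warning|Info|Debug)\|([^|]+)\|([^|]+)\|")

# Message prefixes copied from the log output in this thread.
AD_WRITE_FAILED = (
    "There was an error setting the password for this device",
    "There was an error setting the new password expiration for this device",
)
CHANGE_DONE = "Password change has been completed"

# Constructed sample: two records run together on one line, one on its own line.
SAMPLE = (
    "Warning|Mon Jan 01, 2018 09:00:01 AM|macoslaps|There was an error setting "
    "the password for this device... "
    "Warning|Mon Jan 01, 2018 09:00:01 AM|macoslaps|There was an error setting "
    "the new password expiration for this device...\n"
    "Info|Mon Jan 01, 2018 09:00:02 AM|macoslaps|Password change has been "
    "completed for local admin admin."
)


def parse_records(text):
    """Split raw log text into (level, timestamp, process, message) tuples,
    whether records are one per line or run together on a single line."""
    heads = list(HEADER.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [(h.group(1), h.group(2), h.group(3), text[h.end():end].strip())
            for h, end in zip(heads, ends)]


def find_unescrowed_changes(text):
    """Return timestamps of completed password changes that were preceded,
    in the same run, by a directory write error."""
    findings, failed = [], False
    for _level, ts, _proc, msg in parse_records(text):
        if msg.startswith(AD_WRITE_FAILED):
            failed = True
        elif msg.startswith(CHANGE_DONE):
            if failed:
                findings.append(ts)
            failed = False  # a completed change ends the run
    return findings


if __name__ == "__main__":
    for ts in find_unescrowed_changes(SAMPLE):
        print("Directory write failed before the change completed at", ts)
```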

joshua-d-miller commented 6 years ago

@kadeemcallum were you able to write the password to Active Directory after changing the computer attribute so it can write to itself in AD?

paulgab commented 6 years ago

Hi, I am experiencing the same issue as kadeemcallum.

Warning|Thu Feb 15, 2018 09:06:35 am|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Thu Feb 15, 2018 09:06:35 am|macOSLAPS|Password Change is required as the LAPS password for admin has expired

The Mac is running macOS 10.13.3 and is bound to a 2012 R2 Windows Domain. The Mac computer object is within the same OU as Windows 10 computers which have LAPS working, so the SELF permission is set correctly to write to the ms-Mcs-AdmPwd value.

I have macOSLAPS version 1.0.3 installed and attached is my .plist file. edu.psu.macoslaps.txt

Any ideas?

Thanks.

joshua-d-miller commented 6 years ago

@paulgab is your admin account actually called admin?

paulgab commented 6 years ago

No, the admin account is named differently. I didn’t want to reveal what we actually use.

On 9 Mar 2018, at 11:36 pm, Joshua D. Miller notifications@github.com wrote:

@paulgab is your admin account actually called admin?

kadeemcallum commented 6 years ago

Thanks, the machine was changed added to AD and it was fixed

paulgab commented 6 years ago

@kadeemcallum did you just unbind and re-bind the same computer and then it started to work?