joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.
MIT License

Unable to connect to local directory or change password #35

Closed eximo84 closed 5 years ago

eximo84 commented 5 years ago

I am currently having an issue with resetting the local admin password using this tool. I had the app working fine and the new password was written to AD and the local account was changed fine.

I uninstalled macosLaps as I wanted to push the tool through Munki. So I manually removed the items listed on another GitHub Issue and then reinstalled macosLaps. I also cleared the keys in the AD computer object and, for good measure, I changed the admin password from the random one back to my original one.

I have reinstalled macoslaps through Munki (I have also installed again through the standard package installer to avoid Munki issues) but I can no longer change the local admin password. The admin account is a secureToken account so I am using the FirstPass string; the THISISNOTAPASSWORD is written to AD so I know that part is working, but all I get is the below output:

Info|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|Password Change is required as the LAPS password for admin, has expired
Info|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|The local admin: admin has been detected to have a secureToken. Performing secure password change...
Error|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|Unable to connect to local directory or change password. Exiting...

Any help appreciated.

Using macOS Mojave 10.14.6

joshua-d-miller commented 5 years ago

Hi @eximo84 Is the LAPS account actually set to the -FirstPass option? If so, remove the System keychain item for macOSLAPS because if that key exists it will try that before using the -FirstPass option.

As for your other machines before you deploy: you can leave the System keychain item, as it will be expired in AD I'm assuming, so it will use that System Keychain item as the old password, write the new password to AD and then to the keychain item. We need the keychain item when it comes to secureToken.

Hope this was helpful!

eximo84 commented 5 years ago

@joshua-d-miller - thanks for the reply. I am not specifying -FirstPass when I run macOSLAPS. I didn't know that was an option?

Instead I have created the edu.psu.macoslaps.plist file in /Library/Preferences and have defined the FirstPass key and password in here. Not a great solution as it's in plain text.

I will have a look at the keychain for macOSLAPS. Maybe that is why it's getting stuck; if it works after clearing that I will update you here. I am only testing this at the moment and haven't rolled anything out.

I will need to see if my other Macs are using a SecureToken admin password; I assume they are as they are all on Mojave.

joshua-d-miller commented 5 years ago

@eximo84 I was referring to the configuration profile entry. Basically, the logic in macOSLAPS is that if there isn't a keychain entry then it will look for the FirstPass key in the PLIST. If there is a keychain entry then it will try to use that as the old password. This only applies to admin accounts that have secureToken.
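
The lookup order the maintainer describes here and in the earlier reply (a System keychain item for macOSLAPS is tried first as the old password, the FirstPass key is used only when no keychain item exists, and both matter only for secureToken accounts) as a small read-only diagnostic. This is an added example, not code from macOSLAPS or from anyone in the thread. Assumptions not confirmed by the thread: the keychain item is a generic password whose service name is "macOSLAPS" in /Library/Keychains/System.keychain, the preference domain is edu.psu.macoslaps with the key FirstPass (taken from the reporter's plist file name), the sysadminctl output contains "is ENABLED", and the LAPS_ADMIN environment variable is invented for this script.

```sh
#!/bin/sh
# Added diagnostic (not part of macOSLAPS) for the secureToken "old password" lookup order:
# an existing System keychain item wins, FirstPass is only the fallback.
# Assumed, not confirmed by the thread: service name "macOSLAPS", item in the System
# keychain, preference domain edu.psu.macoslaps with key FirstPass, sysadminctl wording.

ADMIN="${LAPS_ADMIN:-admin}"                        # LAPS_ADMIN is an invented knob
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
PREF_DOMAIN="/Library/Preferences/edu.psu.macoslaps"
KEYCHAIN_SERVICE="macOSLAPS"                        # assumed service name

# Pure decision helper mirroring the maintainer's description.
# $1: "yes" if a System keychain item exists, $2: "yes" if FirstPass is configured.
# Prints keychain|firstpass|none; returns 1 when neither source is available.
laps_old_password_source() {
    if [ "$1" = yes ]; then
        echo keychain
    elif [ "$2" = yes ]; then
        echo firstpass
    else
        echo none
        return 1
    fi
}

# macOS probes (meaningful only on Darwin); each prints yes or no and changes nothing.
keychain_item_present() {
    if security find-generic-password -s "$KEYCHAIN_SERVICE" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

firstpass_configured() {
    if defaults read "$PREF_DOMAIN" FirstPass >/dev/null 2>&1; then echo yes; else echo no; fi
}

securetoken_enabled() {
    # sysadminctl reports on stderr, assumed to read like "Secure token is ENABLED for user admin"
    if sysadminctl -secureTokenStatus "$ADMIN" 2>&1 | grep -q "is ENABLED"; then echo yes; else echo no; fi
}

laps_diagnose() {
    kc=$(keychain_item_present)
    fp=$(firstpass_configured)
    st=$(securetoken_enabled)
    src=$(laps_old_password_source "$kc" "$fp" || true)
    echo "admin=$ADMIN secureToken=$st keychain_item=$kc FirstPass=$fp -> old password source: $src"
    if [ "$st" = yes ] && [ "$kc" = yes ] && [ "$fp" = yes ]; then
        echo "A keychain item exists, so FirstPass will not be used. If the stored password is stale"
        echo "(for example the admin password was reset by hand), remove the item and rerun macOSLAPS:"
        echo "  sudo security delete-generic-password -s $KEYCHAIN_SERVICE $SYSTEM_KEYCHAIN"
    elif [ "$st" = yes ] && [ "$src" = none ]; then
        echo "secureToken account with neither a keychain item nor FirstPass: the secure change has no old password to use."
    fi
}

# Run the probes only on macOS; elsewhere the decision helper is still usable on its own.
if [ "$(uname)" = Darwin ]; then
    laps_diagnose
fi
```

Run it as root on the affected Mac before and after removing the keychain item; the printed source line tells you which password macOSLAPS will try first, which is the distinction the reporter was missing when the FirstPass plist value was already correct.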

eximo84 commented 5 years ago

@joshua-d-miller I found a Keychain item for macOSLAPS under login. I have deleted that and tried to run the application again, but I'm still getting the same problem. My FirstPass key is the same as my current admin password.

eximo84 commented 5 years ago

Ok, so the good old reboot seems to have fixed it. Went through fine once I had restarted. I will do more testing but I think we can close this. Thanks for the info.