joshua-d-miller/macOSLAPS

Setup on Big Sur

weighne opened this issue · 5 comments

I'm trying to get macOSLAPS running on a few macs running Big Sur (11.2.3).

Install works fine, all my default settings are applied through a script from our MDM, all the commands seem to run normally, except when I try to initiate LAPS to update the local admin password, I keep getting: "Unable to connect to local directory or change password. Exiting..."

I've tried a clean re-install setting everything up manually, but no luck there. I'm able to see the macbook in the LAPS UI, but it just has a placeholder password and the local admin password is still what was set manually.

Not sure at this point if it's just a Big Sur thing or an AD+Big Sur thing...

Any guidance is much appreciated (at this point I'd honestly be happy with a "doesn't work on Big Sur")

Experiencing exactly the same problem @weighne with Catalina "Info|Tue Apr 20, 2021 12:15:55 pm|macOSLAPS|The local admin: ****** has been detected to have a secureToken. Performing secure password change...
Error|Tue Apr 20, 2021 12:15:55 pm|macOSLAPS|Unable to connect to local directory or change password. Exiting..." Can you assist ?

If your local administrator has a secureToken which most if not all admin accounts created by an MDM do, then you will need to know the current password of that administrator user in order to perform the password change. You will need to set the FirstPass key to the password you are setting initially for the administrator account or as I like to call it a "burner" password so that the rotation can begin.

@joshua-d-miller I do have the FirstPass key set in the plist file. I double checked with a few fresh installs. I'm still getting the same errors though.

Info|Thu May 20, 2021 10:14:51 AM|macOSLAPS|Using Preferred Domain Controller [DC Name]...
Warning|Thu May 20, 2021 10:14:51 AM|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Error|Thu May 20, 2021 10:14:51 AM|macOSLAPS|Unable to test setting the current expiration time in Active Directory to the same value. Either the record is not writable or the domain controller is not writable.

@joshua-d-miller @kunlesam

Did a bit more fooling around with the plist file, I think my issue may have been related to setting the preferred DC or the "FirstPassword" key being labeled as "FirstPass"

After changing both of these, the local admin password successfully updated and the new LAPS password worked on my test machine.

@kunlesam @weighne I'm glad to hear that setting the FirstPass key and the PreferredDC key worked for you. It sounds like you have some RODC (Read-Only Domain Controllers) which kept you from being able to change the password. If this is still an issue please let me know but I'll go ahead and close this for now. Thanks for the feedback!