After a password change on 10.12 or 10.13 Macs that are FV2 enabled, the user's FV2 password gets out of sync with their Keychain password. On restart, the user can only log into the computer using their old password. The problem exists regardless of whether or not the machine is bound or using Enterprise Connect.

The fix is to delete and re-add the account without actually removing any data.
- Delete the user's existing account (loss of user data can occur if these steps are not followed exactly):
  - Open System Preferences > Users & Groups
  - Unlock the preferences by clicking on the lock icon and entering the local admin password when prompted
  - Highlight the existing user's account and click on the minus button below "Login Options"
  - Make sure you choose the option "Don't change the home folder"
  - Once you have confirmed, click the Delete User button
Rename user folder and apply permissions
- Go to /Users and find the home directory of the user you deleted. It will have (Deleted) after the folder name.
- Rename the folder to first.last (use the IPG AD account name)
- Open Terminal
- Type the following command to change ownership of the user's home directory:
  sudo chown -R first.last:staff /Users/first.last
- Example: sudo chown -R tom.jones:staff /Users/tom.jones
- Wait until you receive the prompt again. If you see some errors, it is okay.
- Restart and log in as the local admin
- Open Terminal and type: sudo fdesetup add -usertoadd [user name]
- Enter the user's password when prompted
- Restart
- Log in as the user
- You should be prompted to create a new Secure Token: make sure you do this! If you don't, FV2 will fail on the user's account.
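The rename, ownership and re-enable steps above, written up as a script. This is an added example, not part of the original post: it assumes the account name is in first.last form, that USERS_DIR (default /Users) can be pointed at a scratch directory to rehearse the steps, and that the macOS-only fdesetup and sysadminctl commands are printed rather than run unless APPLY=1 is set. It refuses to overwrite an existing home folder and checks the final owner of the top-level directory, since the original steps say a few chown errors on individual files are expected.

```shell
#!/bin/sh
# Added example (not from the original post): rename the "(Deleted)" home,
# fix its ownership, then re-enable the user for FileVault 2.
# Assumptions: account names look like first.last; USERS_DIR may be overridden
# for a dry run; fdesetup/sysadminctl exist only on macOS (APPLY=1 to run them).

USERS_DIR="${USERS_DIR:-/Users}"

# Accept only first.last style names so a stray argument cannot become a chown target.
validate_account() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]*\.[a-z][a-z0-9-]*$'
}

# Deleting the account leaves "/Users/<name> (Deleted)" behind; return that path.
deleted_home() {
    printf '%s/%s (Deleted)' "$USERS_DIR" "$1"
}

# Rename the leftover folder back to the account name; never overwrite an existing home.
rename_deleted_home() {
    user="$1"
    src="$(deleted_home "$user")"
    dst="$USERS_DIR/$user"
    [ -d "$src" ] || { echo "no deleted home at: $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "refusing to overwrite: $dst" >&2; return 1; }
    mv "$src" "$dst"
}

# Owner of the home folder; ls -ld output has the same layout on macOS and Linux.
home_owner() {
    ls -ld "$USERS_DIR/$1" | awk '{print $3}'
}

# Recursive chown. Errors on a few special files are normal (as the steps say),
# so only the owner of the top-level directory is verified afterwards.
fix_ownership() {
    user="$1"
    chown -R "$user:staff" "$USERS_DIR/$user" 2>/dev/null
    [ "$(home_owner "$user")" = "$user" ]
}

# Re-add the user to FileVault and print the checks to run after the reboot.
# fdesetup prompts for the user's password; the user must still accept the
# Secure Token prompt at their next login or FV2 will not unlock for them.
reenable_filevault() {
    user="$1"
    if [ "${APPLY:-0}" = 1 ] && command -v fdesetup >/dev/null 2>&1; then
        sudo fdesetup add -usertoadd "$user"
    else
        echo "next: sudo fdesetup add -usertoadd $user"
    fi
    echo "after reboot, verify: fdesetup list   (the user should be listed)"
    echo "on 10.13 or later:    sysadminctl -secureTokenStatus $user"
}

# Whole procedure for one account; stops at the first failed step.
resync_home() {
    user="$1"
    validate_account "$user" || { echo "bad account name: $user" >&2; return 1; }
    rename_deleted_home "$user" || return 1
    fix_ownership "$user" || { echo "ownership fix failed for $user" >&2; return 1; }
    reenable_filevault "$user"
}

# Usage: sudo APPLY=1 sh fv2_resync.sh tom.jones
if [ $# -gt 0 ]; then
    resync_home "$1"
fi
```

Run it first with USERS_DIR pointed at a scratch folder containing a "tom.jones (Deleted)" directory to see the rename and the printed fdesetup line; only then run it against /Users as root with APPLY=1. The fdesetup list and sysadminctl checks after the reboot are what confirm the user actually has an FV2-enabled account with a Secure Token, which the login screen alone does not show.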
Note: I found out the hard way that the Secure Token screen vanishes after about 30 seconds. If this happens to you, you will have to associate the Secure Token manually via Terminal. For full details, see this page: