
joshua-d-miller / macoslaps


Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.

License: MIT License

Swift 86.63% Shell 13.37%
macos swift active-directory laps-password laps

Contributors: apizz, bartreardon, joshua-d-miller, magervalp, neilmartin83

macoslaps's Issues

fatal error: 'try!'

Hi,

I'm having trouble with the swift version of macOSLAPS (python version works a treat).
I Installed the latest version of macOSLAPS and added plist config file to /Library/Preferences/edu.psu.macoslaps.plist
I keep getting this error in terminal as soon as I run "sudo /usr/local/laps/macOSLAPS"

fatal error: 'try!' expression unexpectedly raised an error: Foundation._GenericObjCError.nilError: file /Library/Caches/com.apple.xbs/Sources/swiftlang/swiftlang-802.0.53/src/swift/stdlib/public/core/ErrorType.swift, line 182 Current stack trace: 0 macOSLAPS 0x000000010ebe3990 swift_reportError + 129 1 macOSLAPS 0x000000010ec002a0 _swift_stdlib_reportFatalErrorInFile + 100 2 macOSLAPS 0x000000010e9603c0 (_assertionFailure(StaticString, String, file : StaticString, line : UInt, flags : UInt32) -> Never).(closure #1).(closure #1).(closure #1) + 124 3 macOSLAPS 0x000000010eba55d0 partial apply for (_assertionFailure(StaticString, String, file : StaticString, line : UInt, flags : UInt32) -> Never).(closure #1).(closure #1).(closure #1) + 93 4 macOSLAPS 0x000000010e95f0b0 specialized specialized StaticString.withUTF8Buffer<A> ((UnsafeBufferPointer<UInt8>) -> A) -> A + 342 5 macOSLAPS 0x000000010eba7710 partial apply for (_assertionFailure(StaticString, String, file : StaticString, line : UInt, flags : UInt32) -> Never).(closure #1).(closure #1) + 144 6 macOSLAPS 0x000000010e95fce0 specialized specialized String._withUnsafeBufferPointerToUTF8<A> ((UnsafeBufferPointer<UInt8>) throws -> A) throws -> A + 127 7 macOSLAPS 0x000000010eb69600 partial apply for (_assertionFailure(StaticString, String, file : StaticString, line : UInt, flags : UInt32) -> Never).(closure #1) + 185 8 macOSLAPS 0x000000010e95f0b0 specialized specialized StaticString.withUTF8Buffer<A> ((UnsafeBufferPointer<UInt8>) -> A) -> A + 342 9 macOSLAPS 0x000000010eb22b50 specialized _assertionFailure(StaticString, String, file : StaticString, line : UInt, flags : UInt32) -> Never + 144 10 macOSLAPS 0x000000010e9ade20 swift_unexpectedError_merged + 289 11 macOSLAPS 0x000000010e89d550 ad_tools(computer_record : [ODRecord], tool : String, password : String?, new_ad_exp_date : String?) -> String? + 3082 12 macOSLAPS 0x000000010e8999f0 macOSLAPS() -> () + 655 13 macOSLAPS 0x000000010e8999c0 main + 32 14 libdyld.dylib 0x00007fffbc9a6234 start + 1
Also there is no /Library/Logs/macOSLAPS.log file generated, I do find an error log in /Library/Logs/DiagnosticReports/ though, see attachment.

macOSLAPS_2017-08-22-115659_UW-C02FQ0NLDHJR.crash.zip

I've tried it on 10.11 and 10.12 and even did a fresh rebuild of 10.12 just to be sure I wasn't working on a damaged system. I've attached the config .plist as well incase that helps. Your assistance would be greatly appreciated.
edu.psu.macoslaps.plist.zip

Kind Regards
Craig

Error "Could not cast value..."

I've tried running macOSLAPS, the packaged version of the latest release, on a couple of test machines, both of which are bare installs of Sierra with all updates applied. Both are joined to AD, and /Library/Preferences/edu.psu.macoslaps.plist contains:

{
DaysTillExpiration = 1;
LocalAdminAccount = xxxxx;
}

When I try running /usr/local/laps/macOSLAPS, I get the following error:

Info|Mon Aug 14, 2017 02:57:15 PM|macOSLAPS|Password Change is required as the LAPS password for xxxxx has expired
Could not cast value of type 'NSTaggedPointerString' (0x7fff91b457e0) to 'NSNumber' (0x7fff91f00d80).
Abort trap: 6

The first line is repeated in /Library/Logs/macOSLAPS.log:

Info|Mon Aug 14, 2017 02:57:15 PM|macOSLAPS|Password Change is required as the LAPS password for xxxxx has expired

Any idea what could be causing this?

Does this work without being AD bound?

Will admit I haven't tried this, but looking at a LAPS option for our Macs. Given it sounds like the admin password is stored in the System keychain (so SecureToken works), I'm curious if this will work without the machine being bound to AD.

Apple's stated advice at this point is to NOT bind to AD in most cases, and we've found this solid advice (to prevent split brain situations). We intend to use NoMAD, but it sounds like that won't allow macOSLAPS to write to the computer record (since one won't exist). We'd then want to pull the LAPS password into a jamf EA (though I'll admit, not sure how you read the system keychain without a local admin password, and unsure how you'd read the new LAPS password if all you have in Jamf is the old one.

Thanks!

Uninstall

What is the process for uninstallation of macOSLAPS?

Few problems

  1. After I run macoslaps, it deletes the plist.
  2. It seems to be not reading the plist.
  3. It is stating "unable to connect to local directory", and the admin name is wrong even though I changed it in the plist.

Not sure what I am doing wrong.

Thank you.

Connecting to local directory issue

Hello

First things first I would like to thank you for this tool.
I have encountered issue.
I am trying to run it with Xcode with sudo privileges.
Settings in ConfigSettings.swift seems to be ok (at least same as AD Policies).
HDD is encrypted with FileVault.
macOS: 10.14.4
Admin account is created manually via GUI.
Password expire is set to 17.04.2019
When I build and run I am receiving Unable to connect to local directory or change password.
Before that there is: The local admin: <here_is_my_local_admin_account_name> has been detected to have a secureToken. Preforming secure password change...

However once I was successful and it almost worked. Password changed at AD but not in macOS.
What's more, when I was running it for the first time, I was able to change the password in AD via the part of the ad_tools function in ADTools.swift which sends the test password Th1sIsN0tth3P@ssword, but now it's not possible.

Where is the package?

or you can use the package created using Packages to install. The package includes a Launch Daemon to run macOSLAPS every 90 minutes.

I cloned the repo but am not seeing the package. Am I missing something?

How to change the admin account managed by macOSLAPS

Hello,

this is not really an issue but I didn't know where to ask for help. I am trying to start to use your tool on my company Macbooks, but I can't find a way to change the admin account that will be managed, from "admin" to something else.
Sadly I don't have a MDM solution to generate a plist file either.

Please note that I am not very familiar with macOS, so my question might be dumb, but still, I am struggling :)

I tried to manually edit the plist file with text editor but it says that I don't have sufficient permission to do any change, even if I am myself admin.

The simplest workaround I found was to create an "admin" account, but we are used to using another account name. Also I think it's best to use a less obvious account name for admin.

So this is not a big deal but for the sake of understanding how this work, any help would be appreciated.

macOSLAPS 1.0.4 crashes when it cannot connect to the directory server

Testing the new 1.0.4 pre-release which is working as expected when the DC is reachable, but when not (i.e. on my MacBook at home and I disconnect the VPN/disable Wi-Fi), it crashes with nothing written to /Library/Logs/macOSLAPS.log. The password for the local admin account is not changed, which is good.

Here's the output:

Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/Active Directory/UEL/uel.ac.uk'" UserInfo={NSLocalizedDescription=Connection failed to node '/Active Directory/UEL/uel.ac.uk', NSLocalizedFailureReason=Connection failed to the directory server.}: file /BuildRoot/Library/Caches/com.apple.xbs/Sources/swiftlang/swiftlang-900.0.74.1/src/swift/stdlib/public/core/ErrorType.swift, line 181 Illegal instruction: 4

And a crash report:

macOSLAPS_2018-03-15-095820_DLEB285-17096.crash.zip

Version 1.0.3 reports Error|Thu Mar 15, 2018 10:20:39 AM|macOSLAPS|Unable to connect to Active Directory under the same conditions.

fresh install doesn't work

Attempted to install on OS X Mojave 10.14.6; it installed with no issues, and I manually copied the .plist to the Preferences folder. The application doesn't run.

Does not work if Active Directory is not in authentication search path

There may be reasons to bind a computer to Active Directory but not use it for user authentication. For instance, you might be using LDAPv3 for user auth (or even just local accounts), but want to use an AD machine account for maintenance tasks that require network resources or credentials to connect to the wifi network. So you've removed AD from the Authentication Search Policy. If you do this, macOSLAPS does not work with error:

|macOSLAPS|Unable to connect to Active Directory

I think this is the related code:
https://github.com/joshua-d-miller/macOSLAPS/blob/master/macOSLAPS/ADTools.swift#L26-L36

The fact that it gets this far shows that it knows that it is bound to AD, but just the query is not returning any results. Is there some way to use ODQuery for nodes not in the search path? It's frustrating because I can just run dscl and navigate to Active Directory/MyDomain/All Domains/Computers and see all the computers just fine.

If I add Active Directory to the Authentication Search Policy, bam, everything works fine. But I can't use that as a solution because it interferes with LDAPv3 connections which we use because we're in a multi-forest arrangement and don't want to use Centrify or PowerBroker solutions.
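One way to look the computer record up in a node that is not in the search policy, as an added example and not the project's own code: open the Active Directory node by name with ODNode(session:name:) instead of going through the search node, then run the same kind of ODQuery against it. The node name and the computer record name are assumptions for this example (AD computer records normally carry a trailing "$"); replace them with your own.

```swift
import Foundation
import OpenDirectory

/// Looks this Mac's computer record up directly in a named Active Directory node.
/// Opening the node by name does not depend on the Authentication Search Policy,
/// which is the difference from querying the "/Search" node.
/// - nodeName: e.g. "/Active Directory/MYDOMAIN/All Domains" (assumed; use your own)
/// - computerName: the record name in AD, normally the hostname with a trailing "$"
func findComputerRecord(nodeName: String, computerName: String) throws -> ODRecord? {
    // Bind to the named node, not the search node
    let node = try ODNode(session: ODSession.default(), name: nodeName)
    let query = try ODQuery(node: node,
                            forRecordTypes: kODRecordTypeComputers,
                            attribute: kODAttributeTypeRecordName,
                            matchType: ODMatchType(kODMatchEqualTo),
                            queryValues: computerName,
                            returnAttributes: kODAttributeTypeAllAttributes,
                            maximumResults: 1)
    // Synchronous query: blocks until complete. A directory that cannot be reached
    // surfaces as a thrown error (the Code=2100 case seen elsewhere on this page),
    // not as an empty array, so callers can distinguish "offline" from "not found".
    let results = try query.resultsAllowingPartial(false)
    return results.first as? ODRecord
}

// Usage with constructed values (replace with your domain and hostname):
do {
    if let record = try findComputerRecord(nodeName: "/Active Directory/MYDOMAIN/All Domains",
                                           computerName: "MYMAC$") {
        print("Found computer record:", record.recordName)
    } else {
        print("No computer record found in that node")
    }
} catch {
    print("Directory lookup failed:", error)
}
```

Finding the record this way only proves it exists; whether the bound machine account may write the LAPS attributes is a separate question that only a write attempt answers.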

Unable to connect to local directory or change password

I am currently having an issue with resetting the local admin password using this tool. I had the app working fine and the new password was written to AD and the local account was changed fine.

I uninstalled macosLaps as I wanted to push the tool through Munki. So I manually removed the items listed on another GitHub Issue and then reinstalled macosLaps. I also cleared the keys in the AD computer object and for good measure I change the admin password from the Random one back to my original one.

I have reinstalled macoslaps through Munki (I have also installed again through the standard package installer to avoid Munki issues) but I can no longer change the local admin password. The admin account is a secureToken account so I am using the FirstPass string, the THISISNOTAPASSWORD is written to AD so I know that part is working but all get is the below output:

Info|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|Password Change is required as the LAPS password for admin, has expired
Info|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|The local admin: admin has been detected to have a secureToken. Performing secure password change...
Error|Wed Aug 21, 2019 10:23:20 am|macOSLAPS|Unable to connect to local directory or change password. Exiting...

Any help appreciated.

Using macOS Mojave 10.14.6

Catalina Support

Attempting to run macOSLAPS on Catalina does not seem to work for me. I'm on the latest version, but when it runs I see this in the console:
Security policy would not allow process: 9061, /usr/local/laps/macOSLAPS

From talking with Apple, they indicate that the program does not appear to be notarized:

Below are the log entries related to the presented dialog:

debug 2019-10-10 12:17:50.261861 -0400 amfid com.apple.securityd open(/usr/local/laps/macOSLAPS,0x0,0x1b6) = 3
debug 2019-10-10 12:17:50.261955 -0400 amfid com.apple.securityd open(/usr/local/laps/macOSLAPS,0x0,0x1b6) = 4
debug 2019-10-10 12:17:50.262115 -0400 amfid com.apple.securityd 88145 signing bytes in 5 blob(s) from /usr/local/laps/macOSLAPS(x86_64)
default 2019-10-10 12:17:50.277105 -0400 amfid /usr/local/laps/macOSLAPS signature not valid: -2147409652
debug 2019-10-10 12:17:50.277486 -0400 amfid com.apple.securityd open(/usr/local/laps/macOSLAPS,0x0,0x1b6) = 3
debug 2019-10-10 12:17:50.277542 -0400 amfid com.apple.securityd open(/usr/local/laps/macOSLAPS,0x0,0x1b6) = 4
debug 2019-10-10 12:17:50.277628 -0400 amfid com.apple.securityd 88145 signing bytes in 5 blob(s) from /usr/local/laps/macOSLAPS(x86_64)
default 2019-10-10 12:17:50.286793 -0400 kernel mac_vnode_check_signature: /usr/local/laps/macOSLAPS: code signature validation failed fatally: When validating /usr/local/laps/macOSLAPS:
The code contains a Team ID, but validating its signature failed.
Please check your system log.
default 2019-10-10 12:17:50.286835 -0400 kernel proc 26189: load code signature error 4 for file "macOSLAPS"
default 2019-10-10 12:17:50.287168 -0400 kernel Security policy would not allow process: 26189, /usr/local/laps/macOSLAPS

What we are seeing here is the software failing signature validation and securityd shutting it down. This triggered the notification that you received.

At this point it will be up to the developer to address this issue in order for the software to not be shut down by the OS, as they are the ones who can work to address signing issues with the software. They will most likely need to also submit the software for notarization. This will ensure compatibility with macOS Catalina.

LaunchDaemon

Hi,

I have been trying to get this to work, and it all works well when I run it manually, but when I try to run it via a LaunchDaemon I get this error:

Dec 7 21:27:42 *************** com.apple.xpc.launchd[1] (edu.psu.macoslaps-check[61937]): Service exited with abnormal code: 1

I am using the default provided .plist

There was an error setting the password for this device...

I can't get macOSLAPS to change the password. When I manually run resetPassword I get this.

computername_here:laps xxx$ macOSLAPS -resetPassword
Info|Wed Nov 28, 2018 04:58:51 PM|macOSLAPS|Password Change is required as the LAPS password for macadminpasswordhere has expired
Error creating /Library/Logs/macOSLAPS.log
Error|Wed Nov 28, 2018 04:58:51 PM|macOSLAPS|There was an error setting the password for this device...

macOSLAPS binary not running - signing certificate revoked

Have started seeing the following crash when running the macOSLAPS binary:

$ macOSLAPS 
Killed: 9

A bit of further digging:

$ codesign -vvv /usr/local/laps/macOSLAPS
/usr/local/laps/macOSLAPS: CSSMERR_TP_CERT_REVOKED
In architecture: x86_64

Corroborated with @howlerwolf1313 on the MacAdmins Slack in the #macoslaps channel

This is with the current 1.1.1 release, build 223

Potential for inconsistent state?

I've been taking a look at this project, and I'm not sure if the error handling is adequate for such a sensitive operation. For example, what will be the result if the password update is attempted but the Computer AD object is not writable? It looks like this block at PWChange:22 where the real work takes place:

do {
    // Pull Local Administrator Record
    let local_node = try ODNode.init(session: ODSession.default(), type: UInt32(kODNodeTypeLocalNodes))
    let local_admin_change = try local_node.record(withRecordType: kODRecordTypeUsers, name: local_admin, attributes: nil)
    // Change the password for the account
    try local_admin_change.changePassword(nil, toPassword: password)
    // Set out nex expiration date in a variable x days from our
    // configuration variable
    let new_ad_exp_date = time_conversion(time_type: "windows", exp_time: nil, exp_days: exp_days) as! String
    // Format Expiration Date
    let print_exp_date = time_conversion(time_type: "epoch", exp_time: new_ad_exp_date, exp_days: nil) as! Date
    let formatted_new_exp_date = dateFormatter.string(from: print_exp_date)
    // Change the password in Active Directory
    _ = ad_tools(computer_record: computer_record, tool: "Set Password", password: password, new_ad_exp_date: new_ad_exp_date)
    laps_log.print("Password change has been completed for local admin " + local_admin + ". New expiration date is " + formatted_new_exp_date, .info)
} catch {
    laps_log.print("Unable to connect to local directory or change password. Exiting...", .error)
    exit(1)
}

As I read it, local_admin_change.changePassword() is called before any attempt is made to verify the AD Computer object can be written to, which only takes place in the call to ad_tools(computer_record: computer_record, tool: "Set Password", password: password, new_ad_exp_date: new_ad_exp_date). The message logged in the catch block suggests the operation would be aborted in case of an exception, but if the Computer record can't be updated, won't this in fact leave you with a new password on the local admin, which is not recorded anywhere?

I'm not particularly familiar with Swift, so apologies if there's something to the flow control I'm missing here. Or is this check performed earlier in another function? I see you can potentially exit(1) at ADTools:31 , but it seems this will just verify a record was found, not that it's writable.
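The ordering concern raised above can be made concrete with an added Swift example; this is not macOSLAPS's own code. It escrows the new password to the computer object first, treats a refused write as a reason to abort before the local account is touched, and restores the previous escrow if the local change then fails, so Active Directory never describes a password the Mac does not have. The attribute names follow the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes mentioned elsewhere on this page; the dsAttrTypeNative: prefix, the escrowToAD helper and the rotateLocalAdmin function are assumptions of this example.

```swift
import Foundation
import OpenDirectory

// LAPS attributes on the AD computer object (names as used elsewhere on this page;
// the dsAttrTypeNative: prefix is an assumption of this example).
let kAdmPwdAttr = "dsAttrTypeNative:ms-Mcs-AdmPwd"
let kAdmPwdExpAttr = "dsAttrTypeNative:ms-Mcs-AdmPwdExpirationTime"

enum RotationError: Error {
    case escrowNotWritable(Error)
    case localChangeFailed(Error)
    case localChangeFailedAndRollbackFailed(local: Error, rollback: Error)
}

/// Writes password and expiration to the computer record. Throws if the directory
/// refuses the write, which is the signal that the record is not writable
/// (read-only DC, missing rights, ...). Hypothetical stand-in for the project's
/// own ad_tools(tool: "Set Password", ...) call.
func escrowToAD(_ record: ODRecord, password: String, expiration: String) throws {
    try record.setValue(password, forAttribute: kAdmPwdAttr)
    try record.setValue(expiration, forAttribute: kAdmPwdExpAttr)
}

/// Rotates the local admin password without leaving AD and the Mac out of sync:
///  1. remember what AD holds now,
///  2. escrow the NEW secret (proves the record is writable) before touching the account,
///  3. change the local password (oldPassword is needed for secureToken accounts),
///  4. if step 3 fails, restore the previous escrow so AD still describes the real password.
func rotateLocalAdmin(localAdmin: String, oldPassword: String?,
                      newPassword: String, newExpiration: String,
                      computerRecord: ODRecord) throws {
    // 1. Snapshot the current escrow (may be absent on the very first run).
    let previousPwd = (try? computerRecord.values(forAttribute: kAdmPwdAttr))?.first as? String
    let previousExp = (try? computerRecord.values(forAttribute: kAdmPwdExpAttr))?.first as? String

    // 2. Escrow first. A failure here aborts with the local account untouched.
    do {
        try escrowToAD(computerRecord, password: newPassword, expiration: newExpiration)
    } catch {
        throw RotationError.escrowNotWritable(error)
    }

    // 3. Only now change the local account.
    let localNode = try ODNode(session: ODSession.default(), type: UInt32(kODNodeTypeLocalNodes))
    let adminRecord = try localNode.record(withRecordType: kODRecordTypeUsers,
                                           name: localAdmin, attributes: nil)
    do {
        try adminRecord.changePassword(oldPassword, toPassword: newPassword)
    } catch let localError {
        // 4. Roll the escrow back so the value in AD matches what the Mac actually has.
        if let pwd = previousPwd, let exp = previousExp {
            do {
                try escrowToAD(computerRecord, password: pwd, expiration: exp)
            } catch let rollbackError {
                throw RotationError.localChangeFailedAndRollbackFailed(local: localError,
                                                                       rollback: rollbackError)
            }
        }
        throw RotationError.localChangeFailed(localError)
    }
}
```

On a first run there is no previous escrow to restore (the "There has never been a random password generated" warnings on this page are that case), so a failed local change is reported as localChangeFailed and the caller has to treat the value now in AD as not yet applied to the Mac; the important property is that the escrow is proven writable before the local account is changed, and that every failure mode is reported rather than logged as a generic "unable to connect".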

request for local_admin_path to be a dynamic value.

Hello Joshua

We are in the process of setting up a proof of concept using your project.
In our environment the Jamf provisioning process creates the admin account we want to implement LAPS elsewhere and not in /Users/.
Having said that there are cases of manual setups where the same account is in /Users/.
I know we need to do some house keeping.

I would like to request a possible change in PWChange.swift where the home user path is dynamic.
As we do not have our environment ready for any testing I just changed the file but unable to test it, apologies for that.

The implementation would be:

line 41 remove > let local_admin_path = "/Users/" + local_admin + "/Library/Keychains"

   if keychain_remove == true {
        // get the local_admin home directory path (it can be elsewhere and not in /Users/
        let local_admin_home_path = NSHomeDirectoryForUser(local_admin)
        let local_admin_path = local_admin_home_path! + "/Library/Keychains"
        do {...

Could you have a look and consider this request, please?
Thank you
Mauricio

Unable to connect to local directory or change password (not using FileVault)

Before I begin, just want to say thanks for creating this, it's awesome. Anyway, we've pushed out the current release (macOSLAPS 1.1.4 Build 230) via ARD to about 35 machines, and on 4 of them when we send the unix command /usr/local/laps/macOSLAPS we're getting the message "Unable to connect to local directory or change password...". Two of them are running macOS 10.14.6 and two of them are running 10.13.6. We're not using FileVault on any of the machines, but on one of the ones having the issue I went ahead and tried the command sudo defaults write /Library/Preferences/edu.psu.macoslaps FirstPass "tempadminpassword" and sudo killall cfprefsd to see if it would make any difference, and it did not. I even unbound/re-bound that same Mac from Active Directory, but still no dice. Not sure how to proceed. Let me know if there's any additional info I can send you. Any help would be greatly appreciated.

Binary not signed correctly?

Attempting to install macOSLAPS via the provided package on Big Sur 11.4, but when invoked manually or automatically I get the error that macOSLAPS will damage the machine. Looked in the console logs and found 'Binary is improperly signed'. Did a codesign --verify --verbose on the binary and get 'CSSMERR_TP_CERT_REVOKED'. Can't tell if this is an issue on my end or not.

runtime error on non ad joined machine

ADTools.swift line 21:

    let adDict = ad_info[0]! as? NSDictionary ?? nil

generates this error when run on a machine that isn't bound to AD

fatal error: unexpectedly found nil while unwrapping an Optional value
2017-08-03 19:48:57.508779+1000 macOSLAPS[60124:24091722] fatal error: unexpectedly found nil while unwrapping an Optional value

Centrify compatibility

Wanted to see if this application is compatible with the Centrify MAC client that is used to bind a MAC to AD.

I assume not only because as I have the application installed but when I use macOSLAPS I get an error message of "Unable to connect to Active Directory" when my Centrify client shows that I am connected.

plist file deleted

Mac Version: 10.13.6 (High Sierra)
MacOSLaps Version: 1.1.4

I created the plist file through my MDM; this has worked previously and I can confirm the contents of the file and its existence in the /Library/Preferences folder.

Upon running macOSLaps I get the generic error that the password cannot be changed. The AD account is updated with the NOTAPASSWORD so I know that part works. However I have also noticed the plist file is deleted after I run macOSLaps for the first time on this mac.

Local admin password not changing

Successfully installed macOSLAPS and seeing successful writing of the random password to the AD ms-Mcs-AdmPwd attribute. However the admin password is not being updated on the MacBook locally.

Log stating "unable to connect to local directory or change password. Exiting.... "

bash-3.2$ sudo /usr/local/laps/macOSLAPS -resetPassword
Info|Wed Jan 16, 2019 12:00:33 PM|macOSLAPS|Password Change is required as the LAPS password for admin has expired
Info|Wed Jan 16, 2019 12:00:33 PM|macOSLAPS|Password change has been completed for local admin admin. New expiration date is Sun Mar 17, 2019 12:00:33 PM
Error|Wed Jan 16, 2019 12:00:33 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting...
bash-3.2$

plist file

What is the format of the .plist file? Just match the syntax in ConfigSettings.swift? Example: a different local admin name with 1 day password expiry. We have the latest release package working fine. Just need to understand how to customize, and whether simply creating this file and placing it at /Library/Preferences/edu.psu.macoslaps.plist will get detected next time the daemon runs?

Also any advice for removing the Penn State branding?

Unable to use LAPS

When running the "macoslaps" command in terminal I receive this error.
Any suggestions as to how to fix or why this error is being given?

This is my first time trying to run macOSLAPS. Tried debugging but was unsuccessful and had the same results.

Warning|Wed Jan 24, 2018 11:28:17 AM|macoslaps|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Wed Jan 24, 2018 11:28:17 AM|macoslaps|Password Change is required as the LAPS password for admin has expired
Warning|Wed Jan 24, 2018 11:28:18 AM|macoslaps|There was an error setting the password for this device...
Warning|Wed Jan 24, 2018 11:28:18 AM|macoslaps|There was an error setting the new password expiration for this device...
Info|Wed Jan 24, 2018 11:28:18 AM|macoslaps|Password change has been completed for local admin admin. New expiration date is Sun Mar 25, 2018 11:28:18 AM
Debug|Wed Jan 24, 2018 11:28:18 AM|macoslaps|Keychain does not currently exist. This may be due to the fact that the user account has never been logged into and is only used for elevation...

FileVault Password Out of Sync

I installed on a tester Mac and it did push the new password up to AD. No problem. I have MS-LAPS installed for the PCs. But FileVault retained the old password so I still have to enter that on boot up of the tester box.

I haven't been able to get it synced yet. Has anyone else had this problem?

Build not running on macOS prior to 10.14

So I deployed and built the package on our Jamf Infrastructure out to all of our endpoints.

All of the Mojave 10.14 machines run without issue.

I noticed today that none of the High Sierra 10.13 machines are checking in with passwords, I turned on debug logging in the plist, found this error..

dyld: Library not loaded: @rpath/libswiftAppKit.dylib
Referenced from: /usr/local/laps/macOSLAPS
Reason: image not found

Any help would be greatly appreciated.

Typo in readme

Took me a while to figure out why copy pasting this path wasn't working.

Libary should be Library

These parameters are set in the location /Libary/Preferences/edu.psu.macoslaps.plist or you can use your MDM's Custom Settings to set these values.

Ran successfully but password blank in LAPS UI

macOS LAPS runs successfully for the first time and changes my local admin password and expiration time but when looking up the Mac in LAPS UI on Windows the password is blank. Expiration time correctly matches the output of the macoslaps command (ms-Mcs-AdmPwdExpirationTime) but ms-Mcs-AdmPwd is blank.

This is a copy of issue #33 but the user never posted a fix and I'm hoping someone can point me in the right direction. I do have limited control over my AD environment though.

LAPS UP blank password

...or the domain controller is not writable

Hi Joshua,

We are getting this error when macoslaps runs, and I think it is because the offices our Macs are located in all have Read Only Domain Controllers. Is there a way to specify which domain controller to use?

Thanks.

Illegal instruction: 4

I have MacOSLAPS version 1.1.1 installed on MacOS 10.14.4. I have installed via macOSLAPS-1.1.1.223.pkg file and created the attached edu.psu.macoslaps.plist file: edu.psu.macoslaps.txt

When running the command sudo macOSLAPS -resetPassword I receive the following output:

Info|Mon Apr 29, 2019 01:12:46 PM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Info|Mon Apr 29, 2019 01:12:46 PM|macOSLAPS|Password Change is required as the LAPS password for itslocaladmin, has expired
Illegal instruction: 4

The ms-Mcs-AdmPwd field in Active Directory is updated to: Th1sIsN0tth3P@ssword

FileVault is not turned on and checking the log file, it contains the same as what is outputted to screen.

NoMAD compatibility

Will this work with NoMAD or does it require the machine to be bound to AD using the built-in plugin?

Not working on 10.13.3

There isn't a whole lot of information other than the logs I have right now however when macOSLAPS runs on a 10.13.3 machine it does change the local admin password but never writes back to AD.

Info|Thu Feb 22, 2018 09:57:08 AM|macOSLAPS|Password Change is required as the LAPS password for admin has expired
Warning|Thu Feb 22, 2018 09:57:09 AM|macOSLAPS|There was an error setting the password for this device...
Warning|Thu Feb 22, 2018 09:57:09 AM|macOSLAPS|There was an error setting the new password expiration for this device...
Info|Thu Feb 22, 2018 09:57:09 AM|macOSLAPS|Password change has been completed for local admin admin. New expiration date is Mon Apr 23, 2018 09:57:09 AM
Info|Thu Feb 22, 2018 09:57:09 AM|macOSLAPS|Removing Keychain for local administrator account admin...

We don't have this issue on other versions of the OS on campus and have it running successfully on almost 1000 machines.

RemovePassChars question

defaults write /Library/Preferences/edu.psu.macoslaps RemovePassChars -string []!~_“|<>,/{}^'
Is what I have set to not use those symbols. The problem is I think the ' is causing problems with the script.

I get this error: Line 4: unexpected EOF while looking for matching `''

Thanks for any help.

Unable to connect to local directory

When running the command sudo macoslaps -resetpassword we get an error that states "administrator@C1MRP3FDDTY3 ~ % sudo macOSLAPS -resetpassword
Password:
Info|Tue Jun 08, 2021 02:05:26 PM|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|Tue Jun 08, 2021 02:05:27 PM|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|Tue Jun 08, 2021 02:05:27 PM|macOSLAPS|Password Change is required as the LAPS password for admin, has expired
Error|Tue Jun 08, 2021 02:05:27 PM|macOSLAPS|Unable to connect to local directory or change password. Exiting..."

Request - generate password from character set

As per the title: can we have a random password generated from a given set? It's not obvious (or easy) to, say, remove all non-alphanumeric characters if, for example, it's determined that [a-z][1-9] is sufficient for requirements.

The idea here would be a separate key from RemovePassChars, perhaps called LimitPassChars.

paths.d/laps

Hi Joshua,

I am trying to implement the macOSLAPS into my environment. Minor changes needed to be made to the source code to meet environment requirements.
Using the application Packages I am now trying to repackage the macOSLAPS application. Unfortunately the sudo macoslaps command receives this error: sudo: macoslaps: command not found.

Is there any way to fix this for implementation?
Attached is a screenshot of the package I created. It is not working from your source code
Thanks

screen shot 2018-05-04 at 12 21 23 pm

Setup on Big Sur

I'm trying to get macOSLAPS running on a few macs running Big Sur (11.2.3).

Install works fine, all my default settings are applied through a script from our MDM, all the commands seem to run normally, except when I try to initiate LAPS to update the local admin password, I keep getting: "Unable to connect to local directory or change password. Exiting..."

I've tried a clean re-install setting everything up manually, but no luck there. I'm able to see the macbook in the LAPS UI, but it just has a placeholder password and the local admin password is still what was set manually.

Not sure at this point if it's just a Big Sur thing or an AD+Big Sur thing...

Any guidance is much appreciated (at this point I'd honestly be happy with a "doesn't work on Big Sur")

Binary from PKG and missing plist files

After installing the binary, there wasn't a plist file created in /Library/Preferences. I have no idea where the plist file needs to go. I've tried manually adding them to /Library/Preferences but the application won't read any of the settings. Any help would be appreciated.

Start Times too inconvenient for use

Is it possible to have the application run around these intervals:
OnLoad/Startup => ensures that the application will change the password once it installs, rather than only if the mac is awake at one of the 3 intervals.
Change the launchd to more of a service where it continuously runs in the background and works based on triggers. It's more of a thought.

The issues I'm running into are that it doesn't set the LAPS password the moment it installs, and there is too much of a gap where not all the devices would be awake during those specified time periods.

v2.1.0 pkg is not setting the right permissions on the files during installation?

macOSLAPS not actually doing anything...(I replaced the account name in the output)

Running it via the launch daemon did not produce any error but neither did it work.
launchctl kickstart -k -p system/edu.psu.macoslaps-check

Info|2021-07-01 09:23:26|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|2021-07-01 09:23:26|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|2021-07-01 09:23:26|macOSLAPS|Password Change is required as the LAPS password for , has expired
Info|2021-07-01 09:23:26|macOSLAPS|The local admin: has been detected to have a secureToken. Performing secure password change...
Info|2021-07-01 09:30:40|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|2021-07-01 09:30:40|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|2021-07-01 09:30:40|macOSLAPS|Password Change is required as the LAPS password for , has expired
Info|2021-07-01 09:30:40|macOSLAPS|The local admin: has been detected to have a secureToken. Performing secure password change...
Info|2021-07-01 09:49:46|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|2021-07-01 09:49:47|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|2021-07-01 09:49:47|macOSLAPS|Password Change is required as the LAPS password for , has expired
Info|2021-07-01 09:49:47|macOSLAPS|The local admin: has been detected to have a secureToken. Performing secure password change...

But I get an error when running "macOSLAPS" as root from the command line:

Info|2021-07-01 09:10:18|macOSLAPS|No Preferred Domain Controller Specified. Continuing...
Warning|2021-07-01 09:10:18|macOSLAPS|There has never been a random password generated for this device. Setting a default expiration date of 01/01/2001 in Active Directory to force a password change...
Info|2021-07-01 09:10:18|macOSLAPS|Password Change is required as the LAPS password for , has expired
Info|2021-07-01 09:10:18|macOSLAPS|The local admin: has been detected to have a secureToken. Performing secure password change...
2021-07-01 09:10:18.897 macOSLAPS[5583:62046] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'launch path not accessible'
*** First throw call stack:
(
0 CoreFoundation 0x00007fff326b2627 __exceptionPreprocess + 250
1 libobjc.A.dylib 0x00007fff6b5925bf objc_exception_throw + 48
2 Foundation 0x00007fff34d75a4d -[NSConcreteTask launchWithDictionary:error:] + 5213
3 macOSLAPS 0x000000010e28f9c8 $s9macOSLAPS5ShellC3run10launchPath9argumentsS2S_SaySSGtFZ + 648
4 macOSLAPS 0x000000010e28d770 $s9macOSLAPS15KeychainServiceC12loadPassword7serviceSSSg_AFtSS_tFZ + 5760
5 macOSLAPS 0x000000010e298459 $s9macOSLAPS7ADToolsC15password_change15computer_recordySaySo8ODRecordCG_tFZ + 1177
6 macOSLAPS 0x000000010e283baa $s9macOSLAPSAAyyF + 9082
7 macOSLAPS 0x000000010e2809c4 main + 20
8 libdyld.dylib 0x00007fff6c73acc9 start + 1
9 ??? 0x0000000000000001 0x0 + 1
)
libc++abi.dylib: terminating with uncaught exception of type NSException
zsh: abort macOSLAPS

The reason "launch path not accessible" made me think of permissions, so I had a look at the permissions on the laps dir:
ls -las /usr/local/laps
0 drwxr-x-wx+ 4 root wheel 128 1 Jul 09:09 .
0 drwxr-xr-x 7 root wheel 224 1 Jul 08:55 ..
1264 -rwxr-xr-x 1 root wheel 645728 30 Jun 02:37 macOSLAPS
744 -rw-r--r-- 1 root wheel 378464 18 Jun 16:55 macOSLAPS-repair

macOSLAPS-repair didn't look right so I did:
chmod 755 /usr/local/laps/macOSLAPS-repair

and tried again and it worked.

So it looks like the pkg is not setting the right permissions on the files during installation.
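An added check, not part of macOSLAPS, that catches the state this issue diagnoses: it fails when any expected binary under the install directory lacks its execute bit (the "launch path not accessible" case) or when the directory or a file is world-writable, which the directory mode in the ls listing above also shows. The path /usr/local/laps and the file names macOSLAPS and macOSLAPS-repair are taken from the listing in the post.

```shell
#!/bin/sh
# Added example, not part of macOSLAPS: audit the install directory for the
# permission problem diagnosed in this issue. Exit status 0 means every named
# file is an executable regular file and nothing checked is world-writable;
# 1 means at least one finding was printed.
# Usage: laps_perm_check DIR FILE...
#   e.g. laps_perm_check /usr/local/laps macOSLAPS macOSLAPS-repair

# True when the single path given is world-writable. -prune stops find from
# descending, so only the path itself is tested (works with BSD and GNU find).
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

laps_perm_check() {
    dir="$1"
    shift
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # A world-writable directory lets any local user swap the binaries that
    # the launch daemon later runs as root, so it is reported as a finding too.
    if world_writable "$dir"; then
        echo "world-writable directory: $dir"
        rc=1
    fi
    for name in "$@"; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "missing file: $f"
            rc=1
            continue
        fi
        # A non-executable binary is what produced
        # "launch path not accessible" in the crash above.
        if [ ! -x "$f" ]; then
            echo "not executable: $f (fix: chmod 755 \"$f\")"
            rc=1
        fi
        if world_writable "$f"; then
            echo "world-writable file: $f"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it after installing the pkg (or from a post-install script) and treat a non-zero exit as a failed install rather than fixing modes by hand on each machine.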

Obfuscate Password

Is it possible to base64 encode or completely hide the password from the Profiles System Preference?

Feature Request - reset password independent of password reset date

New feature request:

In instances when a mac has been re-built, macOSLAPS won't update the local admin account password if the expiry date stored in AD has not been reached yet. This means the password as stored in AD will not be in sync with what is actually on the machine. It would be handy to be able to run the tool with a switch to update the password at any time, specifically for re-builds (e.g. it could run after a rebuild to re-sync the local password with what's in AD).

If I get the chance I'll take a look at the code and issue a PR - documenting here for feedback.
