
Hi,
I'd like to change the local admin password on our MacBooks in Jamf. I'm looking at the Policy Local Accounts -> Reset Account Password and it reads, "Set a new account password. This does not update the account's login keychain password or FileVault 2 password."



What options do I have to change the local account password and Keychain password? Do I have to do these separately? Or should I just give my users some instructions to update the keychain password?



Or is there a different workflow I should be thinking about?

If you're using a local admin account only as a way to give your users privilege escalation (without their regular account being in the 501 admin group), then who cares about keychain? If they do actually log into the console as local admin, they'll get a prompt to either update or create new keychain and just tell them to always create new.


If you create a policy that uses sysadminctl to change the password it will always create a new keychain. So if that's acceptable for your use case then you wouldn't have to worry about dealing with an out-of-sync keychain.



Here's an example I made with an interactive element; however, you can trash that part and just hardcode whatever new password you want using a variable in your script. The base command is sysadminctl -adminUser adminUserHere -adminPassword adminPasswordHere -resetPasswordFor userToBeResetHere -newPassword newUserPasswordHere
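As an added example (not the poster's script and not Jamf's own code), here is a Jamf policy script built around that sysadminctl base command: it reads the credentials from Jamf script parameters $4 to $7 (the parameter order is an assumption), checks whether the target account holds a secure token, runs the reset, and confirms the new password with dscl -authonly without ever echoing it into the policy log.

```bash
#!/bin/bash
# Added example built around the sysadminctl command quoted in the reply above.
# Assumed Jamf parameters: $4 admin user, $5 admin password, $6 account to
# reset, $7 new password. Commands are resolved through variables so the logic
# can be exercised with stand-ins on a machine that has no sysadminctl.
SYSADMINCTL="${SYSADMINCTL:-/usr/sbin/sysadminctl}"
DSCL="${DSCL:-/usr/bin/dscl}"

# Returns 0 if the account holds a secure token (required if the new password
# must also unlock FileVault 2). sysadminctl prints this status on stderr.
has_secure_token() {
    "$SYSADMINCTL" -secureTokenStatus "$1" 2>&1 | grep -q 'ENABLED'
}

# Reset $3's password using $1/$2 as the authorising admin, then verify the
# new password with dscl -authonly (exit 0 only when it authenticates).
# Return codes: 0 verified, 1 reset or verification failed, 2 bad input.
reset_local_password() {
    local admin_user="$1" admin_pass="$2" target="$3" new_pass="$4"
    if [ -z "$new_pass" ]; then
        echo "refusing to set an empty password for $target" >&2
        return 2
    fi
    if ! "$SYSADMINCTL" -adminUser "$admin_user" -adminPassword "$admin_pass" \
            -resetPasswordFor "$target" -newPassword "$new_pass" >/dev/null 2>&1; then
        echo "sysadminctl failed for $target" >&2
        return 1
    fi
    if ! "$DSCL" . -authonly "$target" "$new_pass" >/dev/null 2>&1; then
        echo "reset reported success but verification failed for $target" >&2
        return 1
    fi
    echo "password for $target updated and verified"
}

main() {
    if ! has_secure_token "$6"; then
        echo "note: $6 has no secure token, so its FileVault 2 password will not change" >&2
    fi
    reset_local_password "$4" "$5" "$6" "$7"
}

# Only run when executed on macOS (Jamf runs policy scripts as root).
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```
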


I've created a script which will fix these keychain issues after the fact for affected users:
https://www.jamf.com/jamf-nation/discussions/33601/update-keychain-password-script


Thanks for all the replies. I'll test them today and post back how it turned out.


Did this work for you? Currently in the same boat. I have a local admin account provisioned upon pre-enrollment. And we have FileVault 2 enabled. We grant our users a secure token and encrypt under their account.



How did you accomplish this task?



Would love to get an answer on this as well. Need to set new password for the local admin account (IT use only) and also update the FileVault 2 password. Is there an easy terminal command I can set to run after the "Local Accounts" payload?


Here is the script that changes the admin password:



```bash
#!/bin/bash

# UPDATE KEYCHAIN PASSWORD
# Runs as root from a Jamf policy and acts on the user currently at the console.

username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
loggedInUID=$(id -u "$username")
keychainDir="/Users/$username/Library/Keychains"

# Find the renamed keychains (macOS renames the old login keychain to
# login_renamed_N.keychain-db when it no longer matches the login password)
renamed=""
for n in {1..9} ; do
    long="$keychainDir/login_renamed_$n.keychain-db"
    short="login_renamed_$n.keychain-db"
    echo "$long"
    if [[ ! -f "$long" ]] ; then
        echo "Above Keychain not Found"
    else
        renamed="$long"
        short_renamed="$short"
        echo "renamed set to Above Keychain"
    fi
done

# If the renamed keychain isn't found then exit
if [[ -z "$renamed" ]] ; then
    echo "Renamed keychain not found."
    dialog="Old keychain not found."
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 1
fi

# $renamed keeps the full .keychain-db path: open and mv need the file that actually exists.

# Prompt the user for the current password, then for the previous password.
# (Passwords containing double quotes, backslashes or $ would break the
# quoting below; keep that in mind when testing.)
currentPass=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Please enter your Current account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)

previousPass=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Please enter your Previous account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)

# Open the keychain to load it into Keychain Access, then close Keychain Access
open "$renamed" &
sleep 2
killall "Keychain Access"

# Unlock the previous keychain with the previous password. expect answers the
# prompt from security; a heredoc avoids the nested-quote problem of expect -c.
unlock_result=$(/usr/bin/expect <<END
spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security unlock-keychain $short_renamed
expect "password to unlock"
send "$previousPass\r"
expect eof
END
)

if [[ "$unlock_result" == *"The user name or passphrase you entered is not correct."* ]] ; then
    echo "Previous Password did not unlock keychain"
    dialog="Previous Account password did not unlock the old keychain."
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 1
fi

# If it gets this far the previous password is correct:
# change the password on the previous keychain to the current login password
/usr/bin/expect <<END
spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security set-keychain-password $short_renamed
expect "Old Password:"
send "$previousPass\r"
expect "New Password:"
send "$currentPass\r"
expect "Retype New Password:"
send "$currentPass\r"
expect eof
END

# Make a keychain archive on the user's desktop (the path contains a space, so quote it)
archive="/Users/$username/Desktop/Keychain Archive"
mkdir -p "$archive"

# Move the current login keychain to the archive
mv "$keychainDir/login.keychain-db" "$archive/login.keychain-db"

# Copy the renamed keychain to the archive as a backup
cp "$keychainDir/$short_renamed" "$archive/$short_renamed"

# Wipe the current keychain search list
/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" security list-keychains -s none

# Rename the renamed keychain to login
mv "$renamed" "$keychainDir/login.keychain-db"

# Add the login keychain back to the list
/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" security list-keychains -s login.keychain-db

# Unlock the keychain with the current password
/usr/bin/expect <<END
spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security unlock-keychain login.keychain-db
expect "password to unlock"
send "$currentPass\r"
expect eof
END

# Set that keychain as the default keychain
result=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" security default-keychain -s "login.keychain-db")
if [[ -z "$result" ]] ; then
    dialog="Updating Old Keychain is complete. Recommended to verify keychain looks correct then reboot the computer"
else
    echo "$result"
    dialog="$result"
fi
/usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""

exit 0
```


@DevidDecosta
Here is that script on my GitHub: https://github.com/theadamcraig/jamf-scripts/blob/master/Update_keychain_password_v4.sh



This script doesn't update the password; it fixes the keychain issues after the password has been updated, if the keychain password is not synced with the login password. (It specifically looks for a renamed keychain, so your keychain needs to break BEFORE it can fix it.)



I've made some updates to it as well to resolve a few edge case issues.

