Skip to main content
Solved

Management Account Generated Passwords

  • November 25, 2015
  • 7 replies
  • 21 views
K
Forum|alt.badge.img+12

I have been using the same password for my management accounts for a couple of years. The windows desktops will soon be getting randomly assigned passwords that are accessible via Active Directory with a schema mod. What are the implications of setting the policy to generate the management password? Can I see the management password somewhere after it has been set? I'd assume this is generated on a per client basis?

I'm also looking at using filevault2 full disk encryption, does this password change policy mess with that at all?

Thank you,
Ken Edgar

Best answer by marklamont

from my CCA training recently I was told that the management account is only used for two things these days;
connecting and running things via Casper remote
changing disk encryption keys via policy

so not knowing the password is irrelevant, or should be anyway.

    7 replies

    H
    Forum|alt.badge.img+16
    • hkabik
    • Honored Contributor
    • November 25, 2015

    We're going a similar route here. From my testing, I have not found any way to retrieve the randomized password from the JSS.

    I did have to sure up my AD group access on the machine to ensure folks in our workstation admin group could still get in via ARD and SSH and have sudo privs (we had been using a local admin support account for this which is now a no-no). This is annoying because I was hoping to go the Enterprise Connect route and do away with AD binds, now I'm more or less stuck with it or we lose all non Casper Remote support access on the machines. No SSH would be devastating.

    FV2 really shouldn't be effected unless you were intending to have the management account be a FV2 user... which I really wouldn't advise anyway.

    M
    Forum|alt.badge.img+12
    • marklamont
    • Contributor
    • Answer
    • November 25, 2015

    from my CCA training recently I was told that the management account is only used for two things these days;
    connecting and running things via Casper remote
    changing disk encryption keys via policy

    so not knowing the password is irrelevant, or should be anyway.

      iJake
      Forum|alt.badge.img+23
      • iJake
      • Contributor
      • November 25, 2015

      It is not meant to be known when being randomized and should not be used as a local admin account by support.

        K
        Forum|alt.badge.img+12
        • Kedgar
        • Author
        • Contributor
        • November 25, 2015

        Ah, thanks... I was using the management account as the actual local administration account. I need to re-think that. In that case, randomizing the management account won't hurt anything. Has anyone found a way to randomize the local admin account credentials? This probably isn't as big of a deal, but I'd like to treat the OS X hosts similar to the Windows hosts in almost all respects to management style.

        Thanks everyone!

        donmontalvo
        Forum|alt.badge.img+36
        • donmontalvo
        • Hall of Fame
        • November 29, 2015

        Management Account != Local Admin Account

        (or shouldn't be)

        --https://donmontalvo.com
        davidacland
        Forum|alt.badge.img+18
        • davidacland
        • Valued Contributor
        • November 29, 2015

        The only catch with random passwords is if you want to re-enable management for a computer.

        I've had a few cases where the checkbox specifying to manage the computer is unticked (either a bug or user error). When you re-select it you need to know the password for the management account.

        donmontalvo
        Forum|alt.badge.img+36
        • donmontalvo
        • Hall of Fame
        • November 29, 2015

        Wow sounds like a bug? You'd think the last randomized password would be cached by JSS?

        --https://donmontalvo.com
        Terms & ConditionsCookie settingsAccessibility statement