Allow non-admin users to change password

Karlhehr
New Contributor II

I have about 1400 machines (10.8.4) that I have set up for students with local accounts. I have set up a Config profile for the users. I have everything but profiles checked under Restrictions/Preferences. However, when a student logs in, they can go to Sys Prefs, they can click the change password button, but when they try and save their new password they get an error saying they need to be admins to change their passwords. Now, for night one of roll-out I had my staff circulate and enter admin credentials to assist in the password change. This is not an efficient way to handle things. What am I missing? How can I set the users so they can change their passwords?

4 REPLIES

Chris_Hafner
Valued Contributor II

I would imagine that you need to uncheck the "accounts" checkbox as well (under restrictions). Unfortunately I have no idea if this will solve your problem but it would make sense that any user restricted from the "accounts" preference pane will not be able to change their password.

tlarkin
Honored Contributor

Hey Karl,

I have a script I used at my old job to do this for local accounts that were locked down that ran through self service. However, I would suggest trying to payload a configuration profile that granted them access to change their passwords via System Preferences. Due to the fact my script prompts a user for their password change, and then stores it in memory, it is not really a best practice when it comes to security. At the same time, this was for a K-12 public school system, so it wasn't like I was dealing with fully encrypted hard drives, and data access was really the only thing I had to worry about, i.e. ensure I can access the data of students' and teachers' work in case I had to recover or transfer it.

That being said, I would recommend using the built-in tools in configuration profiles to grant users access to the Users and Groups Preference Pane in System Preferences so they can reset their own passwords. If this is not an option I could post that script I wrote, but you would have to test it out, and see what it breaks if anything. The script has one other flaw: it cannot change the login.keychain for that user, so when it ran it deleted it. So any service that the user may use that requires access to their login.keychain it could feasibly break.

Let me know if this helped at all, and if a configuration profile works for allowing users to access the Users & Groups Preference Pane.

Thanks,
Tom

technicholas
Contributor

I just let our users go to Security and Privacy to allow them to change their password. That works well if you don't want your users to see your other user accounts on the computer.

mm2270
Legendary Contributor III

Hmm, maybe I'm just misreading it, but I took Karl's original post to mean he has enabled all Preference Panes except Profiles in System Preferences, while it seems everyone posting here seems to be under the opposite impression. He stated "I have set up a Config profile for the users. I have everything but profiles checked under Restrictions/Preferences." Looking at Profiles and Restrictions, anything checked there is enabled, not disabled. If that's the case, it doesn't make much sense that users can't change their own password in the Users & Groups pane.

@Karl, have you tried removing the profile from one of the Macs as a test to see if it allows changing the password? I'd be curious to hear if the profile is actually what's preventing this from happening, or if it's something else unrelated.