Posted on 03-17-2021 03:21 PM
Has anyone had this issue when changing our local admin password via Jamf in the Local Accounts payload and choose 'Reset' I get an error stating 'Error resetting the password for user'
I am using Jamf Pro 10.27
Tested on macOS High Sierra & Mojave, just keeps failing.
Has anyone else had this issue or have some sort of fix
Posted on 03-17-2021 09:53 PM
The only reason I can think of is if that account has a secure token and is the only account on the Mac that does. Some versions of the OS will protect the sole secure token holder from losing it, meaning you can't force-reset the password, only change it in a manner which retains the secure token (a method which requires the current password). Similarly, you wouldn't be able to delete that account.
Posted on 03-18-2021 02:16 AM
If you are familiar with scripting and are fine with handling the passwords in clear text in a script (wouldn’t recommend this) you could use "passwd" on the command line.
Posted on 03-18-2021 04:42 AM
This script works for us when we needed to change local admin password (secure token holder.)
sysadminctl -adminUser ADMINACCOUNTNAME -adminPassword CURRENTPASSWORD -resetPasswordFor ADMINACCOUNTNAME -newPassword NEWPASSWORD
Posted on 03-18-2021 05:42 AM
I just stumbled over this KB from Apple: https://support.apple.com/en-ie/HT208171
A bit outdated but provides three scriptable ways.
Posted on 03-18-2021 11:47 AM
I've gotten the error using reset password in a policy but we use a script like @SirSir mentioned and it works for us.
Posted on 05-19-2021 10:01 AM
Posted on 05-20-2021 09:19 AM
Posted on 06-25-2021 06:58 PM
I am looking for a similar solution. We have a local "admin" account on all of our machines. An analyst from our ServiceDesk gave out this password last week to assist with a login issue for an end user. We now need to reset this local account password on all machines. Utilizing the Local Accounts payload in policy results in the same error the original poster is seeing.
Is the only option to run the sysadminctl cmd and expose the old and new password in cleartext in some type of log?(or is that not a concern)?
Posted on 06-28-2021 08:44 AM
Right click Computer select Manage
On computer management window under System Tools go to Local Users and Groups and select Users
Right click on “Your User Name” and select properties
Clear (Uncheck) "User cannot change password">>Click apply ad Ok>>Exit Computer Management.
Posted on 08-31-2021 09:11 AM
I'm also having this issue. On enrollment, we set up a Local admin account with an initial password. Then when we move it to classroom or lab groups we want to change the password. Then we get the same error 'Error resetting the password for user'. The weird thing is this policy worked fine up until this week.
Posted on 08-31-2021 09:23 AM
I have see this happen in the GUI with a manual change. Big Sur M1 machines
Posted on 09-21-2021 09:39 AM
Using the above script from @sirsir I had to run it using the File and Processes section of a policy, this exceuted the script to run as root user. I had tried to run it as a script and kept running into a secure token issue, executing it as the root user worked perfectly!
Posted on 02-21-2022 07:01 AM
Thanks I was scratching my head on this one ! Works flowlessly now
Posted on 11-02-2021 02:22 PM
Same issue here. Remote M1 computers with Big Sur where we need to rotate some admin account password.
Anyone got it working via Jamf Pro policy > Local Accounts > Reset Account Password? I can not use solution where password is so simply visible
Posted on 12-09-2021 10:37 AM
Posted on 12-09-2021 10:41 AM
Anyone who has auditor-level access to JSS can review the policy and see that password? Same like use 12345
Posted on 05-05-2022 07:04 AM
Does anything in Jamf ever just work without having to go through some complicated scripts to accomplish what the UI cannot do? It is so frustrating! We are a small shop and went with Jamf for its perceived ease of use in meeting compliance requirements given we do not have IT Help desk resources. We cannot get a simple policy such as deploy a local admin account for assisting in pw resets to work. Account deploys fine, but the pw NEVER works! And we checked the pw policy requirements, we are following the parameters within our PW policy settings so that is not the issue. We've never been able to get this functionality to work. We are probably going to look for an alternative to Jamf; We spend more time troubleshooting this MDM solution than any other corporate/enterprise tool in our suite. This Local Admin account is just one of many challenges we've had with the tool. Following the Jamf help explicitly is not very "helpful" as evidence by the sheer volume of troubleshooting posts in this very forum.
Posted on 05-05-2022 07:31 AM
Yes its quiet terrible... Its more so an apple issue in my opinion with FileVault being whats stopping a lot of jamf policies.
I would advice you check out their github for most scripts. My director said no however there is a script that can be deployed via self service that allows admin elevation to a standard user for however long you set it to.
Posted on 11-21-2022 08:28 AM
Just ran into this issue as well and discovered it was b/c the local admin account on the Mac was listed as a FileVault 2 Enabled User in Jamf (as shown under the computer record > Inventory > Disk Encryption > FileVault 2 Enabled Users). We followed this technical paper to disable FV for our local admin account and then flushed our password change policy for that account (which leverages the Jamf payload instead of a script for changing the password to the local admin account), and it worked. Hope this helps!
11-21-2022 08:31 AM - edited 11-21-2022 11:50 AM
Thanks for the info. Just curious if after the pw change, were you able to remotely add that local admin account back to FV?
11-21-2022 11:41 AM - edited 11-21-2022 12:05 PM
I haven't tried, but I doubt we'll re-enable it since we have to update the password this way and it was only for a few of our Macs that had it enabled. We rarely use the local admin account to physically access Macs; we mainly use it for SSH as needed and we hide the account from users. However, we have an Enable Secure Token policy that we could run on the Mac if we wanted to enable it back. The following post has some info regarding the pros and cons: https://community.jamf.com/t5/jamf-pro/secure-token/m-p/251898
I also forgot to previously mention that I setup a Smart Computer Group as the scope using FileVault 2 User has <local admin account name>.