Question

Cannot change Local Admin Password



Hi Folks

Has anyone had this issue? When changing our local admin password via Jamf in the Local Accounts payload and choosing 'Reset', I get an error stating 'Error resetting the password for user'.

I am using Jamf Pro 10.27
Tested on macOS High Sierra & Mojave, just keeps failing.

Has anyone else had this issue or have some sort of fix?

22 replies

  • Contributor
  • 881 replies
  • March 18, 2021

The only reason I can think of is if that account has a secure token and is the only account on the Mac that does. Some versions of the OS will protect the sole secure token holder from losing it, meaning you can't force-reset the password, only change it in a manner which retains the secure token (a method which requires the current password). Similarly, you wouldn't be able to delete that account.


Forum|alt.badge.img+5

If you are familiar with scripting and are fine with handling the passwords in clear text in a script (wouldn’t recommend this) you could use "passwd" on the command line.


  • Valued Contributor
  • 62 replies
  • March 18, 2021

This script works for us when we needed to change the local admin password (secure token holder).

sysadminctl -adminUser ADMINACCOUNTNAME -adminPassword CURRENTPASSWORD -resetPasswordFor ADMINACCOUNTNAME -newPassword NEWPASSWORD

Forum|alt.badge.img+5

I just stumbled over this KB from Apple: https://support.apple.com/en-ie/HT208171
A bit outdated but provides three scriptable ways.


  • Contributor
  • 103 replies
  • March 18, 2021

I've gotten the error using reset password in a policy but we use a script like @SirSir mentioned and it works for us.


  • Contributor
  • 53 replies
  • May 19, 2021

@sirsir Is this used via a jamf policy or are you doing this manually on each machine affected?


  • Valued Contributor
  • 62 replies
  • May 20, 2021

@tdilossi With a policy that executes the command.


  • Valued Contributor
  • 114 replies
  • June 26, 2021

I am looking for a similar solution. We have a local "admin" account on all of our machines. An analyst from our ServiceDesk gave out this password last week to assist with a login issue for an end user. We now need to reset this local account password on all machines. Utilizing the Local Accounts payload in policy results in the same error the original poster is seeing.

Is the only option to run the sysadminctl cmd and expose the old and new password in cleartext in some type of log? (Or is that not a concern?)


Forum|alt.badge.img

Right click Computer select Manage
On computer management window under System Tools go to Local Users and Groups and select Users
Right click on “Your User Name” and select properties
Clear (Uncheck) "User cannot change password">>Click Apply and OK>>Exit Computer Management.


  • New Contributor
  • 5 replies
  • August 31, 2021

I'm also having this issue. On enrollment, we set up a Local admin account with an initial password. Then when we move it to classroom or lab groups we want to change the password.  Then we get the same error 'Error resetting the password for user'. The weird thing is this policy worked fine up until this week.


  • Honored Contributor
  • 1054 replies
  • August 31, 2021

I have seen this happen in the GUI with a manual change. Big Sur M1 machines.


armentrout
  • New Contributor
  • 5 replies
  • September 21, 2021

Using the above script from @sirsir I had to run it using the File and Processes section of a policy, this executed the script to run as root user. I had tried to run it as a script and kept running into a secure token issue, executing it as the root user worked perfectly!


mhasman
  • Valued Contributor
  • 426 replies
  • November 2, 2021

Same issue here. Remote M1 computers with Big Sur where we need to rotate some admin account password. 

Anyone got it working via Jamf Pro policy > Local Accounts > Reset Account Password? I cannot use a solution where the password is so simply visible.


chafe
  • Contributor
  • 11 replies
  • December 9, 2021

I hate that there's no easy solution for this, but it seems like the @sirsir method is the best way.


mhasman
  • Valued Contributor
  • 426 replies
  • December 9, 2021

Anyone who has auditor-level access to JSS can review the policy and see that password? Same as using 12345.


  • Contributor
  • 55 replies
  • February 21, 2022
armentrout wrote:

Using the above script from @sirsir I had to run it using the File and Processes section of a policy, this executed the script to run as root user. I had tried to run it as a script and kept running into a secure token issue, executing it as the root user worked perfectly!


Thanks, I was scratching my head on this one! Works flawlessly now.


Forum|alt.badge.img+2

Does anything in Jamf ever just work without having to go through some complicated scripts to accomplish what the UI cannot do? It is so frustrating! We are a small shop and went with Jamf for its perceived ease of use in meeting compliance requirements given we do not have IT Help desk resources. We cannot get a simple policy such as deploy a local admin account for assisting in pw resets to work. Account deploys fine, but the pw NEVER works! And we checked the pw policy requirements, we are following the parameters within our PW policy settings so that is not the issue. We've never been able to get this functionality to work. We are probably going to look for an alternative to Jamf; we spend more time troubleshooting this MDM solution than any other corporate/enterprise tool in our suite. This Local Admin account is just one of many challenges we've had with the tool. Following the Jamf help explicitly is not very "helpful" as evidenced by the sheer volume of troubleshooting posts in this very forum.


chafe
  • Contributor
  • 11 replies
  • May 5, 2022
LiveSecure_11 wrote:

Does anything in Jamf ever just work without having to go through some complicated scripts to accomplish what the UI cannot do? It is so frustrating! We are a small shop and went with Jamf for its perceived ease of use in meeting compliance requirements given we do not have IT Help desk resources. We cannot get a simple policy such as deploy a local admin account for assisting in pw resets to work. Account deploys fine, but the pw NEVER works! And we checked the pw policy requirements, we are following the parameters within our PW policy settings so that is not the issue. We've never been able to get this functionality to work. We are probably going to look for an alternative to Jamf; we spend more time troubleshooting this MDM solution than any other corporate/enterprise tool in our suite. This Local Admin account is just one of many challenges we've had with the tool. Following the Jamf help explicitly is not very "helpful" as evidenced by the sheer volume of troubleshooting posts in this very forum.


Yes, it's quite terrible... It's more so an Apple issue in my opinion, with FileVault being what's stopping a lot of Jamf policies.

I would advise you to check out their GitHub for most scripts. My director said no; however, there is a script that can be deployed via Self Service that allows admin elevation to a standard user for however long you set it to.


  • New Contributor
  • 2 replies
  • November 21, 2022

Just ran into this issue as well and discovered it was b/c the local admin account on the Mac was listed as a FileVault 2 Enabled User in Jamf (as shown under the computer record > Inventory > Disk Encryption > FileVault 2 Enabled Users).  We followed this technical paper to disable FV for our local admin account and then flushed our password change policy for that account (which leverages the Jamf payload instead of a script for changing the password to the local admin account), and it worked.  Hope this helps!
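
Added example (not part of the thread and not Jamf's own code): a preflight script, runnable as a Jamf policy script, that reports the two conditions replies in this thread tie to the 'Error resetting the password for user' failure, namely whether the account holds a secure token (and is the only holder) and whether it is a FileVault-enabled user. The account name `admin`, the use of script parameter `$4`, and the matched `sysadminctl` output wording are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: report account state before a password reset.
# $4 is the first custom Jamf script parameter; "admin" is an assumed default name.
ACCOUNT="${4:-admin}"

# True if captured `sysadminctl -secureTokenStatus` output reports an enabled token.
# Assumes the "Secure token is ENABLED for user ..." wording; check it on your macOS.
has_token() { printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'; }

# True if user $1 is in `fdesetup list` output $2 (one "shortname,UUID" per line).
in_filevault() { printf '%s\n' "$2" | cut -d, -f1 | grep -Fqx -- "$1"; }

# summarize <user> <token status output> <fdesetup list output> <other token holders>
summarize() {
  local token=no sole=no fv=no
  if has_token "$2"; then
    token=yes
    if [ "$4" -eq 0 ]; then sole=yes; fi
  fi
  if in_filevault "$1" "$3"; then fv=yes; fi
  echo "token=$token sole_holder=$sole filevault=$fv"
}

# Count local accounts other than $1 that hold a secure token (macOS only).
other_holders() {
  local n=0 u
  for u in $(dscl . -list /Users | grep -v '^_'); do
    [ "$u" = "$1" ] && continue
    if has_token "$(sysadminctl -secureTokenStatus "$u" 2>&1)"; then n=$((n + 1)); fi
  done
  echo "$n"
}

if command -v sysadminctl >/dev/null 2>&1; then
  # On a Mac (run as root by the Jamf policy): query the live system.
  status=$(sysadminctl -secureTokenStatus "$ACCOUNT" 2>&1)
  fvlist=$(fdesetup list 2>/dev/null)
  summarize "$ACCOUNT" "$status" "$fvlist" "$(other_holders "$ACCOUNT")"
else
  # Elsewhere: constructed sample output, for illustration only.
  summarize admin "sysadminctl[1:1] Secure token is ENABLED for user admin" \
    "admin,00000000-CONSTRUCTED" 0
fi
```

The summary line lands in the policy log, so Macs reporting `token=yes` or `filevault=yes` can be identified before a reset policy is scoped to them.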


  • Valued Contributor
  • 114 replies
  • November 21, 2022

Thanks for the info. Just curious if after the pw change, were you able to remotely add that local admin account back to FV?


  • New Contributor
  • 2 replies
  • November 21, 2022

I haven't tried, but I doubt we'll re-enable it since we have to update the password this way and it was only for a few of our Macs that had it enabled.  We rarely use the local admin account to physically access Macs; we mainly use it for SSH as needed and we hide the account from users.  However, we have an Enable Secure Token policy that we could run on the Mac if we wanted to enable it back.  The following post has some info regarding the pros and cons: https://community.jamf.com/t5/jamf-pro/secure-token/m-p/251898

I also forgot to previously mention that I set up a Smart Computer Group as the scope using FileVault 2 User has <local admin account name>.


  • New Contributor
  • 1 reply
  • November 28, 2023
protwan wrote:

Just ran into this issue as well and discovered it was b/c the local admin account on the Mac was listed as a FileVault 2 Enabled User in Jamf (as shown under the computer record > Inventory > Disk Encryption > FileVault 2 Enabled Users).  We followed this technical paper to disable FV for our local admin account and then flushed our password change policy for that account (which leverages the Jamf payload instead of a script for changing the password to the local admin account), and it worked.  Hope this helps!


I reviewed the Jamf technical paper you linked to try to figure out how to disable FV for the local admin but could not figure it out. Could you please help me out with where exactly in that document those instructions are listed? 

