Changing Active Directory password on command line

Contributor II

I'm in the process of putting together a script which is a sort of "all in one" thing for checking expiry and changing passwords. I know password changes can be done through the System Preferences GUI, but I was hoping on a method to do it via a script, as there's also some keychain tomfoolery that I want to include for proxy reasons.

I've looked around a bit - "smbpassword" doesn't exist anymore, and "dscl . passwd /Search/Users/$USER" gives me an "eDSAuthMethodNotSupported" error. This is on 10.8.5

Any clues you can throw my way?


Contributor II

Actually, after some more searching I've found that using:

dscl localhost passwd /Search/Users/$USER $oldPassword $newPassword

Seems to trigger it correctly (so I'm in the right direction), but it keeps coming back "eDSAuthPasswordQualityCheckFailed". For kicks, I tried changing it via the System Preferences GUI and it indeed thinks that I'm not meeting minimum requirements, which I most certainly am.

Has anyone seen this before?

New Contributor

Greetings Aaron,

I, out of curiosity, created a test account/profile and from another admin account was able to successfully run the above listed command via Terminal after elevating the permissions (sudo -s). Prior I also received an error. Not sure if this is of any assistance.


Release Candidate Programs Tester

Fwiw, I'm using the following, in ADPassMon v2:

This is AppleScript & bash.

do shell script "dscl . -passwd /Users/$USER " & enteredOldPassword & " " & enteredNewPassword

Full bash world be like:

do shell script dscl . -passwd /Users/$USER $enteredOldPassword $enteredNewPassword

Contributor II

I know I'm drudging up a fairly old topic, but @Aaron, did you ever come up with a solution for this? We're running into a similar problem in my district, as going through Users and Groups to change the password results in the same error about password minimum requirements, and dscl doesn't do the trick, either. Any input would be appreciated!

Contributor II

Mostly, it's because we have a minimum password age which I had forgotten about.

I also had an issue where I was doing a search against the local db (dscl . -read, or dscl localhost -read) which was sometimes returning wonky results. So I ended up doing:

SEARCHPATH=`dscl localhost -read /Search CSPSearchPath | grep -m 1 "Active" | sed 's/^ *//'`
result=$(dscl "$SEARCHPATH" passwd "/Users/$USER" "$CURPASSWORD" "$NEWPASSWORD")

There's a bunch of stuff in between, but that's the general gist of it.