Changing admin password on all desktops

Kedgar
Contributor

Hello,

I'm sure this has been discussed at length before, but in your practice how
have you gone about changing the administration account password on each
desktop? We have a single local account on each machine that is used both
by Casper to manage the machine and for technicians to log into the
machines. I'm looking for what has worked well or what hasn't worked well
for you in your experience.

Thanks for all your suggestions,
Kenneth J. Edgar
Infrastructure Administrator - Apple

School Specialty
W6316 Design Drive
Greenville, WI 54912-1579
920-882-5949 Phone
920-475-3583 Mobile
920-266-1404 Google Voice
ken.edgar at schoolspecialty.com
www.schoolspecialty.com

Helping educators engage and inspire
students of all ages and abilities to learn.

3 REPLIES

tlarkin
Honored Contributor

I agree with Jared. Have the Casper client randomize your ssh/managed password for your machines, and if you must deploy a local account for internal IT use, create a separate one you can nuke or mass-change passwords on without it being a huge deal. In fact, I have three local admin accounts on every Mac in our 1 to 1. One is for Casper, which is random and no one knows. The second is for internal IT usage; it is hidden, and only the IT staff know about it. The third is a local admin account used to grant non-IT workers remote desktop access. If a director or executive wants remote access they get it, but this account is separate, so in case it gets compromised I can nuke it.

All my local admin accounts are under UID 500, their homes are in /private/var, and they are totally hidden from the Finder. I haven't had a password breach in a few years, and the last time we had one was because someone wrote a password down on a piece of paper. By design, the local admin accounts that are on there can be easily nuked and the Casper management account is still fine and dandy.

-Tom
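
An added example (not part of the post above and not Casper tooling): a shell audit that checks a Mac's admin group against the layout described above, flagging unexpected admins and expected accounts whose UID is not under 500 or whose home is outside /private/var. The account names and the sample data are constructed assumptions; on a real Mac, feed in the output of the `dscl` commands named in the comments.

```shell
#!/bin/sh
# Added example: audit local admin accounts against an expected layout.
# Account names are hypothetical placeholders for the three roles above.
EXPECTED="casperadmin itadmin rdadmin"

# Constructed sample data in the shape dscl prints. On a Mac, capture with:
#   dscl . -read /Groups/admin GroupMembership
#   dscl . -list /Users UniqueID
#   dscl . -list /Users NFSHomeDirectory
SAMPLE_ADMINS="GroupMembership: root casperadmin itadmin rdadmin jsmith"
SAMPLE_UIDS="casperadmin 401
itadmin 402
rdadmin 403
jsmith 501
root 0"
SAMPLE_HOMES="casperadmin /private/var/casperadmin
itadmin /private/var/itadmin
rdadmin /Users/rdadmin
jsmith /Users/jsmith
root /var/root"

# Print the second column of the record in $2 whose first column is $1.
lookup() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# Report admin-group members that break the layout; prints nothing if clean.
# $1 = GroupMembership line, $2 = name/UID list, $3 = name/home list.
audit_admins() {
    for name in $(printf '%s\n' "$1" | sed 's/^GroupMembership: *//'); do
        [ "$name" = root ] && continue
        uid=$(lookup "$name" "$2")
        home=$(lookup "$name" "$3")
        case " $EXPECTED " in
            *" $name "*) ;;
            *) echo "UNEXPECTED_ADMIN $name uid=$uid"; continue ;;
        esac
        [ "${uid:-9999}" -lt 500 ] || echo "UID_NOT_UNDER_500 $name uid=$uid"
        case "$home" in
            /private/var/*) ;;
            *) echo "HOME_OUTSIDE_PRIVATE_VAR $name home=$home" ;;
        esac
    done
    return 0
}

audit_admins "$SAMPLE_ADMINS" "$SAMPLE_UIDS" "$SAMPLE_HOMES"
```
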

sean
Valued Contributor

I've not used it in anger, but:

Create manual policy > Accounts > Reset Password

Sean

jarednichols
Honored Contributor

Have a policy that spins the password to a random password at a given interval (daily/weekly/monthly). The only thing that will know the password is the JSS database, and all of the passwords will be unique. Having common passwords on networked machines is asking for trouble.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436