Posted on 03-05-2018 06:47 PM
Hello friends, I'm trying to make a script to change the user password on about 200 machines and I'm not getting it. What I have so far is this:
```bash
#!/bin/bash
unset HISTFILE
dscl . -passwd /Users/username newpassword
security set-keychain-password -o oldpassword -p newpassword
```
Posted on 03-06-2018 05:51 AM
Hi @angelofilho33, is the admin account identical on all the machines? If so, you could use a policy payload to do this rather than creating a script.
Posted on 03-05-2018 09:39 PM
Hope this helps. I do this where I am.
```bash
#!/bin/sh
# New password for the local admin account
password="your_NewPassword"

# Set the password for the ladmin account in the local directory
/usr/bin/dscl . passwd /Users/ladmin "$password"
status=$?

if [ "$status" -eq 0 ]; then
    echo "Password was changed successfully."
else
    echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi
exit $status
```
Posted on 03-05-2018 09:41 PM
For the keychain it's a bit wonky.
```bash
#!/bin/sh
# Change the login keychain password from the old password to the new one
sudo security set-keychain-password -o oldpassword -p newpassword /Users/test/Library/Keychains/login.keychain
```
Posted on 03-05-2018 09:42 PM
I use reference books when programming. I would buy this as it can help out:
https://www.amazon.com/Bash-Pocket-Reference-Power-Admins/dp/1491941596/ref=pd_bxgy_14_img_3?_encoding=UTF8&pd_rd_i=1491941596&pd_rd_r=PAXGK2FQESB2H0AKEH03&pd_rd_w=BSNgN&pd_rd_wg=XNJBS&psc=1&refRID=PAXGK2FQESB2H0AKEH03
Posted on 06-06-2018 04:17 AM
Sorry for the delay in replying. I created a policy the way Nong did, and everything went well. Thanks Nong. Thanks Glover.
Posted on 02-03-2020 06:51 AM
Hi Christopher, I tried out your shell script manually and it works on the basis that you enter the old password. How can this be deployed across many machines via Jamf?
Posted on 11-09-2020 07:14 AM
I've got the same question as @Giannini: is there a way to use this via JAMF? Works great when run manually, but it fails when run via JAMF, trying to enter the old password.
Posted on 11-09-2020 09:14 AM
Putting the admin password in a script does not sound like a good idea.
Posted on 02-03-2021 06:28 AM
I am able to get the policy to work for High Sierra OS but not for Big Sur OS. Does anyone know if there is a difference with Big Sur?
Posted on 03-19-2021 05:18 PM
@IreneGarcia - you may want to check out the post (Posted: 12/6/2018 at 9:46 AM CST) by LovelessinSEA in https://www.jamf.com/jamf-nation/discussions/30317/resetting-local-account-password-via-policy-is-sporadically-failing

For the reason mentioned in that post we can't use the policy to change our account password. I'm using an adaptation of ChristopherGlover's script, but had to add in a bit for the old password to get it to work. Also, I strongly suggest encrypting any passwords in scripts with a salted passphrase. So it ends up something like:
```bash
#!/bin/bash
# Jamf script parameters:
#   Parameter 4 = username
#   Parameter 5 = old password, encrypted string
#   Parameter 6 = new password, encrypted string
oldpwsalt="<value of salt>"
newpwsalt="<value of salt>"
oldpassphrase="<value of passphrase>"
newpassphrase="<value of passphrase>"

# Decrypt both passwords, then pass old and new to dscl
oldpw="$(echo "${5}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$oldpwsalt" -k "$oldpassphrase")"
newpw="$(echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$newpwsalt" -k "$newpassphrase")"
/usr/bin/dscl . passwd "/Users/$4" "$oldpw" "$newpw"
status=$?

if [ "$status" -eq 0 ]; then
    echo "Password was changed successfully."
else
    echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi
exit $status
```
To get all those values for the script above you have to run something like below, where "password" is the old password, and then run it again with the new password.
```bash
PASSWORD='password'
# Random 8-byte salt (16 hex characters) and a random passphrase
SALT=$(openssl rand -hex 8)
K=$(openssl rand -hex 12)
# Encrypt to a single-line base64 string for use as a script parameter
ENCRYPTED=$(echo "${PASSWORD}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
echo "Encrypted String: ${ENCRYPTED}"
echo "Salt: ${SALT} | Passphrase: ${K}"
```
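An added example, not part of the original post or of Jamf's own tooling: the script above passes whatever `openssl` prints straight to `dscl`, so a mistyped salt, passphrase or parameter reaches `dscl` as an empty or garbage password. This version checks each decryption before anything is changed; the function names and the `OPENSSL` variable are assumptions of the example.

```shell
#!/bin/bash
# Added example: validate decrypted Jamf parameters before calling dscl.
# Function names and the OPENSSL variable are hypothetical.
OPENSSL=$(command -v openssl || echo /usr/bin/openssl)

# encrypt_param <plaintext> <salt-hex> <passphrase>  -> base64 string on stdout
encrypt_param() {
    printf '%s\n' "$1" | "$OPENSSL" enc -aes256 -a -A -S "$2" -k "$3" 2>/dev/null
}

# decrypt_param <encrypted> <salt-hex> <passphrase>
# Prints the plaintext; returns 1 if openssl fails or the result is empty.
# A wrong key usually fails the padding check, but enc has no integrity
# protection, so this catches mistakes rather than tampering.
decrypt_param() {
    _out=$(printf '%s\n' "$1" | "$OPENSSL" enc -aes256 -d -a -A -S "$2" -k "$3" 2>/dev/null) || return 1
    [ -n "$_out" ] || return 1
    printf '%s' "$_out"
}

# change_password <user> <enc_old> <enc_new>
# Expects OLD_SALT, OLD_PASSPHRASE, NEW_SALT, NEW_PASSPHRASE to be set.
change_password() {
    _old=$(decrypt_param "$2" "$OLD_SALT" "$OLD_PASSPHRASE") || {
        echo "Old password parameter did not decrypt; nothing changed." >&2; return 2; }
    _new=$(decrypt_param "$3" "$NEW_SALT" "$NEW_PASSPHRASE") || {
        echo "New password parameter did not decrypt; nothing changed." >&2; return 2; }
    /usr/bin/dscl . -passwd "/Users/$1" "$_old" "$_new"
}

# Run only when Jamf supplies parameters 4-6 (user, old, new).
if [ -n "$4" ] && [ -n "$5" ] && [ -n "$6" ]; then
    OLD_SALT="<value of salt>";  OLD_PASSPHRASE="<value of passphrase>"
    NEW_SALT="<value of salt>";  NEW_PASSPHRASE="<value of passphrase>"
    change_password "$4" "$5" "$6"
    exit $?
fi
```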