Changing the adm password by script

angelofilho33
New Contributor II

Hello friends, I'm trying to make a script to change the user password on about 200 machines and I'm not getting it. What I have so far is this:

#!/bin/bash

# Keep the passwords out of the shell history
unset HISTFILE
# Set the new account password, then update the login keychain to match
dscl . -passwd /Users/username newpassword
security set-keychain-password -o oldpassword -p newpassword


ChristopherGlov
New Contributor III

Hope this helps. I do this where I am.

#!/bin/sh

password="your_NewPassword"

# Set the new password for the local admin account "ladmin"
/usr/bin/dscl . passwd /Users/ladmin "$password"
status=$?

if [ "$status" -eq 0 ]; then
    echo "Password was changed successfully."
else
    echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi

exit $status

ChristopherGlov
New Contributor III

For the keychain it's a bit wonky.

#!/bin/sh

# Change the login keychain password for user "test" so it matches the new account password
# (on macOS 10.12 and later the file is login.keychain-db)
sudo security set-keychain-password -o oldpassword -p newpassword /users/test/Library/Keychains/login.keychain

ChristopherGlov
New Contributor III

I use reference books when programming. I would buy this as it can help out:

https://www.amazon.com/Bash-Pocket-Reference-Power-Admins/dp/1491941596/ref=pd_bxgy_14_img_3?_encoding=UTF8&pd_rd_i=1491941596&pd_rd_r=PAXGK2FQESB2H0AKEH03&pd_rd_w=BSNgN&pd_rd_wg=XNJBS&psc=1&refRID=PAXGK2FQESB2H0AKEH03

Quan_nong
Contributor

Hi @angelofilho33, is the admin account identical on all the machines? If so, you could use a policy payload to do this rather than creating a script.

angelofilho33
New Contributor II

Sorry for the delay in replying. I created a policy the way Nong described and everything went well. Thanks Nong. Thanks Glover.

Giannini
New Contributor II

Hi Christopher, I tried out your shell script manually and it works on the basis that you enter the old password. How can this be deployed across many machines via Jamf?

jamiesmithJAX
New Contributor III

I've got the same question as @Giannini. Is there a way to use this via JAMF? Works great when run manually, but it fails when run via JAMF trying to enter the old password.

mschroder
Valued Contributor

Putting the admin password in a script does not sound like a good idea.

IreneGarcia
New Contributor

I am able to get the policy to work for High Sierra OS but not for Big Sur OS. Does anyone know if there is a difference with Big Sur?

chris_fast
New Contributor II

@IreneGarcia - you may want to check out the post by LovelessinSEA (posted 12/6/2018 at 9:46 AM CST) in https://www.jamf.com/jamf-nation/discussions/30317/resetting-local-account-password-via-policy-is-sporadically-failing

For the reason mentioned in that post we can't use the policy to change our account password. I'm using an adaptation of ChristopherGlover's script, but had to add in a bit for the old password to get it to work. Also, I strongly suggest encrypting any passwords in scripts with a salted passphrase. So it ends up something like:

#!/bin/bash
# Set Parameter 4 as the username
# Set Parameter 5 as your old password encrypted string
# Set Parameter 6 as your new password encrypted string
oldpwsalt="<value of salt>"
newpwsalt="<value of salt>"
oldpassphrase="<value of passphrase>"
newpassphrase="<value of passphrase>"
# Decrypt both parameters on the fly and hand the old and new password to dscl
/usr/bin/dscl . passwd "/Users/$4" "$(echo "${5}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$oldpwsalt" -k "$oldpassphrase")" "$(echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$newpwsalt" -k "$newpassphrase")"
status=$?
if [ "$status" -eq 0 ]; then
    echo "Password was changed successfully."
else
    echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi
exit $status

To get all those values for the script above you have to run something like the following, where "password" is the old password, and then run it again with the new password.

PASSWORD='password'
# Random salt (8 bytes as hex, the format -S expects) and random passphrase
SALT=$(openssl rand -hex 8)
K=$(openssl rand -hex 12)
# Base64 on a single line (-a -A) so it can be pasted into a policy parameter
ENCRYPTED=$(echo "${PASSWORD}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
echo "Encrypted String: ${ENCRYPTED}"
echo "Salt: ${SALT} | Passphrase: ${K}"
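A reworked version of the parameter-driven script above, added here as an example and not chris_fast's or Jamf's own code: it checks the parameters before decrypting, verifies the current password with dscl -authonly before changing anything, and confirms the new one afterwards. The salt and passphrase values are constructed placeholders, and dscl exists only on macOS.

```shell
#!/bin/bash
# Jamf passes: $4 = username, $5 = encrypted old password, $6 = encrypted new password.
# Salts/passphrases below are constructed placeholders: replace them with the
# values printed by the "openssl rand" generator earlier in the thread.
OLD_SALT="7f3a9c1e5b2d4068"; OLD_PASSPHRASE="placeholder-old-passphrase"
NEW_SALT="0b8e6d4c2a19f357"; NEW_PASSPHRASE="placeholder-new-passphrase"

# Same cipher and flags as the thread's generator, so its strings decrypt here.
# printf (not echo) avoids pushing a trailing newline through the cipher.
encrypt_secret() {  # $1 plaintext, $2 hex salt, $3 passphrase
  printf '%s' "$1" | openssl enc -aes256 -a -A -S "$2" -k "$3"
}
decrypt_secret() {  # $1 base64 ciphertext, $2 hex salt, $3 passphrase
  printf '%s' "$1" | openssl enc -aes256 -d -a -A -S "$2" -k "$3"
}

# Returns: 0 ok, 2 missing parameter, 3 decrypt failed, 4 current password
# rejected, 5 dscl change failed, 6 new password does not authenticate.
rotate_local_password() {  # $1 username, $2 encrypted old, $3 encrypted new
  local user="$1" old new
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || { echo "missing parameter" >&2; return 2; }
  old=$(decrypt_secret "$2" "$OLD_SALT" "$OLD_PASSPHRASE") || return 3
  new=$(decrypt_secret "$3" "$NEW_SALT" "$NEW_PASSPHRASE") || return 3
  # Prove the old password is right before touching the account.
  /usr/bin/dscl . -authonly "$user" "$old" >/dev/null 2>&1 \
    || { echo "current password rejected for $user" >&2; return 4; }
  /usr/bin/dscl . -passwd "/Users/$user" "$old" "$new" \
    || { echo "dscl could not change the password for $user" >&2; return 5; }
  /usr/bin/dscl . -authonly "$user" "$new" >/dev/null 2>&1 \
    || { echo "new password does not authenticate for $user" >&2; return 6; }
  echo "Password changed for $user."   # never echo the passwords themselves
}

# Jamf supplies at least 6 positional parameters; running by hand with none
# only loads the functions.
if [ $# -ge 6 ]; then
  rotate_local_password "$4" "$5" "$6"
  exit $?
fi
```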