+3Hello friends I'm trying to make a script to change the user password of about 200 machines and I'm not getting it, what I have so far and this
unset HISTFILE
dscl . -passwd /Users/username newpassword
security set-keychain-password -o oldpassword -p newpassword
Best answer by Quan_nong
Hi @angelofilho33 Is the admin account identical on all the machines? If so, you could use a policy
payload to do this rather then creating a script
+5Hope this helps. I do this where I am
#!/bin/sh
password="your_NewPassword"
/usr/bin/dscl . passwd /Users/ladmin "$password"
status=$?
if [ $status == 0 ]; then
echo "Password was changed successfully."
elif [ $status != 0 ]; then
echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi
exit $statusFor the keychain its a bit wonky
#!/bin/sh
sudo security set-keychain-password -o oldpassword -p newpassword /users/test/Library/Keychains/login.keychainI use reference books when programming. I would buy this as it can help out
[https://www.amazon.com/Bash-Pocket-Reference-Power-Admins/dp/1491941596/ref=pd_bxgy_14_img_3?_encoding=UTF8&pd_rd_i=1491941596&pd_rd_r=PAXGK2FQESB2H0AKEH03&pd_rd_w=BSNgN&pd_rd_wg=XNJBS&psc=1&refRID=PAXGK2FQESB2H0AKEH03](link URL)
+8Hi @angelofilho33 Is the admin account identical on all the machines? If so, you could use a policy
payload to do this rather then creating a script
+3Sorry for the delay to reply. I created a policy, the way Nong did and everything went well. Thanks Nong. Thanks Glover
+3Hi Christopher i tried out your shell script manually and it works on the bassis that you enter the old password. how can this be deployed across many machines via jamf
+9I've got the same question as @Giannini is there a way to use this via JAMF? Works great when run manually but it fails when run via JAMF trying to enter the old password
+2I am able to get the policy to work for High Sierra OS but not for Big Sur OS. Does anyone know if there is a difference with Big Sur?
+2@IreneGarcia - you may want to check out the post Posted: 12/6/2018 at 9:46 AM CST by LovelessinSEA in https://www.jamf.com/jamf-nation/discussions/30317/resetting-local-account-password-via-policy-is-sporadically-failing
For the reason mentioned in that post we can't use the policy to change our account password. I'm using an adaptation of ChristopherGlover's script, but had to add in a bit for the old password to get it to work. Also I strongly suggest encrypting any passwords in scripts with a salted passphrase So it ends up something like
#!/bin/bash
#set Parameter 4 as the username
#set Parameter 5 as your old password encrypted string
#set Parameter 6 as your new password encrypted string
oldpwsalt="<value of salt>"
newpwsalt="<value of salt>"
oldpassphrase="<value of passphrase>"
newpassphrase="<value of passphrase>"
/usr/bin/dscl . passwd /Users/$4 "$(echo "${5}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$oldpwsalt" -k "$oldpassphrase")" "$(echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$newpwsalt" -k "$newpassphrase")"
status=$?
if [ $status == 0 ]; then
echo "Password was changed successfully."
elif [ $status != 0 ]; then
echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi
exit $statusTo get all those values for the script above you have to run something like below where "password" old password and then run it again with the new password.
PASSWORD='password'
SALT=$(openssl rand -hex 8)
K=$(openssl rand -hex 12)
ENCRYPTED=$(echo "${PASSWORD}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
echo "Encrypted String: ${ENCRYPTED}"
echo "Salt: ${SALT} | Passphrase: ${K}"Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
