Solved

Changing the adm password by script



Hello friends, I'm trying to make a script to change the user password on about 200 machines and I'm not getting it. What I have so far is this:

#!/bin/bash

unset HISTFILE
dscl . -passwd /Users/username newpassword
security set-keychain-password -o oldpassword -p newpassword

Best answer by Quan_nong

Hi @angelofilho33, is the admin account identical on all the machines? If so, you could use a policy payload to do this rather than creating a script.


10 replies


Hope this helps. I do this where I am

#!/bin/sh

# New password for the local admin account
password="your_NewPassword"

# Set the password for the ladmin account
/usr/bin/dscl . passwd /Users/ladmin "$password"
status=$?

# Report the result using the dscl exit status
if [ "$status" -eq 0 ]; then
    echo "Password was changed successfully."
else
    echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi

exit $status


For the keychain it's a bit wonky

#!/bin/sh

sudo security set-keychain-password -o oldpassword -p newpassword /Users/test/Library/Keychains/login.keychain


I use reference books when programming. I would buy this as it can help out

https://www.amazon.com/Bash-Pocket-Reference-Power-Admins/dp/1491941596/ref=pd_bxgy_14_img_3?_encoding=UTF8&pd_rd_i=1491941596&pd_rd_r=PAXGK2FQESB2H0AKEH03&pd_rd_w=BSNgN&pd_rd_wg=XNJBS&psc=1&refRID=PAXGK2FQESB2H0AKEH03


  • Contributor
  • 44 replies
  • Answer
  • March 6, 2018

Hi @angelofilho33, is the admin account identical on all the machines? If so, you could use a policy payload to do this rather than creating a script.


  • Author
  • New Contributor
  • 5 replies
  • June 6, 2018

Sorry for the delay in replying. I created a policy the way Nong did, and everything went well. Thanks Nong. Thanks Glover.


Giannini
  • New Contributor
  • 9 replies
  • February 3, 2020

Hi Christopher, I tried out your shell script manually and it works on the basis that you enter the old password. How can this be deployed across many machines via Jamf?


jamiesmithJAX

I've got the same question as @Giannini: is there a way to use this via JAMF? It works great when run manually, but it fails when run via JAMF trying to enter the old password.


  • Valued Contributor
  • 359 replies
  • November 9, 2020

Putting the admin password in a script does not sound like a good idea.


  • New Contributor
  • 1 reply
  • February 3, 2021

I am able to get the policy to work for High Sierra OS but not for Big Sur OS. Does anyone know if there is a difference with Big Sur?


  • New Contributor
  • 3 replies
  • March 20, 2021

@IreneGarcia - you may want to check out the post (posted 12/6/2018 at 9:46 AM CST by LovelessinSEA) in https://www.jamf.com/jamf-nation/discussions/30317/resetting-local-account-password-via-policy-is-sporadically-failing

For the reason mentioned in that post we can't use the policy to change our account password. I'm using an adaptation of ChristopherGlover's script, but had to add in a bit for the old password to get it to work. Also, I strongly suggest encrypting any passwords in scripts with a salted passphrase. So it ends up something like:

#!/bin/bash
# Set Parameter 4 as the username
# Set Parameter 5 as your old password encrypted string
# Set Parameter 6 as your new password encrypted string
oldpwsalt="<value of salt>"
newpwsalt="<value of salt>"
oldpassphrase="<value of passphrase>"
newpassphrase="<value of passphrase>"

# Decrypt both parameters with the salt and passphrase they were encrypted with
oldpw="$(echo "${5}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$oldpwsalt" -k "$oldpassphrase")"
newpw="$(echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$newpwsalt" -k "$newpassphrase")"

# Change the password, supplying the old one followed by the new one
/usr/bin/dscl . passwd "/Users/$4" "$oldpw" "$newpw"
status=$?

if [ "$status" -eq 0 ]; then
     echo "Password was changed successfully."
else
     echo "An error was encountered while attempting to change the password. /usr/bin/dscl exited $status."
fi
exit $status

To get all those values for the script above, you have to run something like the below, where "password" is the old password, and then run it again with the new password.

PASSWORD='password'
SALT=$(openssl rand -hex 8)
K=$(openssl rand -hex 12)
ENCRYPTED=$(echo "${PASSWORD}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
echo "Encrypted String: ${ENCRYPTED}"
echo "Salt: ${SALT} | Passphrase: ${K}"

Reply
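An added example, not part of the original post or Jamf's own code: the same openssl round trip wrapped in functions, with a check so that a failed decryption of parameter 5 or 6 never reaches dscl as a password. The function names are assumptions, and the salt and passphrase values remain the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the openssl flags are the ones used in the post above.

# encrypt_string <plaintext> <salt-hex> <passphrase>  -> base64 on stdout
encrypt_string() {
    printf '%s' "$1" | openssl enc -aes256 -a -A -S "$2" -k "$3" 2>/dev/null
}

# decrypt_string <base64> <salt-hex> <passphrase>  -> plaintext on stdout
# Returns non-zero when openssl reports an error or the result is empty, so a
# bad salt, passphrase or truncated parameter is caught before dscl runs.
decrypt_string() {
    ds_out=$(printf '%s\n' "$1" |
        openssl enc -aes256 -d -a -A -S "$2" -k "$3" 2>/dev/null) || return 1
    [ -n "$ds_out" ] || return 1
    printf '%s' "$ds_out"
}

# change_password <user> <old-encrypted> <new-encrypted>
# Returns 2 without touching the account if either value fails to decrypt.
change_password() {
    oldpw=$(decrypt_string "$2" "$oldpwsalt" "$oldpassphrase") || {
        echo "Could not decrypt the old password; nothing changed." >&2
        return 2
    }
    newpw=$(decrypt_string "$3" "$newpwsalt" "$newpassphrase") || {
        echo "Could not decrypt the new password; nothing changed." >&2
        return 2
    }
    /usr/bin/dscl . passwd "/Users/$1" "$oldpw" "$newpw"
}

# Placeholders, as in the post: fill in the values printed by the generator.
oldpwsalt="<value of salt>"
newpwsalt="<value of salt>"
oldpassphrase="<value of passphrase>"
newpassphrase="<value of passphrase>"

# Jamf passes the policy's custom values as parameters 4, 5 and 6.
if [ -n "${6:-}" ]; then
    change_password "$4" "$5" "$6"
    status=$?
    echo "Password change step exited $status."
    exit "$status"
fi
```
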

