Deployed local accounts are requiring password change on first login

New Contributor III

I've got a policy that creates a local admin account on my managed hosts. Upon first login, however, it requires that the password be changed in order to log in. This is causing problems when another admin goes in to log in after the fact. I also have a policy that says you can't use your last three passwords, so the admins can't change the password back to the old password after login. An additional policy requires local accounts to change their password after 180 days, but the account isn't even that old, so I wouldn't think that would be impacting things.

Has anyone run into this and found a way around it? It is as if the account gets created with the require password change on first login flag. Need to get rid of that but not sure how.


Valued Contributor II

You're using pwpolicy locally on the Macs? You could try clearing the pwpolicy options before deploying the user:

/usr/bin/pwpolicy clearaccountpolicies

then respecifying them after the user is created. There's a user attribute that isn't set that makes the system think the password needs to be reset.

I've experienced something like that with OS upgrades - a user attribute gets wiped out and the first login after an OS upgrade requires the password reset. The above strategy was my workaround, since I ran out of time investigating it...

Contributor III

You can also try clearing policies for that one account with

/usr/bin/pwpolicy -u localadmin clearaccountpolicies
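The clear, create, respecify sequence suggested in the replies, written out as an added example (not code from any poster in this thread). It saves the global policy first so the same rules go back on afterwards, and restores them even when account creation fails. The function names are hypothetical, and the account-creation step is whatever command you pass in, since the thread does not say how the account is created.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on macOS.
PWPOLICY="${PWPOLICY:-/usr/bin/pwpolicy}"

# Write the current global account policies to the file named in $1.
# pwpolicy prints a status line before the XML, so keep only the plist;
# feeding the status line back to -setaccountpolicies would fail.
save_global_policies() {
    "$PWPOLICY" -getaccountpolicies 2>/dev/null | sed -n '/<?xml/,$p' > "$1"
}

# Usage: create_with_policies_suspended <account-creation command> [args...]
# Clears the global policies, runs the caller's command, then restores
# the saved policies. Returns the creation command's exit status, or 2
# if the restore failed (the backup file is kept in that case).
create_with_policies_suspended() {
    backup=$(mktemp /tmp/pwpolicy-backup.XXXXXX) || return 1
    save_global_policies "$backup"

    if [ ! -s "$backup" ]; then
        # No global policy is set, so there is nothing to suspend.
        rm -f "$backup"
        "$@" || return $?
        return 0
    fi

    "$PWPOLICY" -clearaccountpolicies || { rm -f "$backup"; return 1; }

    rc=0
    "$@" || rc=$?

    # Always put the policies back, so the host is not left without a
    # password policy when account creation fails.
    if ! "$PWPOLICY" -setaccountpolicies "$backup"; then
        echo "restore failed; saved policies are in $backup" >&2
        return 2
    fi
    rm -f "$backup"
    return "$rc"
}
```

Between the clear and the restore the host has no global password policy, so keep the creation command short and check the exit status in whatever deploys this.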