Enable root account via Casper policy?

tlarkin
Honored Contributor

So,

Well I thought it would be a good idea to not enable the root account since there was no practical or real use for it. Now, there is a practical use for it, mainly with students (since I am in edu) and AUP violations. Is there a way to enable it remotely, say through a casper policy?

It looks as if I use the dscl command and put a password on the root account it will enable it next reboot? Has anyone tried this? If I do a dscl . list /Users it will list that the root account is there but it is not enabled in my main image.

I think if I put a password on the account it would be accessible. Has anyone done anything like this before?

Thanks,

Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351

8 REPLIES

tlarkin
Honored Contributor

Well, my Google-Fu sucks, because I didn't come up with the answer, but Cam emailed me the proper command and it works:

/usr/sbin/dsenableroot -u local_admin -p local_admin_pw -r root_password

Of course fill in the blanks and that is how you enable the root account.

Just FYI for anyone who was curious.

Thx

Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351

dexterrivera
New Contributor III

Glad I found this. I created a script with the following syntax and applied it to my machines via policy. Of course those aren't the actual passwords, or maybe they are :). Oh, and I found out that if you have a password that has a $ in it, you need to surround it with double quotes like this: AdminPass="pa""$""$""word"

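#!/bin/bash

# Placeholder credentials; replace before use.
AdminPass="password"
RootPass="password"

# Quote the expansions so a password containing spaces or glob characters is not split.
/usr/sbin/dsenableroot -u administrator -p "$AdminPass" -r "$RootPass"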
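
The quoting behaviour discussed in the post above, as an added example that is not part of the thread or of anyone's production script: it shows what a password containing `$` or a space looks like by the time it reaches a command's argument list. `show_argv` is a hypothetical stand-in for the real command, the password is a constructed sample, and nothing here changes an account.

```shell
#!/bin/bash
# Added example (not from the thread): nothing here touches an account.
# show_argv is a hypothetical stand-in that reports the arguments a command
# such as dsenableroot would receive.
show_argv() {
    printf '%d args:' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# Constructed sample value containing "$" and a space; not a real credential.
# Single quotes keep every character exactly as typed.
RootPass='pa$$ word'

# Double quotes still expand "$$" (the shell's process ID), so this
# assignment silently stores a different password.
Mangled="pa$$ word"

# Unquoted expansion: the shell splits on the space, so -r gets only "pa$$"
# and "word" becomes a stray extra argument.
unquoted() { show_argv -u administrator -r $RootPass; }

# Quoted expansion: the whole value arrives as one argument.
quoted() { show_argv -u administrator -r "$RootPass"; }

unquoted   # 5 args: [-u] [administrator] [-r] [pa$$] [word]
quoted     # 4 args: [-u] [administrator] [-r] [pa$$ word]
[ "$Mangled" = "$RootPass" ] || echo "double-quoted assignment changed the value"
```
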

Aaron
Contributor II

Oh this is awesome, thanks for this. Yet another step I can set by policy and not worry about anymore.

andysemak
Contributor

Really useful.

Thanks.

tlarkin
Honored Contributor

Hi Everyone,

I just wanted to chime in and give a bit of a back story to this. I worked in EDU, and per policy, we had to enable a way for School Administrators to gain full access to a system. This was the method we used. I actually do not recommend enabling the root user, but considering my environment and the requirements set by management, that is what I did.

We had a script that we could run via ARD or Casper Remote when someone requested full access to a Mac laptop. My actual script actually redirected all output to /dev/null and passwords were passed via parameters. I honestly do not recommend enabling the root account for security reasons, but I understand that in a situation like I was in, I had no choice.

Just wanted to add that bit in.

Cheers,
Tom

stephaniemm77
Contributor II

This script no longer seems to work in Mojave. Any idea why? Thanks.

cyberspread_71
New Contributor III

Anyone know why it isn't working in Mojave? It's very helpful to us to have the root account active as a last resort when we can't get into the AD or local admin accounts.

seann
Contributor

May be due to Apple's increasingly stringent security. At this point it's probably more advisable to have a completely separate jamf management account with a randomized password that can be used to re-establish another local account if you lose interactive access.