Posted on 08-11-2008 01:07 PM
So,
Well I thought it would be a good idea to not enable the root account since there was no practical or real use for it. Now, there is a practical use for it, mainly with students (since I am in edu) and AUP violations. Is there a way to enable it remotely, say through a Casper policy?
It looks as if I use the dscl command and put a password on the root account it will enable it next reboot? Has anyone tried this? If I do a dscl . list /Users it will list that the root account is there but it is not enabled in my main image.
I think if I put a password on the account it would be accessible. Has anyone done anything like this before?
Thanks,
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351
Posted on 08-11-2008 01:37 PM
Well my Google-Fu sucks, because I didn't come up with the answer, but Cam emailed me the proper command and it works:
/usr/sbin/dsenableroot -u local_admin -p local_admin_pw -r root_password
Of course, fill in the blanks, and that is how you enable the root account.
Just FYI for anyone who was curious.
Thx
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351
Posted on 05-31-2013 04:44 PM
Glad I found this. I created a script with the following syntax and applied to my machines via policy. Of course those aren't the actual passwords, or maybe they are :). Oh, and found out that if you have a password that has a $ in it you need to surround it with double quotes like this AdminPass="pa""$""$""word"
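#!/bin/bash
# Placeholder credentials; replace before deploying.
AdminPass="password"
RootPass="password"
# Quote the expansions so passwords containing spaces or glob characters are passed intact.
/usr/sbin/dsenableroot -u administrator -p "$AdminPass" -r "$RootPass"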
Posted on 06-02-2013 05:01 PM
Oh this is awesome, thanks for this. Yet another step I can set by policy and not worry about anymore.
Posted on 10-28-2014 08:46 AM
Really useful.
Thanks.
Posted on 10-28-2014 10:32 AM
Hi Everyone,
I just wanted to chime in and give a bit of a back story to this. I worked in EDU, and per policy, we had to enable a way for School Administrators to gain full access to a system. This was the method we used. I actually do not recommend enabling the root user, but considering my environment and the requirements set by management, that is what I did.
We had a script that we could run via ARD or Casper Remote when someone requested full access to a Mac laptop. My actual script actually redirected all output to /dev/null and passwords were passed via parameters. I honestly do not recommend enabling the root account for security reasons, but I understand that in a situation like I was in, I had no choice.
Just wanted to add that bit in.
Cheers,
Tom
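A parameter-driven form of the policy script, following the approach described in the post above (passwords passed as parameters, all output sent to /dev/null). This is an added example, not code from the thread; the use of Jamf script parameters 4 to 6 for the credentials and the `DSENABLEROOT` override variable are assumptions.

```shell
#!/bin/bash
# Added example: Jamf (Casper) policy script. Parameters 1-3 are reserved by
# the framework; using 4-6 for the credentials is an assumption.

# Assumption: overridable path so the function can be exercised off-macOS.
DSENABLEROOT="${DSENABLEROOT:-/usr/sbin/dsenableroot}"

# enable_root ADMIN_USER ADMIN_PASS ROOT_PASS
# Returns 2 on missing input, 3 if the tool is absent, else the tool's status.
enable_root() {
    # Refuse empty values rather than letting the tool prompt for them
    # or proceed with a blank password.
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "enable_root: admin user, admin password and root password required" >&2
        return 2
    fi
    if ! command -v "$DSENABLEROOT" >/dev/null 2>&1; then
        echo "enable_root: $DSENABLEROOT not found" >&2
        return 3
    fi

    # Quoted expansions: '$', spaces and glob characters in a password reach
    # the tool unchanged, with no need to split the string into quoted pieces.
    # Output is discarded so nothing from the tool lands in the policy log.
    # Caveat: values given to -p/-r are visible in the process list while
    # the tool runs.
    "$DSENABLEROOT" -u "$1" -p "$2" -r "$3" >/dev/null 2>&1
}

# Run only when the policy supplied all three values.
if [ "$#" -ge 6 ]; then
    enable_root "$4" "$5" "$6"
    exit $?
fi
```

With this form no password is stored in the script body itself; the values live in the policy that calls it.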
Posted on 06-17-2019 07:14 AM
This script no longer seems to work in Mojave. Any idea why? Thanks.
Posted on 07-29-2019 12:56 PM
Anyone know why it isn't working in Mojave? It's very helpful to us to have the root account active as a last resort when we can't get into the AD or local admin accounts.
Posted on 07-30-2019 06:04 AM
May be due to Apple's increasingly stringent security. At this point it's probably more advisable to have a completely separate Jamf management account with a randomized password that can be used to re-establish another local account if you lose interactive access.