Skip to main content
Question

How to change local admin password AND Keychain password?

  • November 5, 2019
  • 8 replies
  • 83 views
R
Forum|alt.badge.img+7

Hi,
I'd like to change the local admin password on our MacBooks in Jamf. I'm looking at the Policy Local Accounts -> Reset Account Password and it reads, "Set a new account password. This does not update the account's login keychain password or FileVault 2 password."

What options do I have to change the local account password and Keychain password? Do I have to do these separately? Or should I just give my users some instructions to update the keychain password?

Or is there a different workflow I should be thinking about?

    8 replies

    T
    Forum|alt.badge.img+7
    • teodle
    • Valued Contributor
    • November 6, 2019

    If you're using a local admin account only as a way to give your users privilege escalation (without their regular account being in the 501 admin group), then who cares about keychain? If they do actually log into the console as local admin, they'll get a prompt to either update or create new keychain and just tell them to always create new.

    S
    Forum|alt.badge.img+15
    • sshort
    • Valued Contributor
    • November 6, 2019

    If you create a policy that uses sysadminctl to change the password it will always create a new keychain. So if that's acceptable for your use case then you wouldn't have to worry about dealing with an out-of-sync keychain.

    Here's an example I made with an interactive element, however you can trash that part and just hardcode whatever new password you want using a variable in your script. The base command is sysadminctl -adminUser adminUserHere -adminPassword adminPasswordHere -resetPasswordFor userToBeResetHere -newPassword newUserPasswordHere

    markopolo
    I
    gvitoro
    A
    Forum|alt.badge.img+16
    • AdamCraig
    • Valued Contributor
    • November 6, 2019

    I've created a script which will fix these keychain issues after the fact for effected users:
    https://www.jamf.com/jamf-nation/discussions/33601/update-keychain-password-script

    M
    R
    Forum|alt.badge.img+7
    • ralvarezOES
    • Author
    • Contributor
    • November 7, 2019

    Thanks for all the reply. I'll test them today and post back how it turned out.

    B
    Forum|alt.badge.img+4

    Did this work for you? Currently in same boat. i have a local admin acc provisioned upon pre-enrollment. And we have filevault 2 enabled. we grant out users a securetokenon and encrypt under their account.

    How did you accomplish this task?

    markopolo
    Forum|alt.badge.img+9
    • markopolo
    • Contributor
    • July 24, 2020
    Did this work for you? Currently in same boat. i have a local admin acc provisioned upon pre-enrollment. And we have filevault 2 enabled. we grant out users a securetokenon and encrypt under their account. How did you accomplish this task?

    Would love to get an answer on this as well. Need to set new password for the local admin account (IT use only) and also update the FileVault 2 password. Is there an easy terminal command I can set to run after the "Local Accounts" payload?

    T
    K
    A
    • Anonymous
    • August 10, 2020

    here are the script that change admin password:

    !/bin/bash

    UPDATE KEYCHAIN PASSWORD

    username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
    loggedInUID=$(id -u "$username")

    Find the renamed keychains

    renamed=""

    for n in {1..9} ; do long="Users/$username/Library/Keychains/login_renamed_$n.keychain-db" short="login_renamed_$n.keychain-db" echo "$long" if [[ ! -f $long ]] ; then echo "Above Keychain not Found" else renamed="$long" short_renamed="$short" echo "renamed set to Above Keychain" fi
    done

    If the rename keychain isn't found then exit

    if [[ -z "$renamed" ]] ; then echo "Renamed keychain not found." dialog="Old keychain not found." cmd="Tell app "System Events" to display dialog "$dialog"" /usr/bin/osascript -e "$cmd" exit 1
    fi

    renamed=`echo ${renamed%???}`

    Prompt use for current password

    currentPass=$(/usr/bin/osascript<<END
    tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Please enter your Current account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
    end tell
    END)

    previousPass=$(/usr/bin/osascript<<END
    tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Please enter your Previous account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
    end tell
    END)

    Open the keychain to load it into keychain access

    open "$renamed" &

    sleep 2

    close keychain access

    killall Keychain Access

    unlock the previous keychain

    unlock_result=`expect -c "
    spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security unlock-keychain $short_renamed
    expect "password to unlock $renamed"
    send ${previousPass}
    expect"`

    if [[ "$unlock_result" == "The user name or passphrase you entered is not correct." ]] ; then echo "Previous Password did not unlock keychain" dialog="Previous Account password did not unlock the old keychain." cmd="Tell app "System Events" to display dialog "$dialog"" /usr/bin/osascript -e "$cmd" exit 1
    fi

    If it gets this far the Previous Password is correct

    change the password to the previous keychain

    expect -c "
    spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security set-keychain-password $short_renamed
    expect "Old Password:"
    send ${previousPass}
    expect "New Password:"
    send ${currentPass}
    expect "Retype New Password:"
    send ${currentPass}
    expect"

    Make a keychain archive on the users desktop

    mkdir /Users/$username/Desktop/Keychain Archive

    move the login keychain to the archive

    mv /Users/$username/Library/Keychains/login.keychain-db /Users/$username/Desktop/Keychain Archive/login.keychain-db

    copy the renamed keychain to the archive

    cp /Users/$username/Library/Keychains/$short_renamed /Users/$username/Desktop/Keychain Archive/$short_renamed

    wipe current keychain list

    /bin/launchctl asuser $loggedInUID sudo -iu "$username" security list-keychains -s none

    rename the renamed keychain to login

    mv $renamed /Users/$username/Library/Keychains/login.keychain-db

    add the login keychain to the list.

    /bin/launchctl asuser $loggedInUID sudo -iu "$username" security list-keychains -s login.keychain-db

    unlock keychain

    expect -c "
    spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security unlock-keychain login.keychain-db
    expect "password to unlock $renamed"
    send ${currentPass}
    expect"

    set that keychain to the default keychain

    result=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" security default-keychain -s "login.keychain-db")
    if [[ -z $result ]] ; then dialog="Updating Old Keychain is complete. Recommended to verify keychain looks correct then reboot the computer"
    else echo "$result" dialog="$result"
    fi
    cmd="Tell app "System Events" to display dialog "$dialog""
    /usr/bin/osascript -e "$cmd"

    exit 0

    A
    Forum|alt.badge.img+16
    • AdamCraig
    • Valued Contributor
    • August 17, 2020

    @DevidDecosta Here is that script on my github lhttps://github.com/theadamcraig/jamf-scripts/blob/master/Update_keychain_password_v4.sh

    This script doesn't update the password, it fixed the keychain issues after the password has been updated if the keychain password is not synced with the login password. (it specifically looks for a renamed keychain. so your keychain needs to break BEFORE that can fix it.)

    I've made some updates to it as well to resolve a few edge case issues.

    Terms & ConditionsCookie settingsAccessibility statement