local account password reset

pinsent
New Contributor III

I have no doubt that this has been discussed before but I can't seem to find any discussions relevant to my scenario.

In the event that a user locks themselves out from their machine, how can I push a policy to reset the local account password or even create a new account when the user is unable to login and the administrator is unable to get hands on the machine?

6 REPLIES 6

AdamCraig
Contributor III

If the computer is filevault encrypted and has been rebooted then you can't because it needs to be unencrypted to get online.

Otherwise you could push a temporary account and later remove it using the local accounts provision

4dc634d8c7b84ca7baa0267b08e47d70

To avoid the filevault issue I pushed "rescue" accounts with randomized unique passwords to every computer when everyone went remote.

pinsent
New Contributor III

This is exactly what I ended up doing. We have admin accounts with super secret passwords but to hand that out defeats the whole "super secret" thing.

Thanks for taking the time to reply

emilshouse
New Contributor II

@strayer Can you please elaborate on how you created the "rescue" accounts? I am particularly interested in how you were able to create the randomized unique passwords for each computer (Were you able to automate this process?).

AdamCraig
Contributor III

@emilshouse Everything is automated, there is a setup, and three policies:
SETUP:
A policy installs pass_phrase.py and 3 .txt files to that are random word lists. I put it into /Library/Application Support/COMPANYNAME/passphrase https://github.com/theadamcraig/jamf-scripts/blob/master/pass_phrase.py

There are two extension attributes. One as a text, and the other to read a local file incase the script doesn't use the API successfully. I've included screenshots of both of those.
be0268eee8cd4c61af22cb0a3981152d

96aaa760c0304b9d86881ed06e6a6038

There is are 3 policies:
One creates the account with a temp password and changes the password. It is scoped to all computers with no rescue account on them.
One changes the password. It is scoped to computers where both extension attributes are blank.

One grabs the password from the -local file and uploads it using the API and deletes it. It is scoped to computers where the RescuePassword-Local is not blank, but the RescuePassword is blank.

This also means that once the RescuePassword is used you can delete the text extension attribute and the password will reset itself.

Here are the other two scripts: https://github.com/theadamcraig/jamf-scripts/blob/master/rescue_account_cleanup
https://github.com/theadamcraig/jamf-scripts/blob/master/Rescue_Account_Password_Change

My Disclaimer: I did not write most of these scripts. I did some major changes to the Rescue Account Password Change scripts, but i linked the github where I found the original script in the comments of it on github.

12a81e8e7bd84c3f89d6d7e66e2887a5

1eee49f6871d449b86f786b3b45bee47

That's a good overview of how it works. Since my entire company is remote it's been pretty successful.

sateshb
New Contributor III

Take a look at LAPSforMac, you can create a local admin account, routinely update its password and even make the password available to support in the form of device inventory.

mwu1876
Contributor

Does it work with Big Sur? It looks like it hasn't been updated in years.