local account password reset

New Contributor III

I have no doubt that this has been discussed before but I can't seem to find any discussions relevant to my scenario.

In the event that a user locks themselves out from their machine, how can I push a policy to reset the local account password or even create a new account when the user is unable to login and the administrator is unable to get hands on the machine?


Contributor III

If the computer is FileVault-encrypted and has been rebooted, then you can't, because it needs to be unencrypted to get online.

Otherwise you could push a temporary account and later remove it using the local accounts provision.


To avoid the FileVault issue I pushed "rescue" accounts with randomized unique passwords to every computer when everyone went remote.

New Contributor III

This is exactly what I ended up doing. We have admin accounts with super secret passwords but to hand that out defeats the whole "super secret" thing.

Thanks for taking the time to reply.

New Contributor II

@strayer Can you please elaborate on how you created the "rescue" accounts? I am particularly interested in how you were able to create the randomized unique passwords for each computer (Were you able to automate this process?).

Contributor III

@emilshouse Everything is automated; there is a setup and three policies:
A policy installs pass_phrase.py and 3 .txt files that are random word lists. I put them into /Library/Application Support/COMPANYNAME/passphrase. https://github.com/theadamcraig/jamf-scripts/blob/master/pass_phrase.py

There are two extension attributes. One is a text attribute, and the other reads a local file in case the script doesn't use the API successfully. I've included screenshots of both of those.


There are 3 policies:
One creates the account with a temp password and changes the password. It is scoped to all computers with no rescue account on them.
One changes the password. It is scoped to computers where both extension attributes are blank.

One grabs the password from the local file, uploads it using the API, and deletes it. It is scoped to computers where RescuePassword-Local is not blank, but RescuePassword is blank.

This also means that once the RescuePassword is used you can delete the text extension attribute and the password will reset itself.

Here are the other two scripts: https://github.com/theadamcraig/jamf-scripts/blob/master/rescue_account_cleanup

My Disclaimer: I did not write most of these scripts. I made some major changes to the Rescue Account Password Change scripts, but I linked the GitHub where I found the original script in the comments of it on GitHub.



That's a good overview of how it works. Since my entire company is remote it's been pretty successful.

I've since rewritten the pass_phrase.py script into zsh to avoid Python dependencies, since Apple recently removed built-in Python.

But the process is the same.

EDIT: Updated Link

Where is pass_phrase.sh? The link does not work anymore.


I re-organized my GitHub when I was talking at JNUC in the fall.

New Contributor II

I want to try it out, but it's so hard. Can you take a video of how to set it up?

You should probably start using Jamf's built-in LAPS now.


Though there is no GUI yet to view the password. Jamf said they are working on that.

Adam Craig's data is currently impossible to implement, right?

New Contributor III

Take a look at LAPSforMac, you can create a local admin account, routinely update its password and even make the password available to support in the form of device inventory.


Does it work with Big Sur? It looks like it hasn't been updated in years.