
Hi,



I'm running a very basic script, which works, to change the local admin password on all our Macs. But, I want to know how to check if the currentPwd already matches the newPwd, and if so then it must exit.



How do I do that?



if [ "$currentPwd" = "$newPwd" ]; then
    echo 'password is correct'
else
    # change account password
    :
fi


Thank you to @adolfsson for the initial idea:



The Script below works but as you can see it's not very 'clever' 🙂



Script:



# Jamf script parameters 4-6
currentPassword="$4"
newPassword="$5"
accountName="$6"

adminUser="remoteadmin"

# Check that we are changing ONLY for remoteadmin
if [ "$adminUser" == "${accountName}" ]
then
    # Change management account locally on mac
    sudo dscl . passwd /Users/"${accountName}" "${currentPassword}" "${newPassword}"

    echo " Local Admin Account - Password changed! "

    # Report management account password back to JSS
    sudo jamf recon -sshUsername remoteadmin -sshPassword "${newPassword}"

    echo " Local Management Account - password passed to JSS! "
else
    echo " You are trying to change the wrong account. No Changes! "
fi

#!/bin/sh
# Authenticate only; discard dscl's output and test its exit status
dscl /Local/Default -authonly "${loggedInUser}" "${userpassword}" >/dev/null 2>&1
if [ "$?" != "0" ]; then
    echo "Login incorrect"
fi


If it works, it's the new password. If it doesn't, then it's the old. Or vice versa, check the other way.


@boberito thanks, newb question: What is this testing?



if [ "$?" != "0" ]



$? will give you the exit code of a command. If it equals 0, it exited successfully.



Sometimes programs or scripts will do a different exit code so you know sort of why it failed. A good example or sort of explanation is if you run jamfHelper "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -help. At the bottom of the help it says...



Return Values: The JAMF Helper will print the following return values to stdout...
0 - Button 1 was clicked
1 - The Jamf Helper was unable to launch
2 - Button 2 was clicked
XX1 - Button 1 was clicked with a value of XX seconds selected in the drop-down
XX2 - Button 2 was clicked with a value of XX seconds selected in the drop-down
239 - The exit button was clicked
243 - The window timed-out with no buttons on the screen
250 - Bad "-windowType"
255 - No "-windowType"


So different exit codes based off different results.



Basically in the small script example I initially posted, if login succeeds the exit code is 0. If it doesn't, it's something else but we don't care what it is, we just care that it wasn't 0.



Hopefully that all makes sense.


@boberito thanks, that's perfect. This worked and will help me with a few other things too. Thanks


You can strip down the true/false check in boberito's solution even further, like so:



#!/bin/sh
if dscl /Local/Default authonly "${loggedInUser}" "${userpassword}" ; then
    echo "Valid Login"
fi


Or if you want to test for an invalid login, add an ! in there:



#!/bin/sh
if ! dscl /Local/Default authonly "${loggedInUser}" "${userpassword}" ; then
    echo "Invalid Login"
fi


If you omit the [ ] and run a command as part of the if, it will evaluate true if the error state is 0 (success) and false for any non-zero error state.



The downside (if you care) of this method is that it does still echo the error if the password is wrong. 🙂
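
Added example, not part of any post in this thread: the exit-status checks discussed above combined into one function that skips the change when the new password already authenticates, and refuses to proceed when neither password does. The function names and result strings are assumptions of this example; `dscl` output is discarded so a failed check prints nothing.

```sh
#!/bin/sh
# Added example (function names and result strings are hypothetical).
# Note: dscl takes the passwords as arguments, so they are visible in the
# process list while it runs; keep the calls few and short-lived.

# password_matches USER PASSWORD
# Exit status 0 if PASSWORD authenticates USER in the local directory node.
password_matches() {
    dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# rotate_password USER CURRENT NEW
# Prints exactly one of:
#   already-current   NEW already authenticates, nothing was changed
#   changed           CURRENT was valid and NEW now authenticates
#   unknown-password  neither NEW nor CURRENT authenticates, nothing changed
#   change-failed     CURRENT was valid but the change did not take effect
rotate_password() {
    user=$1 current=$2 new=$3

    # Check the new password first: if it works, the Mac is already done.
    if password_matches "$user" "$new"; then
        echo "already-current"; return 0
    fi

    # The account is in an unexpected state; do not attempt a change.
    if ! password_matches "$user" "$current"; then
        echo "unknown-password"; return 2
    fi

    # Change it, then confirm the result instead of assuming success.
    if dscl . passwd "/Users/$user" "$current" "$new" >/dev/null 2>&1 &&
       password_matches "$user" "$new"; then
        echo "changed"; return 0
    fi
    echo "change-failed"; return 1
}

# In a Jamf policy script, with the parameter order used earlier in the thread:
#   rotate_password "$6" "$4" "$5"
```

Reporting the new password to Jamf, as the original script does with `jamf recon`, would only be needed when the result is `changed`.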


How was your local admin account provisioned?

