Need to update local admin password

Contributor III

Hello all! Management has decided that it is time that we update our password that we use for our admin accounts on our fleet of computers. I currently have things set to have that account created during prestage enrollment. It's easy enough to update the password there for all new computers, but how do I go about updating the computers that are already in the wild? To possibly make this even more difficult, I have multiple different OS's out there (been trying to get people to update their OS when I tell them, but 90% don't read IT emails...)




New Contributor III

This is one way of doing it but it makes my stomach ache a little bit. To have the passwords in cleartext inside a script

/usr/bin/dscl . -passwd /Users/username newpassword
/usr/bin/security set-keychain-password -o oldpassword -p newpassword /Users/username/Library/Keychains/login.keychain


This will be my fallback if the idea below doesn't work.

Legendary Contributor III

Is this admin account enabled for FileVault as well or is it just a local admin account, no FileVault for it? 
If the situation is the latter, you can use a policy in Jamf Pro to reset an account password. I think it’s under the Accounts payload if I’m not mistaken. It should work. But that accounts keychain will become unusable if you need to log into it on any of those Macs. So the login.keychain would need to be deleted to fix that. 

if the account is in the FileVault enabled users list, well, then things are a bit trickier. You could still update the account password using the policy payload mentioned above but the FileVault password will not get updated that way. Meaning if you have to log into that account at the FV2 login screen, it’s going to want the old password. 

It's just a local admin password. I haven't started to use FileVault as of yet, that is my next big hurdle to deal with.

I will look into the Accounts payload to see if there is something there. I have a script that I use for folks that mess up things when they change their account passwords (I am stuck in an AD environment, they won't let me not bind to AD) and I can attach that script to the payload for the password change. I will report back if that works.

New Contributor II

Yea I was wondering this as well. I was hoping for a solution like LAPS