Resetting an Admin Password periodically on Local Users

igal_tovievich
New Contributor II

Hey folks,

We want to reset passwords to admin accounts periodically (on many computers with the same admin username), and for this purpose, thinking of something along the lines of:

  1. Creating an extension attribute that pulls the creation or modification date of a log-file created at /var/log for users.
  2. Creating a smartgroup that includes all users that have a date before today (for example).
  3. Use a policy that changes the password for these accounts and runs on all computers in the mentioned smartgroup.

Currently, the extension attribute "concept" is:

#!/bin/sh

# Extension attribute concept: report when the password-reset marker was last written.
# Option 1: grep the date out of the log written after the reset. A bare $(date) includes
# the time of day and will not match an earlier entry, so match on a date-only format
# (assumes the log records the date as YYYY-MM-DD when the marker is touched).
result=$(grep "$(date '+%Y-%m-%d')" /var/log/passwordresetdate.log)
# Option 2: read the file's birth date directly. The original attempt used GNU syntax
# (stat -c '%w'), which macOS stat does not support; the BSD form is:
# result=$(stat -f '%SB' -t '%Y-%m-%d' /var/log/passwordresetdate.log)

echo "<result>$result</result>"

The end result should be a policy that does this once in X time, and afterwards all the admin users with this username on all designated computers will have a new password. This will keep running on computers until they all have the new password (and due to this I figured we need

Will appreciate any input on how to make this process better, and if it is possible to pull the creation date from a file created (I'll use touch to create the file after the policy runs the password reset using a trigger that will run on another policy) for this purpose!


kburns
New Contributor III

I would suggest taking a look at this https://github.com/NU-ITS/LAPSforMac

We used this (and adapted slightly) to randomize a local admin password on our machines. We previously used the LAPS utility created by Joshua Miller, but since moving away from binding our devices to AD, we had to find a different solution and this fit our needs.

igal_tovievich
New Contributor II

I will check out LAPS, and would also appreciate possible alternatives. Can anyone recommend a script or a way to use sysadminctl in Catalina and Mojave to reset password X to password Y for an admin user?
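An added example (not from any poster in this thread, nor from LAPSforMac or EasyLAPS) that ties the marker-file workflow from the opening post to the sysadminctl question above: the `rotate_password` function is the policy body, `extension_attribute` is the EA body, and `needs_rotation` is the date check the smart group would otherwise perform. It assumes the marker holds one ISO date (YYYY-MM-DD) and that Jamf passes the account, new password, authorising admin and that admin's password as policy parameters $4 to $7 (a hypothetical parameter layout).

```shell
#!/bin/sh
# Rotation policy script plus the matching extension-attribute read.
# Assumptions (not from the thread): the marker holds one ISO date (YYYY-MM-DD);
# Jamf passes the account, new password, authorising admin and its password
# as policy parameters $4 to $7.
set -u

MARKER="${MARKER:-/var/log/passwordresetdate.log}"

# Print the date recorded in the marker file; nothing if the file is absent.
read_marker_date() {
    if [ -f "$1" ]; then head -n 1 "$1"; fi
}

# True (0) when the marker at $1 is missing, malformed, or dated before $2.
# Dates are YYYY-MM-DD, so dropping the dashes gives a comparable integer.
needs_rotation() {
    marker="$(read_marker_date "$1")"
    case "$marker" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 0 ;;   # never rotated or corrupt marker: rotate now
    esac
    [ "$(printf '%s' "$marker" | tr -d '-')" -lt "$(printf '%s' "$2" | tr -d '-')" ]
}

# Extension attribute body: report only the date, never anything about the password.
extension_attribute() {
    echo "<result>$(read_marker_date "$MARKER")</result>"
}

# Policy body: reset the local admin password, then stamp the marker.
rotate_password() {
    user="$1" newpw="$2" admin="$3" adminpw="$4"
    dscl . -read "/Users/$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    # An authorising admin is required for Secure Token accounts; note the
    # credentials are visible in the process list for the duration of the call.
    sysadminctl -resetPasswordFor "$user" -newPassword "$newpw" \
        -adminUser "$admin" -adminPassword "$adminpw" || return 1
    date '+%Y-%m-%d' > "$MARKER" && chmod 600 "$MARKER"
}

# Jamf reserves $1-$3 (mount point, computer name, user); parameters start at $4.
if [ $# -ge 7 ]; then
    rotate_password "$4" "$5" "$6" "$7"
fi
```

Because the marker records only a date, the extension attribute never exposes the password itself; the smart group keys on that date and the policy stops re-running once every Mac carries a current marker.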

francksartori
New Contributor II

You may also test EasyLAPS. I'm the author of this tool, which is designed to regularly rotate the local administrator account password of a Mac and store it in an MDM like Jamf Pro or Jamf School.