Help

Standard users created with dscl cannot change their passwords.

sunny_marie
New Contributor

Posted on β€Ž07-21-2014 12:27 PM

We're currently moving our users from managed mobile OD accounts to local user accounts, but we're running into some issues. We wrote a script to create the account and set essential attributes with dscl, and while the script doesn't return errors, the newly minted users cannot change their passwords. Instead they receive an error stating that their systems administrator may not allow them to change their password.

It should be noted that we're not converting existing accounts, rather we are creating new local accounts for each user when they get a new computer. However, the UID for the account is being set to match the user's old OD UID and the real name/short name will stay the same as well. The new computers are not bound to OD, so there shouldn't be any confusion.

Lastly, enabling Parental Controls on the account allows the user to change their password and I've noticed there are others here who have run into the same issue/work around, but I'd love a cleaner solution. Thanks in advance!

Edit: I need to redact my previous statement that enabling Parental Controls allows a password change. This is not in fact the case. What actually allows the PW change is unlocking the pref pane. If the pref pane is locked the user cannot change their password.

0 Kudos
2 REPLIES 2

mike_paul
Contributor III
Contributor III

Posted on β€Ž07-21-2014 02:48 PM

Something that I ran into in the past was that 10.7 and above require the attribute "dsAttrTypeNative:_writers_passwd:username" to be able to change passwords.

If you do a 'dscl . read /users/username' do you see that attribute?

I saw similar behaviors that if you unlocked the preference pane you were able to change the password without that attribute.

0 Kudos

sunny_marie
New Contributor

Posted on β€Ž07-22-2014 07:10 AM

Hi Mike,

So I tried adding that to the script, but I'm getting the same error. One thing I neglected to mention is that we're trying to deploy this via Casper Remote using the script option fields. There's a distinct possibility that my syntax for the writers attributes isn't right. I can't find a whole lot of documentation on that. the script it pasted below.

# Casper remote Mapping # $4 = Shortname
# $5 = First
# $6 = Last
# $7 = UID
# $8 = Password
# ${10} = #
#
fullname=$5" "$6

# Create a new entry for the user under /Users:
dscl . create /Users/$4

# Create and set the shell property to bash:
dscl . create /Users/$4 UserShell /bin/bash

# Set the user’s full name:
dscl . create /Users/$4 RealName "$fullname"

# Create and set a unique ID for the user. Pick whatever works for you here, ensuring that it hasn’t been used by previous users:
dscl . create /Users/$4 UniqueID $7

# Create and set the user’s group ID property:
dscl . create /Users/$4 PrimaryGroupID 20

# Set the user’s home directory by running the following command. Ensure that you replace both instances of the shortname in the command below:
dscl . create /Users/$4 NFSHomeDirectory /Users/$4

# Set their password. # Here, you’ll replace β€œPASSWORD” with the actual password that will be used initially for their account.
dscl . passwd /Users/$4 $8

# Set Writers Attributes
dscl . create /Users/$4 dsAttrTypeNative:_writers_hint: default
dscl . create /Users/$4 dsAttrTypeNative:_writers_LinkedIdentity: $4
dscl . create /Users/$4 dsAttrTypeNative:_writers_passwd: $8
dscl . create /Users/$4 dsAttrTypeNative:_writers_realname: $4

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.