Jamf Nation Community

sunny_marie · ‎07-21-2014

We're currently moving our users from managed mobile OD accounts to local user accounts, but we're running into some issues. We wrote a script to create the account and set essential attributes with dscl, and while the script doesn't return errors, the newly minted users cannot change their passwords. Instead they receive an error stating that their systems administrator may not allow them to change their password.

It should be noted that we're not converting existing accounts, rather we are creating new local accounts for each user when they get a new computer. However, the UID for the account is being set to match the user's old OD UID and the real name/short name will stay the same as well. The new computers are not bound to OD, so there shouldn't be any confusion.

Lastly, enabling Parental Controls on the account allows the user to change their password and I've noticed there are others here who have run into the same issue/work around, but I'd love a cleaner solution. Thanks in advance!

Edit: I need to redact my previous statement that enabling Parental Controls allows a password change. This is not in fact the case. What actually allows the PW change is unlocking the pref pane. If the pref pane is locked the user cannot change their password.

mike_paul · ‎07-21-2014

Something that I ran into in the past was that 10.7 and above require the attribute "dsAttrTypeNative:_writers_passwd:username" to be able to change passwords.

If you do a 'dscl . read /users/username' do you see that attribute?

I saw similar behaviors that if you unlocked the preference pane you were able to change the password without that attribute.

sunny_marie · ‎07-22-2014

Hi Mike,

So I tried adding that to the script, but I'm getting the same error. One thing I neglected to mention is that we're trying to deploy this via Casper Remote using the script option fields. There's a distinct possibility that my syntax for the writers attributes isn't right. I can't find a whole lot of documentation on that. the script it pasted below.

# Casper remote Mapping # $4 = Shortname
# $5 = First
# $6 = Last
# $7 = UID
# $8 = Password
# ${10} = #
#
fullname=$5" "$6

# Create a new entry for the user under /Users:
dscl . create /Users/$4

# Create and set the shell property to bash:
dscl . create /Users/$4 UserShell /bin/bash

# Set the user’s full name:
dscl . create /Users/$4 RealName "$fullname"

# Create and set a unique ID for the user. Pick whatever works for you here, ensuring that it hasn’t been used by previous users:
dscl . create /Users/$4 UniqueID $7

# Create and set the user’s group ID property:
dscl . create /Users/$4 PrimaryGroupID 20

# Set the user’s home directory by running the following command. Ensure that you replace both instances of the shortname in the command below:
dscl . create /Users/$4 NFSHomeDirectory /Users/$4

# Set their password. # Here, you’ll replace “PASSWORD” with the actual password that will be used initially for their account.
dscl . passwd /Users/$4 $8

# Set Writers Attributes
dscl . create /Users/$4 dsAttrTypeNative:_writers_hint: default
dscl . create /Users/$4 dsAttrTypeNative:_writers_LinkedIdentity: $4
dscl . create /Users/$4 dsAttrTypeNative:_writers_passwd: $8
dscl . create /Users/$4 dsAttrTypeNative:_writers_realname: $4

Jamf Nation Community

Standard users created with dscl cannot change their passwords.