Updating Local Administrator account with known existing password, dscl appears to do it all now?

New Contributor II

There are discussions dating back years on these forums outlining the headaches around both password setting as well as password changing for local administrator accounts. We've got the dscl -passwd approach, the sysadminctl -resetPasswordFor approach, some use the jamf binary...

We've had to dance with SecureToken limitations and messed up keychains, FileVault passwords not updating or staying in sync with an OS level passchange...

I was sitting here testing some methods for cycling a local administrator account's password (that has a secureToken enabled) and noticed that just performing a simple:

dscl . -passwd /Users/mylocaladmin <oldpassword> <newpassword>

not only updated the password within the OS, but also updated the filevault password AND updated the password on the keychain. I'm blown away. I remember jumping through hoops to get a successful and smooth change to all relevant areas of the user account. When did this change happen? Test machine is currently 10.15.6, but I'm tempted to wipe and try earlier OSes to find when it was introduced.

When cycling a known existing password on a local, secureToken enabled administrator account, what approach do you all do?

sysadminctl -resetPasswordFor?
jamf ChangePassword?
Combination of dscl, security set-keychain-password, and fdesetup remove/add?

EDIT: the dscl method works on a 10.14.6 machine I had laying around too, so its at least as early as that.


New Contributor

glopez1, has this finding continued to hold up for you? I'm reading thru this forum today to address this very problem and would love it if it's solved with a one liner!

New Contributor

The blog was absolutely fantastic! Lot of great information which can be helpful in some or the other way. Keep updating the blog, looking forward for more contents…Great job, keep it up