Change Password on Local User Account Through Apple Remote Desktop

Disclaimer:  I assume no responsibility or liability for any actions resulting in the use of the following information.  I have tested this and it works great for me, so I feel confident it will work for you.  That said, do so at your own risk.

We’re preparing to manage all of our Macintosh clients at work at the start of next school year.  This was never implemented in the past for various reasons (personnel, funding, technology, etc), but since I was hired last December, I’ve made it my Grail quest.

A brief paragraph on our setup:  We have an Active Directory (AD) domain where all our user accounts and passwords live, and which handles authentication.  I’m running my own Open Directory (OD) domain on an 8-Core Intel Xeon beast of an Xserve for managed settings, file sharing, home folders, etc.  We’ve achieved single sign-on by binding the Macs to AD, and then passing off management to OD user/group/machine settings.

This is great, but it all relies on a working network connection.  Without one, there’s no access to the machine, since it won’t be able to authenticate credentials.  I also have an older G4 Xserve configured as an OD replica: if anything happens to the Intel Xserve, the G4 will take over its role until the Intel box is back online.  But what if something happens to both Xserves, or worse, to our network infrastructure?  I want to build in a plan to let users have access to the local machine only when the network is unavailable, and until we get the network back.  (Ok, so that was two paragraphs on the setup, sorry!)

To achieve this, I created a managed user account on the local machine called “Local” as part of my image.  The account is configured how I’d like it, as a shared environment for temporary use.  I’ve set the login window preferences for each Mac in Workgroup Manager to only show blank fields for username and password, not a list of available user accounts.  This is so users won’t even know the account exists until disaster strikes and they’re told to use it.

OS X Login Window

In the event of network outage, we’ll verbally spread the word (it’s not a big campus) that you can log in with the username “Local” and the password “temporary” and use the programs on the computer, without a network connection.

The problem is that after network services are restored, there’s nothing to stop users (especially students) from continuing to use that account and bypassing the need to log in as themselves.  OS X Leopard has a built-in Guest account feature, but that won’t work, since there’s no way that I’m aware of to turn it on remotely without walking to each machine and enabling it.

To solve this problem, we’ll change the password on that “Local” account as soon as our network is restored, but how to do this when it’s a local account, and not managed from the server?

The answer is ingeniously simple.

If you don’t know by now, Apple Remote Desktop (ARD) is an absolute gem for a Mac admin.  Using ARD, we can send unix commands to all of our machines, and in this case in particular, the passwd command.  Select all the Macs on your network, and select Manage>Send Unix Command.  Enter the following command, all on one line:

dscl . -passwd /Users/USERNAME OLDPASSWORD NEWPASSWORD

Change USERNAME to the short name of your local account (in my case, Local), and obviously OLDPASSWORD is the old password, and NEWPASSWORD is the new password for your local account.  Make sure you run the command as the root user, and check the box to display all output to watch for errors.

The Command Being Pushed Through ARD

If all goes well, this runs in the background, transparent to the user.  They can no longer use the password “temporary” to log in as “Local” and are forced to once again use their network credentials.  The next time a network outage occurs, tell them to log in as “Local” with whatever new password you created in the terminal command above.  This works proactively: it is already implemented and ready to use the next time it is necessary.

What’s more, if you’re running an ARD task server on your Xserve, any clients who were offline when you sent the unix command will get it when they come back online.

Mike Bombich's Refresh Default Home Directory Script

As an extra bonus, I’m running this script from Mike Bombich (the man is a god) at login, to automatically restore my Local account to its pristine settings, erasing any files and settings users have left behind while working locally so the next user will have a fresh, clean experience.

Please feel free to leave a comment if you have any questions or if you use this and find it helpful.

UPDATE:  If either your current password or your new password is blank, just use two single quotation marks to represent that.
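The one-line command above and the blank-password rule in the UPDATE, put together as an added example (this is not the post’s own script or anything from Apple). It assumes that ARD’s Send Unix Command hands the line to sh, which is why the quoting matters; that the task is sent as root; and that the account name “Local” and every password in it are constructed placeholders. build_dscl_cmd prints the exact line to paste into ARD, rotate_local_password runs the same change directly on a Mac, and verify_local_password uses dscl’s -authonly option to confirm the new password actually authenticates.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple: builds the exact
# one-line dscl command the post pastes into ARD's "Send Unix Command", with
# the blank-password case from the UPDATE handled, and runs it on a Mac.
# Assumptions: ARD hands the line to sh (so quoting matters), the task runs
# as root, and "Local" plus every password below are constructed placeholders.

# Quote one password for sh. A blank password becomes two single quotes, as the
# UPDATE says; an embedded single quote is rewritten as '\'' so it survives.
quote_pw() {
    if [ -z "$1" ]; then
        printf "''"
    else
        printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
    fi
}

# Print the line to paste into ARD: dscl . -passwd /Users/USER OLD NEW
build_dscl_cmd() {
    printf 'dscl . -passwd /Users/%s %s %s\n' \
        "$1" "$(quote_pw "$2")" "$(quote_pw "$3")"
}

# Run the rotation on the machine itself. Refuses unless root (the "user: root"
# choice in ARD) and unless dscl exists, so a wrong host shows up as an error in
# ARD's output window instead of silently doing nothing.
rotate_local_password() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "rotate_local_password: must run as root" >&2
        return 2
    fi
    if ! command -v dscl >/dev/null 2>&1; then
        echo "rotate_local_password: dscl not found, this is not a Mac" >&2
        return 3
    fi
    # dscl receives the passwords as separate arguments, so a blank one is "".
    dscl . -passwd "/Users/$1" "$2" "$3"
}

# Confirm the change took: dscl . -authonly exits 0 only if USER/PASSWORD works.
verify_local_password() {
    dscl . -authonly "$1" "$2"
}

# Demo with constructed placeholder values: prints the two lines you would
# paste into ARD (a normal old password, then a blank old password).
build_dscl_cmd Local temporary 'N3w-Outage-Pass'
build_dscl_cmd Local '' 'N3w-Outage-Pass'
```

Two things worth keeping in mind when you push this through ARD: the passwords travel as command-line arguments, so they are visible in ps output on the client for the moment dscl runs and are kept in ARD’s task history, which is one more reason to rotate again when the next outage is over; and, as Sean notes in the comments, root is not actually asked for the old password, so the OLDPASSWORD argument is only there to match the form of the command in the post.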

4 Responses to “Change Password on Local User Account Through Apple Remote Desktop”

  1. Adil says:

    Have a quick question, I have been trying to change the old password that is blank to a new one, but it comes with an error 10. Here is the command I am using:

    dscl . -passwd /Users/account ” newpassword

    I have tried it with quotes, no quotes, etc and it simply does not take it. I did use the user as root as you have suggested. FYI, my root account does have a password, and when I select users, I have simply NO idea where to enter my root password. Please advise, I would certainly appreciate a prompt response, Thanks!

  2. acletras says:

    Did you copy and paste your command into this comment? If so, it looks like you’ve got one double quote, and not two single quotes. In other words, did you hold shift and press the quotation key, or did you just press the key by itself?

    You should just be pressing the key twice, without the shift key at all. In other words, just use two apostrophes.

  3. acletras says:

    Also, as far as I can tell using this command does not require a password. I tried it as root and as a local admin user and each time it executed successfully. This probably doesn’t help your error 10 issue, but Apple is notoriously non-descriptive in its error messages (especially the dreaded error -36).

  4. Sean says:

    Hi, as far as I can see, there is no need to type the old password as you would be executing the command as root.

    passwd localaccount
    password
    password
