Change Password on Local User Account Through Apple Remote Desktop

Disclaimer:  I assume no responsibility or liability for any actions resulting from the use of the following information.  I have tested this and it works great for me, so I feel confident it will work for you.  That said, do so at your own risk.

We’re preparing to manage all of our Macintosh clients at work at the start of next school year.  This was never implemented in the past for various reasons (personnel, funding, technology, etc), but since I was hired last December, I’ve made it my Grail quest.

A brief paragraph on our setup:  We have an Active Directory (AD) domain where all our user accounts and passwords live, and which handles authentication.  I’m running my own Open Directory (OD) domain on an 8-Core Intel Xeon beast of an Xserve for managed settings, file sharing, home folders, etc.  We’ve achieved single sign-on by binding the Macs to AD, and then passing off management to OD user/group/machine settings.

This is great, but it all relies on a working network connection.  Without one, there’s no access to the machine, since it won’t be able to authenticate credentials.  I also have an older G4 Xserve configured as an OD replica: if anything happens to the Intel Xserve, the G4 will take over its role until it is back online.  But what if something happens to both Xserves, or worse, to our network infrastructure?  I want to build in a plan that lets users have access to the local machine only while the network is unavailable, until we get the network back.  (Ok, so that was two paragraphs on the setup, sorry!)

To achieve this, I created a managed user account on the local machine called “Local” as part of my image.  The account is configured how I’d like it, as a shared environment for temporary use.

OS X Login Window

I’ve set the login window preferences for each Mac in Workgroup Manager to show only blank fields for username and password, not a list of available user accounts.  This is so users won’t even know the account exists until disaster strikes and they’re told to use it.

In the event of network outage, we’ll verbally spread the word (it’s not a big campus) that you can log in with the username “Local” and the password “temporary” and use the programs on the computer, without a network connection.

The problem is that after network services are restored, there’s nothing to stop users (especially students) from continuing to use that account and bypassing the need to log in as themselves.  OS X Leopard has a built-in Guest account feature, but that won’t work, since there’s no way that I’m aware of to turn it on remotely without walking to each machine and enabling it.

To solve this problem, we’ll change the password on that “Local” account as soon as our network is restored, but how to do this when it’s a local account, and not managed from the server?

The answer is ingeniously simple.

If you don’t know by now, Apple Remote Desktop (ARD) is an absolute gem for a Mac admin.  Using ARD, we can send Unix commands to all of our machines, and in this case in particular, the passwd operation of the dscl directory tool.  Select all the Macs on your network, and choose Manage > Send Unix Command.  Enter the following command, all on one line:

dscl . -passwd /Users/USERNAME OLDPASSWORD NEWPASSWORD

Change USERNAME to the short name of your local account (in my case, Local); OLDPASSWORD is the current password and NEWPASSWORD is the new password for your local account.  Make sure you run the command as the root user, and check the box to display all output so you can watch for errors.
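As an added example (not the post’s one-liner, and not Mike Bombich’s script), here is a small script that can be pasted into the same ARD Send Unix Command task, run as root.  It checks that the local account actually exists before touching it, sets the password as root (root does not have to supply the old password, so the blank-old-password quoting question never comes up), and then confirms the new password with dscl’s -authonly so that a change that “succeeded” but does not authenticate, like the one reported in the comments, shows up as an error in ARD’s output instead of silently.  The account name “Local” is the post’s; the placeholder new password, the exit codes and the DSCL variable (present only so the logic can be exercised offline with a stub) are my assumptions.

```shell
#!/bin/sh
# Added example for an ARD "Send Unix Command" task, run as user root.
# Not the post's own command. Assumptions: account short name "Local"
# (from the post), a PLACEHOLDER new password you replace, and the real
# dscl(1) verbs -read, -passwd and -authonly on the local node ".".

ACCOUNT="${ACCOUNT:-Local}"                # short name of the local account
NEW_PASSWORD="${NEW_PASSWORD:-ChangeMe1}"  # PLACEHOLDER: choose your own
DSCL="${DSCL:-dscl}"                       # overridable so tests can stub dscl

# Exit 0 if the account exists in the local directory node.
account_exists() {
    "$DSCL" . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Root may set a password without giving the old one, so no '' quoting
# is needed when the current password is blank.
set_password() {
    "$DSCL" . -passwd "/Users/$1" "$2"
}

# -authonly exits non-zero when the credentials do not authenticate.
verify_password() {
    "$DSCL" . -authonly "$1" "$2" >/dev/null 2>&1
}

# Returns 0 on success, 2 if the account is missing, 3 if dscl refused
# the change, 4 if the new password does not authenticate afterwards.
rotate_local_password() {
    acct="$1"; newpw="$2"; host="$(uname -n)"
    if ! account_exists "$acct"; then
        echo "ERROR: no local account /Users/$acct on $host" >&2
        return 2
    fi
    if ! set_password "$acct" "$newpw"; then
        echo "ERROR: dscl -passwd failed for $acct on $host" >&2
        return 3
    fi
    if ! verify_password "$acct" "$newpw"; then
        echo "ERROR: new password for $acct does not authenticate on $host" >&2
        return 4
    fi
    echo "OK: password for $acct rotated on $host"
    return 0
}

# Only act when dscl is really present, i.e. on the Mac that ARD pushes
# this to. Note that the new password is visible in the ARD task record
# and in the process list while dscl runs; treat the task history as
# sensitive.
if command -v "$DSCL" >/dev/null 2>&1; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "ERROR: run this task as root (ARD: run as user root)" >&2
        exit 1
    fi
    rotate_local_password "$ACCOUNT" "$NEW_PASSWORD"
fi
```

Because every failure returns a distinct non-zero code and prints to stderr, ARD’s “display all output” pane tells you per machine whether the account was missing, the change was refused, or the new password did not take.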

The Command Being Pushed Through ARD

If all goes well, this runs in the background, transparent to the user.  They can no longer use the password “temporary” to log in as “Local” and are forced to once again use their network credentials.  The next time a network outage occurs, tell them to log in as “Local” with whatever new password you set in the command above.  This is proactive: it is already implemented and ready to use the next time it is necessary.

What’s more, if you’re running an ARD task server on your Xserve, any clients that were offline when you sent the Unix command will get it when they come back online.

Mike Bombich's Refresh Default Home Directory Script

As an extra bonus, I’m running this script from Mike Bombich (the man is a god) at login, to automatically restore my Local account to its pristine settings, erasing any files and settings users have left behind while working locally, so the next user will have a fresh, clean experience.

Please feel free to leave a comment if you have any questions or if you use this and find it helpful.

UPDATE:  If either your current password or your new password is blank, use two single quotation marks ('', two apostrophes with nothing between them) in its place.


13 Comments

  1. Adil

    Have a quick question, I have been trying to change the old password that is blank to a new one, but it comes with an error 10. Here is the command I am using:

    dscl . -passwd /Users/account ” newpassword

    I have tried it with quotes, no quotes, etc and it simply does not take it. I did use the user as root as you have suggested. FYI, my root account does have a password, and when I select users, I have simply NO idea where to enter my root password. Please advise, I would certainly appreciate a prompt response, Thanks!

  2. acletras

    Did you copy and paste your command into this comment? If so, it looks like you’ve got one double quote, and not two single quotes. In other words, did you hold shift and press the quotation key, or did you just press the key by itself?

    You should just be pressing the key twice, without the shift key at all. In other words, just use two apostrophes.

  3. acletras

    Also, as far as I can tell using this command does not require a password. I tried it as root and as a local admin user and each time it executed successfully. This probably doesn’t help your error 10 issue, but Apple is notoriously non-descriptive in its error messages (especially the dreaded error -36).

  4. Sean

    Hi, as far as I can see, there is no need to type the old password as you would be executing the command as root.

    passwd localaccount
    password
    password

  5. Les

    Hi there, I have a quick question about one thing you mentioned in this very helpful suggestion (thanks for that first). In your first 2 paragraphs, you talked about passing off management of client machines to OD from AD. I am trying to do the same thing and was wondering if you might have a description of how you did that. You can email that to me if you would like.
    Thanks in advance.
    Cheers

  6. jazzmanx33

    Just stumbled across this in searching for a way to remotely change passwords via ARD, and your solution seems great. I also would like a brief description on how you set up managed prefs using the OD server, as I am running into some odd issues when trying to do the same here. I’m dealing with about 24 managed macs here at our facility.

    Thanks for the help.

  7. ForestKev

    OK, I’m getting an error message trying to send this command via ARD. I’m sending this –
    dscl . -passwd /Users/Student ” newpassword

    and I’m getting this –
    DS Error: -14090 (eDSAuthFailed)
    passwd: DS Error: eDSAuthFailed

    I have the root account disabled on the machines I’m trying to send the command to, is that a factor?

    • acletras

      Try to copy and paste this:

      dscl . -passwd /Users/Student '' NEWPASSWORD

      Obviously, replace NEWPASSWORD with whatever you like. It looks like you may have used the quotation mark instead of two apostrophes (my fault, I need to update the post to be more clear), but it could also be related to the root account being disabled. I’ll disable it on one of my test machines and give it a shot and will post the results.

      Have you tried entering the user name of a local administrator account in the “run as user:” box?

  8. ForestKev

    Ok, I tested this on a MacBook after enabling the root account. I had to do that manually, though; all the research I found with the dsenableroot command just gave me the message that it failed to enable root. Anyway, after enabling root and running the same command I ran before, I received a message that it was successful. So I attempted to log on to the test machine with my new student password, and it doesn’t work. Something happened, because the blank password doesn’t work either. I have checked the typing of the password 50 times, I know it’s correct, but I cannot log in. I tried rebooting the machine, shutting it down completely, logging in as admin and back out, but none of that works to have the new password take effect. Any ideas? Oh, and my original command was two single quotation marks, that’s just the way it looks when you type it out here.

    • acletras

      I haven’t had much luck with the dsenableroot command either. I’m not entirely sure what your issue could be, as I am able to successfully do this under 10.4.11, 10.5.8 and 10.6.7. I also can’t get it to give me the same error message you originally posted (even when I disable my root account, it still works). I’m trying to think if there’s anything special in my setup that I may have left out, but I can’t think of anything.

      If you’re locked out of that account, there’s always booting to the OS X installation disc and resetting the password there…
