Disclaimer: I assume no responsibility or liability for any actions resulting from the use of the following information. I have tested this and it works great for me, so I feel confident it will work for you. That said, do so at your own risk.
We’re preparing to manage all of our Macintosh clients at work at the start of next school year. This was never implemented in the past for various reasons (personnel, funding, technology, etc), but since I was hired last December, I’ve made it my Grail quest.
A brief paragraph on our setup: We have an Active Directory (AD) domain where all our user accounts and passwords live, and which handles authentication. I’m running my own Open Directory (OD) domain on an 8-Core Intel Xeon beast of an Xserve for managed settings, file sharing, home folders, etc. We’ve achieved single sign-on by binding the Macs to AD, and then passing off management to OD user/group/machine settings.
This is great, but it all relies on a working network connection. Without one, there’s no access to the machine since it won’t be able to authenticate credentials. I also have an older G4 Xserve configured as an OD replica: if anything happens to the Intel Xserve, the G4 will take over its role until it is back online. But what if something happens to both Xserves or, worse, to our network infrastructure? I want to build in a plan to let users have access to the local machine only when the network is unavailable, and until we get the network back. (Ok, so that was two paragraphs on the setup, sorry!)
To achieve this, I created a managed user account on the local machine called “Local” as part of my image. The account is configured how I’d like it, as a shared environment for temporary use. I’ve set the login window preferences for each Mac in Workgroup Manager to only show blank fields for username and password, not a list of available user accounts. This is so users won’t even know the account exists until disaster strikes and they’re told to use it.
In the event of network outage, we’ll verbally spread the word (it’s not a big campus) that you can log in with the username “Local” and the password “temporary” and use the programs on the computer, without a network connection.
The problem is that after network services are restored, there’s nothing to stop users (especially students) from continuing to use that account and bypassing the need to log in as themselves. OS X Leopard has a built-in Guest account feature, but that won’t work since there’s no way that I’m aware of to turn it on remotely without walking to each machine and enabling it.
To solve this problem, we’ll change the password on that “Local” account as soon as our network is restored, but how to do this when it’s a local account, and not managed from the server?
The answer is ingeniously simple.
If you don’t know by now, Apple Remote Desktop (ARD) is an absolute gem for a Mac admin. Using ARD, we can send Unix commands to all of our machines, and in this case in particular, dscl with its passwd verb. Select all the Macs on your network, and select Manage>Send Unix Command. Enter the following command, all on one line:
dscl . -passwd /Users/USERNAME OLDPASSWORD NEWPASSWORD
Change USERNAME to the short name of your local account (in my case, Local), and obviously OLDPASSWORD is the old password, and NEWPASSWORD is the new password for your local account. Make sure you run the command as the root user, and check the box to display all output to watch for errors.
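As an added example (my own script, not code from the post or from Apple), here is the same dscl password change wrapped so the whole thing can be pasted into ARD’s Send Unix Command with “run as root” ticked. It checks that it is running as root, that the account really exists in the local directory node, rotates the password, and then confirms the new password authenticates before printing a success line, so the per-machine output ARD shows you tells you which clients actually changed. The account name Local and the old password temporary are the post’s; the new password is a placeholder you must fill in; the dscl verbs -read and -authonly used for the checks are not on the page and are assumed to be available on the target Macs.

```shell
#!/bin/bash
# Added example, not from the original post: rotate the shared "Local"
# account's password on a Mac. Meant to be sent via ARD "Send Unix Command"
# as root. Assumes the local Directory Services node "." and the dscl
# verbs -read, -passwd and -authonly.

ACCOUNT="Local"                            # short name from the post
OLD_PASSWORD="temporary"                   # outage password from the post
NEW_PASSWORD="REPLACE-WITH-NEW-PASSWORD"   # placeholder: set before sending

# Return 0 if the short name looks like a local account name (letters,
# digits, dot, underscore, hyphen), so a typo cannot become a stray dscl path.
valid_short_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 if a user record for the account exists in the local node.
local_account_exists() {
  dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Change the password and verify that the new one actually authenticates.
# Quoting the variables passes an empty password as an empty argument,
# the same thing the two single quotes in the post's UPDATE do by hand.
rotate_local_password() {
  acct=$1; old=$2; new=$3
  if ! valid_short_name "$acct"; then
    echo "refusing: bad account name '$acct'" >&2
    return 2
  fi
  if ! local_account_exists "$acct"; then
    echo "skip: no local account named $acct on $(hostname)" >&2
    return 3
  fi
  if ! dscl . -passwd "/Users/$acct" "$old" "$new"; then
    echo "FAIL: dscl -passwd returned an error for $acct on $(hostname)" >&2
    return 4
  fi
  if ! dscl . -authonly "$acct" "$new" >/dev/null 2>&1; then
    echo "FAIL: new password for $acct does not authenticate on $(hostname)" >&2
    return 5
  fi
  echo "OK: password rotated for $acct on $(hostname)"
}

main() {
  # ARD's "run as root" checkbox is what makes this succeed; say so if not.
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root (tick 'run as root' in the ARD dialog)" >&2
    return 1
  fi
  rotate_local_password "$ACCOUNT" "$OLD_PASSWORD" "$NEW_PASSWORD"
}

# Only act on a machine that actually has Directory Services (macOS); on
# anything else the functions are merely defined and nothing is changed.
if command -v dscl >/dev/null 2>&1; then
  main
fi
```

Whatever form you send, the old and new passwords are visible in the process list while dscl runs and stay in the ARD task history, so treat the pasted text like any other credential and pick a fresh password each time rather than cycling between two. The exit codes are distinct on purpose: a 3 means the account was never on that client (it probably missed the image), a 4 means the old password did not match (someone already changed it), and a 5 means the change reported success but the new password does not work, which is worth walking over for.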
If all goes well, this runs in the background, transparent to the user. They can no longer use the password “temporary” to log in as “Local” and are forced to once again use their network credentials. The next time a network outage occurs, tell them to log in as “Local” with whatever new password you set in the terminal command above. Because the new password is set in advance, the fallback is already implemented and ready to use the next time it is necessary.
What’s more, if you’re running an ARD task server on your Xserve, any clients who were offline when you sent the unix command will get it when they come back online.
As an extra bonus, I’m running this script from Mike Bombich (the man is a god) at login, to automatically restore my Local account to its pristine settings, erasing any files and settings users have left behind while working locally so the next user will have a fresh, clean experience.
Please feel free to leave a comment if you have any questions or if you use this and find it helpful.
UPDATE: If either your current password or your new password is blank, just use two single quotation marks to represent that.