Change Local Admin Password via OD?

  • #378632
    dead2sin
    Participant

    We use a generic local admin account on our images so that we can still get on them in case of network/domain issues. Is there a good way to change the local admin’s password using OD? I am trying to figure out a good way to swap out the password as we change them across the board.

    If OD can’t do it, what is the best way to do this without having to issue a command over ARD?

    Thanks,

    Nate

    #378636
    Greg Neagle
    Participant

    1) ssh in and change the password.

    2) If all the local admin accounts have the same GeneratedUID, push a new shadow hash file to /var/db/shadow/hash/

    3) Write a script that normalizes the local admin account’s GeneratedUID for all machines, then #2.

    4) Visit each machine in person and change the password manually.

    #378641
    dead2sin
    Participant

    [QUOTE][u]Quote by: gneagle[/u][p]1) ssh in and change the password.

    2) If all the local admin accounts have the same GeneratedUID, push a new shadow hash file to /var/db/shadow/hash/

    3) Write a script that normalizes the local admin account’s GeneratedUID for all machines, then #2.

    4) Visit each machine in person and change the password manually.
    [/p][/QUOTE]

    I create my user accounts using InstaDMG + createUser, so I can set the GUID to be identical. Could I use OD to manage that shadowhash like I would a plist, or does it not handle that type of thing? Not being able to manage admin passwords like AD does is kind of a pain for us (we only have 400 macs, but doing it manually on all 400 is a huge pain).

    Thanks,

    Nate

    #378642
    fatherzimfire
    Participant

    Edited –
    oops, didn’t see the without ARD bit.

    FZ

    #378644
    Greg Neagle
    Participant

    “I create my user accounts using InstaDMG + createUser, so I can set the GUID to be identical. Could I use OD to manage that shadowhash like I would a plist, or does it not handle that type of thing?”

    No, you can’t manage this using Open Directory. You’ll need to find another method to deliver changed versions of this file to all your machines. How do you install software on 400 Macs?

    -Greg

    #378645
    dead2sin
    Participant

    [QUOTE][u]Quote by: gneagle[/u][p]“I create my user accounts using InstaDMG + createUser, so I can set the GUID to be identical. Could I use OD to manage that shadowhash like I would a plist, or does it not handle that type of thing?”

    No, you can’t manage this using Open Directory. You’ll need to find another method to deliver changed versions of this file to all your machines. How do you install software on 400 Macs?

    -Greg[/p][/QUOTE]

    We generally don’t push software out, it’s preloaded on the image (all necessary software anyway). If we have to push something out, we would use ARD, but I really hate using it for that. ARD is wonderful for some things, but I don’t think it is the best choice for software management.

    Hrmmm, if it can’t be done with OD, then that means I have even more of a business case for using Munki. It would be easy to make a package that delivers the shadow hash. I think I am slowly warming up to your strategy for management Greg 🙂 I’m too used to the Windows way of doing everything, so I try to emulate that in my Mac environment.

    Thanks again guys.

    Nate

    #378646
    dead2sin
    Participant

    This is what I came up with. I borrowed a few lines of bash script from the createUser.pkg that I use for InstaDMG (akinspe’s package). All you do is put this this as a postflight in a payload-less package, edit the adminUser variable to suit your needs and put a proper password_hash file into the Contents/Resources directory within the package. I’m going to test it a bit yet, but it seems to work alright using the method that Greg described. I figure this can be put into munki, then if the password needs to be updated, I can enumerate the package version so that it is an “update” for the original. Thanks again for the ideas Greg.

    [code]
    #!/bin/bash

    # Set Variables
    adminUser=adminusername
    # $1 is the package path that Installer passes to the postflight script
    SCRIPT_DIR="$1/Contents/Resources"

    # Read the pre-generated shadow hash shipped in the package's Resources dir
    check_password()
    {
    if [ -f "${SCRIPT_DIR}/password_hash" ];
    then
    password_hash=`cat "${SCRIPT_DIR}/password_hash"`
    else
    echo "password_hash could not be found"
    exit 1
    fi
    }

    # Look up the local admin's GeneratedUID; it names the shadow hash file
    get_GUID()
    {
    GUID=$(dscl . -read /Users/$adminUser/ | awk '/GeneratedUID/ {print $2}')
    if [ -z "$GUID" ]; then
    echo "GeneratedUID for $adminUser could not be found"
    exit 1
    fi
    }

    # Overwrite the shadow hash file and restore its restrictive permissions
    change_Password()
    {
    echo "$password_hash">/var/db/shadow/hash/$GUID
    /bin/chmod 600 /var/db/shadow/hash/$GUID
    }

    check_password
    get_GUID
    change_Password
    [/code]
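    A hardened variant of the postflight above, added here as an example (it is not the thread's script nor part of createUser.pkg): it validates the GeneratedUID before using it in a path, creates the hash file already restricted instead of chmod-ing it afterwards, and verifies the result. The hash directory is a parameter so the install step can be exercised outside the package; the defaults assume the /var/db/shadow/hash layout and the "adminusername" placeholder used in the thread.

    ```bash
    #!/bin/bash
    # Added example, not the thread's own script: a hardened version of the
    # postflight step that installs a shadow hash under the legacy
    # /var/db/shadow/hash/<GeneratedUID> layout described above.

    # Accept only a well-formed GeneratedUID (8-4-4-4-12 upper-case hex) so that
    # an empty or odd dscl result can never become an unexpected file path.
    valid_guid() {
        printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
    }

    # Read the account's GeneratedUID; dscl prints one "GeneratedUID: <value>" line.
    lookup_guid() {
        dscl . -read "/Users/$1" GeneratedUID 2>/dev/null | awk '/GeneratedUID:/ {print $2}'
    }

    # install_hash HASH_FILE GUID [HASH_DIR]
    # Copies the pre-generated hash into HASH_DIR/GUID with mode 600. Returns 1
    # without writing anything if any input fails validation.
    install_hash() {
        hash_file=$1; guid=$2; hash_dir=${3:-/var/db/shadow/hash}
        valid_guid "$guid" || { echo "refusing: malformed GeneratedUID '$guid'" >&2; return 1; }
        [ -s "$hash_file" ] || { echo "refusing: $hash_file is missing or empty" >&2; return 1; }
        [ -d "$hash_dir" ] || { echo "refusing: $hash_dir does not exist" >&2; return 1; }
        target="$hash_dir/$guid"
        # Create the file already restricted (umask) instead of chmod-ing afterwards,
        # then rename into place so a crash cannot leave a half-written hash behind.
        ( umask 077 && cat "$hash_file" > "$target.tmp" ) || return 1
        mv -f "$target.tmp" "$target" || return 1
        # Confirm the on-disk mode is exactly 600 before reporting success.
        [ -n "$(find "$target" -perm 600)" ]
    }

    # As a package postflight, Installer passes the package path as $1 (as in the
    # original script); "adminusername" is the placeholder account name from it.
    if [ -n "$1" ] && [ -d "$1/Contents/Resources" ]; then
        install_hash "$1/Contents/Resources/password_hash" "$(lookup_guid adminusername)"
    fi
    ```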

    #379001
    tlarkin
    Participant

    I assume you know the user’s short name? A simple send Unix command over ARD Admin should suffice. Run it as root.

    [code]
    dscl . passwd /Users/localadmin the_new_password
    [/code]

    #380585
    berrty
    Participant

    That was such a cool solution for changing the Local Administrator Password and I was thrilled to see the choices we had other than via OD!! It was all totally new information for me and I tried it out and they are working perfectly!! Can really be free of having issues during a network/domain failure!!
