Script to change local admin account

I’m in the midst of designing a process for a college to manage our Macs as simply as possible. We’ll be using IEM BigFix for endpoint management, and I am attempting to put a lot of basic configuration tools into AppleScripts so that our student workers will be able to click and go when configuring Macs, whether they are familiar with Macs or not.

I created this script this afternoon with the hope that I can turn it into something which can be distributed as an application through BigFix (or a modified version saved as Fixlets, another kind of technical issue entirely) so that we can send out a change to the local admin user we put on all Macs.

Please critique whether this makes sense or not.

Also, these are not the actual names of the local admin, obviously, and eventually my buttons and feedback to the users will be far less sarcastic.


try
	set mens_sana to false
	repeat while mens_sana is false
		-- ask for the new password twice; "hidden answer" keeps it off the screen
		display dialog "Enter the new password for AppleAdminAccount " default answer "" with hidden answer
		set newPassword to text returned of result
		
		display dialog "Enter it one more time to validate that they are the same" default answer "" with hidden answer
		set nudePassword to text returned of result
		
		if newPassword = nudePassword then
			set mens_sana to true
		else
			display dialog "Tsk. Watch your typing.  Go for another lap?" with icon note buttons {"Go on - I'll get it this time", "No more - I suck"} default button 1
			if result = {button returned:"No more - I suck"} then exit repeat
		end if
		
	end repeat
end try

-- now that the previous unpleasantness is behind us, we commence with the fun

try
	-- only reached with matching entries; if a dialog was cancelled, newPassword is undefined and this try swallows the error
	if newPassword = nudePassword then
		-- NB: newPassword is spliced into the shell command unquoted (see the replies below about "quoted form of")
		do shell script "dscl . -passwd /Users/AppleAdminAccount " & newPassword with administrator privileges
	end if
end try

dscl should work fine for what you’re trying to do.

However: Do not forget to change the login.keychain password as well:

do shell script "security set-keychain-password -o " & currentPassword & " -p " & NewPassword

Otherwise you’ll end up with hideous UX issues (being prompted after logging in, etc.).

The problem is, you’ll need to know the user’s existing password, check that it’s correct and then move on.

set passwordGood to false
-- the owner of /dev/console is the user logged in at the GUI
set doshellresults to do shell script "ls -l /dev/console"
set loggedInUser to word 3 of doshellresults
repeat while not passwordGood
	display dialog "Enter the existing password for AppleAdminAccount " default answer "" with hidden answer
	set existingPassword to text returned of result
	try
		-- dscl -authonly exits non-zero (and do shell script throws) when the password is wrong, so the loop repeats
		set dsclCheck to do shell script "dscl . -authonly '" & loggedInUser & "' " & existingPassword
		set passwordGood to true
	end try
end repeat

So, you’ve now tested the password and it’s good. Let’s now change the login.keychain. You’d place this line after the set mens_sana to true

do shell script "security set-keychain-password -o " & existingPassword & " -p " & newPassword

There is a lot more that you should do though, if you were being thorough:
Check that the new password complies with any password policy you’ve set.
Check that it has no whitespace.
Escape nasty characters like \.

You get the drift

Hope that this helps

Paul “changing passwords on the mac is the bane of my life” fidler

First off, thanks for the exchange!

Isn’t quoted form of enough to bypass those issues you’ve mentioned?

When using a do shell script it’s best to always use quoted form of, especially when the given data is untrusted. What if I type “hello; rm -Rf $HOME” as my password (I know it’s an extreme example)? You’ll probably see that this new password will remove my entire home folder. When a user types a new password containing a semicolon (or several), it will create unexpected results, updating the administrator with a new password that nobody knows.

“quoted form of” should be used at all times. Completely agree

I also have a subroutine that adds in extra \ where need be, which also works.

Thanks for the feedback, everyone. Fantastic tip about the keychain.

Yes, this is a local admin which exists (or will be checked to exist) for every computer. The PC local admin account can be changed with AD group policy. The most straightforward way I see to make a similar change on Macs without involving something like Centrify is to send out a dscl command like that through endpoint management. Only the network admins will be deciding on what the local admin password should be, so I figured that I do not need to bother with any verification to match policy or complexity.

I have a script for creating the hostname of the Mac, which is then bound to AD, and it has a couple of more precise verification passes. One is a verification loop that spits it back if it is longer than 15 characters (our MS AD limitation), and the other calls a shell script sed command to strip out all spaces and anything that is not alphanumeric or a dash. I was going to post that on the forum as well.

But those passwords more often contain characters that are special to bash, the dollar sign for example. So, yes, you should always use quoted form to avoid injection or parameter expansion in bash. A network admin will often choose a password containing upper and lower case characters, numbers and at least one special character.
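As an added illustration of the two points raised above (the “hello; rm -Rf $HOME” post and the one about dollar-sign expansion), here is a POSIX shell script, not code from this thread, that reproduces what AppleScript’s quoted form of does and runs the same command line both ways on constructed passwords. Everything in it is a stand-in: fake_dscl only records the arguments it receives (the real dscl is never called), eval plays the part of do shell script handing the assembled string to sh, and INJECTED=1 is a harmless substitute for the destructive payload.

```sh
#!/bin/sh
# Stand-in for `dscl . -passwd /Users/AppleAdminAccount <password>`.
# It records how many words the shell produced and which one landed in
# the password slot. Constructed for this demonstration; not the real dscl.
fake_dscl() {
    FAKE_DSCL_ARGC=$#
    FAKE_DSCL_PASSWORD=${4-}
}

# What AppleScript's `quoted form of` produces: the string wrapped in single
# quotes, with every embedded single quote turned into '\'' so that the shell
# sees exactly one literal word, with no splitting, no ';' and no $expansion.
quoted_form() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# UNSAFE: the command line built the way the original script built it.
# The password text becomes part of the shell source that eval parses.
unsafe_change() {
    INJECTED=0
    eval "fake_dscl . -passwd /Users/AppleAdminAccount $1"
}

# SAFE: the same command with the password passed through quoted_form.
safe_change() {
    INJECTED=0
    eval "fake_dscl . -passwd /Users/AppleAdminAccount $(quoted_form "$1")"
}

# Demonstration on constructed passwords. 'hello; INJECTED=1' stands in for
# 'hello; rm -Rf $HOME'; 'pa$HOME' shows parameter expansion.
for pw in 'hello; INJECTED=1' 'pa$HOME'; do
    unsafe_change "$pw"
    printf 'unsafe : %-18s -> %d args, password=[%s], injected=%s\n' \
        "$pw" "$FAKE_DSCL_ARGC" "$FAKE_DSCL_PASSWORD" "$INJECTED"
    safe_change "$pw"
    printf 'quoted : %-18s -> %d args, password=[%s], injected=%s\n' \
        "$pw" "$FAKE_DSCL_ARGC" "$FAKE_DSCL_PASSWORD" "$INJECTED"
done
# A password containing a single quote is the case that breaks naive
# backslash escaping; quoted_form handles it by closing and reopening quotes.
safe_change "it's a \$ecret"
printf 'quoted : %-18s -> %d args, password=[%s]\n' \
    "it's a \$ecret" "$FAKE_DSCL_ARGC" "$FAKE_DSCL_PASSWORD"
```

Quoting fixes the parsing problem only. Both dscl -passwd and security set-keychain-password -o ... -p ... still receive the old and new passwords as command-line arguments, which any local user can read from the process list with ps while the command runs, so on a shared machine that is a second thing to weigh before pushing this out through BigFix.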