#1 2014-08-01 05:07:41 pm

dajames
Member
Registered: 2014-07-04
Posts: 9

Script to change local admin account

I'm in the midst of designing a process for a College to manage our Macs as simply as possible.  We'll be using IEM BigFix for endpoint management, and I am attempting to put a lot of basic configuration tools into AppleScripts so that our student workers will be able to click and go when configuring Macs, whether they are familiar with Macs or not.

I created this script this afternoon with the hope that I can turn this into something which can be distributed as an application through BigFix (or a modified version saved as Fixlets, another kind of technical issue entirely) so that we can send out a change to the local admin user we put on all Macs.

Please critique whether this makes sense or not.

Also, these are not the actual names of the local admin, obviously, and eventually my buttons and feedback to the users will be far less sarcastic.

Applescript:


-- Ask for the new password twice and loop until both entries match or the
-- operator gives up. Cancelling a dialog raises an error that the enclosing
-- try swallows, so mens_sana is initialised outside it and simply stays false.
set mens_sana to false
try
    repeat while mens_sana is false
        display dialog "Enter the new password for AppleAdminAccount " default answer "" with hidden answer
        set newPassword to text returned of result

        display dialog "Enter it one more time to validate that they are the same" default answer "" with hidden answer
        set nudePassword to text returned of result

        if newPassword = nudePassword then
            set mens_sana to true
        else
            display dialog "Tsk. Watch your typing. Go for another lap?" with icon note buttons {"Go on – I'll get it this time", "No more – I suck"} default button 1
            if button returned of result is "No more – I suck" then exit repeat
        end if
    end repeat
end try

-- now that the previous unpleasantness is behind us, we commence with the fun

-- Only touch the account when both entries matched. newPassword is spliced
-- into the command unquoted, so /bin/sh interprets any shell metacharacter
-- it contains; "with administrator privileges" prompts for admin credentials.
try
    if mens_sana then
        do shell script "dscl . -passwd /Users/AppleAdminAccount " & newPassword with administrator privileges
    end if
on error errMsg
    display dialog "Password change failed: " & errMsg buttons {"OK"} default button 1
end try

Last edited by dajames (2014-08-01 05:08:57 pm)


#2 2014-08-04 06:03:17 am

Woggledog
Member
Registered: 2012-12-06
Posts: 150

Re: Script to change local admin account

dscl should work fine for what you're trying to do.

However: Do not forget to change the login.keychain password as well:

Applescript:

-- currentPassword is the password the login keychain is protected with now;
-- quoted form of keeps shell metacharacters in either value from being parsed
do shell script "security set-keychain-password -o " & quoted form of currentPassword & " -p " & quoted form of newPassword

Otherwise you'll end up with hideous UX issues (being prompted after logging in, etc.).

The problem is, you'll need to know the user's existing password, check that it's correct and then move on.

Applescript:

set passwordGood to false
-- the owner of /dev/console is the user logged in at the GUI
-- (stat -f%Su /dev/console returns the same name without the word parsing)
set doshellresults to do shell script "ls -l /dev/console"
set loggedInUser to word 3 of doshellresults
repeat while not passwordGood
    display dialog "Enter the existing password for AppleAdminAccount " default answer "" with hidden answer
    set existingPassword to text returned of result
    try
        -- dscl exits non-zero (an AppleScript error) when the password is wrong,
        -- so reaching the next line means it was verified; note that the password
        -- is briefly visible in the process list as a command-line argument
        do shell script "dscl . -authonly " & quoted form of loggedInUser & " " & quoted form of existingPassword
        set passwordGood to true
    end try
end repeat

So, you've now tested the password and it's good. Let's now change the login.keychain. You'd place this line after the set mens_sana to true

Applescript:

-- run as the logged-in user, not with administrator privileges: it is that
-- user's own login keychain being re-keyed
do shell script "security set-keychain-password -o " & quoted form of existingPassword & " -p " & quoted form of newPassword

There is a lot more that you should do though, if you were being thorough:
Check that the new password complies with any password policy you've set
check that it has no white space
escape nasty characters like \

You get the drift

Hope that this helps

Paul "changing passwords on the mac is the bane of my life" fidler


#3 2014-08-04 07:48:55 am

DJ Bazzie Wazzie
Member
From: the Netherlands
Registered: 2004-10-20
Posts: 2778

Re: Script to change local admin account

Woggledog wrote:

Check that the new password complies with any password policy you've set
check that it has no white space
escape nasty characters like \


First of all, thanks for the exchange!

Isn't quoted form of enough to bypass those issues you've mentioned?

When using do shell script it's best to always use quoted form of, especially when the given data is untrusted. What if I type "hello; rm -Rf $HOME" as my password (I know it's an extreme example)? You'll probably see that this new password will remove my entire home folder. When a user types a new password containing a semicolon (or several), it will create unexpected results and update the administrator with a new password that nobody knows.


#4 2014-08-04 09:18:12 am

Woggledog
Member
Registered: 2012-12-06
Posts: 150

Re: Script to change local admin account

"quoted form of" should be used at all times. Completely agree.

I also have a subroutine that adds in extra \ where need be, which also works.


#5 2014-08-04 04:36:15 pm

dajames
Member
Registered: 2014-07-04
Posts: 9

Re: Script to change local admin account

Thanks for the feedback, everyone.  Fantastic tip about the keychain.

Yes, this is a local admin which exists (or will be checked to exist) for every computer.  The PC local admin account can be changed with AD group policy.  The most straightforward way I see to make a similar change on Macs without involving something like Centrify is to send out a dscl command like that through endpoint management.  Only the network admins will be deciding on what the local admin password should be, so I figured that I do not need to bother with any verification to match policy or complexity.

I have a script for creating the hostname of the Mac, which is then bound to AD, and it has a couple of more precise verification passes.  One is a verification loop that spits it back if it is longer than 15 characters (our MS AD limitation), and the other calls a shell-script sed command to strip out all spaces and anything that is not alphanumeric or a dash.  I was going to post that on the forum as well.

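The hostname clean-up and length check described in the post above, as an added example in shell that is not the poster's own script: sanitize_hostname keeps only ASCII letters, digits and hyphens (tr -cd stands in for the sed command the post mentions and does the same job), and validate_hostname applies the 15-character AD/NetBIOS limit the post names. The rule rejecting a leading or trailing hyphen is a DNS hostname-label rule added here, and apply_hostname shows the scutil calls that would set the names on macOS; both are additions, and apply_hostname is not run by the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sanitize and validate a Mac hostname
# before it is handed to the AD bind. Assumptions: 15-character NetBIOS limit
# (the post's "MS AD limitation"); tr -cd in place of the post's sed command;
# leading/trailing-hyphen rule taken from DNS hostname-label conventions.

# Keep only ASCII letters, digits and hyphens; spaces, punctuation and
# non-ASCII bytes are dropped. LC_ALL=C keeps the ranges byte-based.
# (sed equivalent: sed 's/[^A-Za-z0-9-]//g')
sanitize_hostname() {
  printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9-'
}

# Print a reason and return 1 when an (already sanitized) name is unusable.
validate_hostname() {
  name=$1
  if [ -z "$name" ]; then
    echo "empty after sanitizing"
    return 1
  fi
  if [ "${#name}" -gt 15 ]; then
    echo "longer than 15 characters (${#name})"
    return 1
  fi
  case $name in
    -*|*-)
      echo "starts or ends with a hyphen"
      return 1 ;;
  esac
  return 0
}

# Combined step: sanitize, validate, print the usable name (nothing on failure),
# which is what the AppleScript loop would hand back to the operator.
prepare_hostname() {
  clean=$(sanitize_hostname "$1")
  if validate_hostname "$clean" >/dev/null; then
    printf '%s' "$clean"
  fi
}

# macOS application of the result (needs root; not run by the demo): all three
# names are set so the AD bind and Bonjour agree on the machine's name.
apply_hostname() {
  name=$(prepare_hostname "$1") || return 1
  [ -n "$name" ] || return 1
  scutil --set HostName "$name"
  scutil --set LocalHostName "$name"
  scutil --set ComputerName "$name"
}

# Demo on constructed input when run directly.
for candidate in "Lab 12 (Mac Mini)!" "Student Lab iMac 07" "-kiosk_03"; do
  clean=$(sanitize_hostname "$candidate")
  if reason=$(validate_hostname "$clean"); then
    printf '%-22s -> %s\n' "$candidate" "$clean"
  else
    printf '%-22s -> rejected: %s\n' "$candidate" "$reason"
  fi
done
```

The order matters: the length check runs after sanitizing, since stripping characters can only shorten the name, and the operator should be told the length of the name that would actually be applied.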

#6 2014-08-05 03:23:53 am

DJ Bazzie Wazzie
Member
From: the Netherlands
Registered: 2004-10-20
Posts: 2778

Re: Script to change local admin account

dajames wrote:

Only the network admins will be deciding on what the local admin password should be, so I figured that I do not need to bother with any verification to match policy or complexity.


But those passwords more often contain characters that are special characters for bash, like the dollar sign for example. So, yes, you should always use quoted form of to avoid injection or parameter expansion in bash. A network admin will often choose a password containing upper and lower case characters, numbers and at least one special character.

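The quoting point made in #3, #4 and the post above, applied to the do shell script lines in #1 and #2, as an added example that is not code from the thread. do shell script hands its string to /bin/sh -c, so the shell below does the same thing with eval and builds the dscl and security commands both the way #1 builds them (password concatenated bare) and with a quoted_form function that does what AppleScript's quoted form of does (single quotes around the value, each embedded single quote turned into '\''). fake_dscl, fake_security and mark_injected are stand-ins that only record what arguments reached them, so the example runs anywhere without touching a real account; AppleAdminAccount is the placeholder name from the thread, and mark_injected plays the part of the "rm -Rf $HOME" in #3.

```shell
#!/bin/sh
# Added example (not from the thread): what /bin/sh does with the command
# string that `do shell script` assembles, with and without `quoted form of`.
# dscl, security and the injected command are replaced by stand-in functions.

ADMIN_USER="AppleAdminAccount"   # placeholder account name from the thread

# Stand-in for `dscl . -passwd /Users/<user> <password>`: records how many
# arguments arrived and which one landed in the password slot.
fake_dscl() {
  FAKE_DSCL_ARGC=$#
  FAKE_DSCL_PASSWORD=$4
}

# Stand-in for `security set-keychain-password -o <old> -p <new>`.
fake_security() {
  FAKE_SECURITY_OLD=$3
  FAKE_SECURITY_NEW=$5
}

# Benign marker standing in for an injected command such as `rm -Rf $HOME`.
INJECTED=0
mark_injected() { INJECTED=1; }

# Same transformation as AppleScript's `quoted form of`: wrap the value in
# single quotes and turn each embedded single quote into '\'' so the shell
# parser sees one literal word. (The command substitution would drop trailing
# newlines, which dialog input never contains.)
quoted_form() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# `do shell script` equivalent: the string is parsed and run as shell code.
# /bin/sh -c would parse it identically; eval keeps the stand-ins in scope.
do_shell_script() {
  eval "$1"
}

reset_state() {
  INJECTED=0
  FAKE_DSCL_ARGC=0
  FAKE_DSCL_PASSWORD=
  FAKE_SECURITY_OLD=
  FAKE_SECURITY_NEW=
}

# Post #1's construction: "dscl . -passwd /Users/AppleAdminAccount " & newPassword
change_password_unquoted() {
  reset_state
  do_shell_script "fake_dscl . -passwd /Users/$ADMIN_USER $1"
}

# The same command with `quoted form of newPassword`.
change_password_quoted() {
  reset_state
  do_shell_script "fake_dscl . -passwd /Users/$ADMIN_USER $(quoted_form "$1")"
}

# Post #2's keychain step with both secrets quoted.
update_keychain_quoted() {
  reset_state
  do_shell_script "fake_security set-keychain-password -o $(quoted_form "$1") -p $(quoted_form "$2")"
}

# Demo with a constructed password when run directly.
pw='hello; mark_injected'
change_password_unquoted "$pw"
printf 'unquoted: dscl got %d args, password=%s, injected=%d\n' \
  "$FAKE_DSCL_ARGC" "$FAKE_DSCL_PASSWORD" "$INJECTED"
change_password_quoted "$pw"
printf 'quoted:   dscl got %d args, password=%s, injected=%d\n' \
  "$FAKE_DSCL_ARGC" "$FAKE_DSCL_PASSWORD" "$INJECTED"
```

Unquoted, the semicolon ends the dscl command and whatever follows runs as a second command, and a password containing $HOME is silently expanded before dscl sees it; quoted, the whole value arrives as the fourth argument exactly as typed. The remaining exposure, which quoting does not remove, is that the password is an argument of dscl and so visible in the process list for the moment the command runs.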
