Recreating Management Accounts

wdfraser
New Contributor

I was wondering if anyone knew how to update the password for a computer's management account via the API or via a script. Or, also, if someone knows a better solution to the following problem.

My situation is this: We use the JSS QuickAdd package to create a hidden management account. We also randomize all the management account passwords once per week. When a user upgrades their machine from 10.6 or 10.7 to 10.7 or 10.8, all "service" (sub-500) accounts are removed as part of the installation process, leaving us without a management account. In the past we used to detect if the account was missing and redeploy a QuickAdd package via policy if this was the case; however, with the change to enrollment this would wipe all the location data for machines. I have put a script together to recreate our hidden management account, similar to what we use to create our hidden local admin account, however I have no way to update the password field on the JSS for the computer information.

Does anyone know a solution to this issue, whether it be how to update the password in the JSS or another solution for recreating the management account.

2 REPLIES

yr_joelbruner
New Contributor III

You know, I think you hit the nail on the head for the issue/solution:

"When a user upgrades their machine from 10.6 or 10.7 to 10.7 or 10.8, all "service" (sub-500) accounts are removed as part of the installation process, leaving us without a management account."

The answer then is to make the UID not below 500! I just tested this theory out by changing the UID on caspermanage to 666 and did an upgrade from 10.7 to 10.8 and it was still there, yay!

Here's the one-liner command:
dscl localhost -change /Local/Default/Users/caspermanage UniqueID 80 666

Of course use any UID value you feel comfortable with :)
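The UID change above, written out as a reusable script (an added example, not code from the thread or from JAMF). It picks the lowest free UID at or above 500 instead of a hard-coded one, re-owns the account's home directory so nothing is left owned by the old UID, and re-hides the account, since a UID of 500 or more is no longer hidden automatically. The account name "caspermanage" comes from the thread; the 500-599 range, the loginwindow HiddenUsersList hiding method (the pre-10.10 way) and the Darwin/root guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): move a hidden management account off a
# sub-500 "service" UID so an OS upgrade leaves it in place.
# Assumptions: account name "caspermanage", free UID chosen from 500-599,
# hiding done via the loginwindow HiddenUsersList preference.
set -eu

ACCOUNT="${1:-caspermanage}"

# Print the lowest UID in [lo, hi] not already taken. Reads "name uid" lines
# on stdin, i.e. the output of: dscl . -list /Users UniqueID
# Exits non-zero if the range is exhausted.
next_free_uid() {
    lo="$1"; hi="$2"
    awk -v lo="$lo" -v hi="$hi" '
        { taken[$2] = 1 }
        END {
            for (u = lo; u <= hi; u++) if (!(u in taken)) { print u; exit 0 }
            exit 1
        }'
}

# True when the UID is in the range the thread reports upgrades dropping.
is_service_uid() { [ "$1" -lt 500 ]; }

# macOS only, needs root: change the UID, re-own the home, re-hide the user.
migrate_uid() {
    name="$1"
    old=$(dscl . -read "/Users/$name" UniqueID | awk '{print $2}')
    if ! is_service_uid "$old"; then
        echo "$name already has UID $old, nothing to do"
        return 0
    fi
    new=$(dscl . -list /Users UniqueID | next_free_uid 500 599)
    dscl . -change "/Users/$name" UniqueID "$old" "$new"
    home=$(dscl . -read "/Users/$name" NFSHomeDirectory | awk '{print $2}')
    [ -d "$home" ] && chown -R "$new" "$home"
    # A UID >= 500 shows up at the login window; hide it explicitly.
    defaults write /Library/Preferences/com.apple.loginwindow \
        HiddenUsersList -array-add "$name"
    echo "$name: UID $old -> $new"
}

# Only act when actually on macOS as root; elsewhere the functions are inert.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    migrate_uid "$ACCOUNT"
fi
```

Run it once as root before the upgrade (or from a policy); a second run is a no-op because the UID is already at or above 500. Anything else the account owns outside its home directory (e.g. files under /var) still needs a separate chown.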

rtrouton
Release Candidate Programs Tester

You could also create an EA to check for the presence of the hidden management user and push a QuickAdd installer if the hidden user isn't found. The QuickAdd should put the hidden user account back.

If you want to make the process independent of Casper, you could have a QuickAdd package hosted on a web server and a LaunchDaemon / script on your machines. The LaunchDaemon would run the script, which in turn would check for the presence of the hidden account. If the user account isn't found, use curl to download the QuickAdd. Once downloaded, the script installs the QuickAdd and puts back the management account (and possibly the Casper agent as well).