Home > Mac administration, Mac OS X > Performing password resets on Yosemite with unsetpassword

Performing password resets on Yosemite with unsetpassword

One issue that can crop up for Mac admins is the problem of “I don’t want to know my users’ passwords, but I need to set up their accounts.” When setting up accounts from a directory service like Active Directory or Open Directory, this problem can be avoided because it’s relatively easy to set up a Mac to use an account from a directory service without ever needing to know the user’s password.

The situation is different for local users with admin privileges on a machine though, as the Mac admin has two ways to proceed:

  1. Set a password on the local account, then give the password to the user.
  2. Set the password of the local account to be blank.

The first approach means that the Mac admin knows the password, which is a security issue. The second approach means that there’s no password at all and the user may opt to keep it that way, which is a greater security issue.

To help address this issue, the new unsetpassword tool in Yosemite allows an admin to set up a new local account with admin rights, then remove the account’s existing password and require a new one be set on the next login.

The unsetpassword tool does not have a man page. To learn how it works, run the following command in the Terminal:

unsetpassword --help

Screen Shot 2014-12-19 at 9.32.45 PM

One thing to be aware of is that while the password is removed, the account’s login keychain is not and will still be set to use the previous password. On login, the user will be prompted to create a new keychain.

Screeny Video Dec 19, 2014, 9.24 8091

To demonstrate how to use unsetpassword, I’ve made a video showing the following process:

  1. Running unsetpassword on the logged-in account
  2. The Mac shutting down
  3. Booting the Mac
  4. Setting a new password on the next login
  5. Choosing to create a new keychain

Note: The video has been edited to artificially reduce the amount of time it took to boot after the shutdown. Run time of the pre-edited video was 2 minutes, forty seconds.

  1. December 20, 2014 at 6:22 am

    One could avoid the keychain drama by deleting the login.keychain right before running unsetpassword.

  2. December 20, 2014 at 6:24 am

    The fact it only works on admin users is strange and unwelcome.

  3. December 20, 2014 at 6:53 am

    If you want to accomplish something similar on Mavericks or earlier, or you want to unset the password on a non-admin account, you can login with an admin account (or an account with sudo rights) either via the GUI or via SSH and do this:

    sudo dscl . passwd /Users/username “”
    sudo pwpolicy -u username -setpolicy “newPasswordRequired=1”
    sudo rm ~temp/Library/Keychains/login.keychain

    (You might also want to remove the Local Items keychain — I leave that as an exercise for the reader)

    pwpolicy -setpolicy is deprecated in Yosemite, but still works.

  4. December 20, 2014 at 6:58 am

    Sorry, that third command should be:

    sudo rm ~username/Library/Keychains/login.keychain

    I really should just be posting on my own blog…

  5. Rhett Johnson
    December 23, 2014 at 6:33 pm

    “When setting up accounts from a directory service like Active Directory or Open Directory, this problem can be avoided because it’s relatively easy to set up a Mac to use an account from a directory service without ever needing to know the user’s password.”

    Can you provide an example of how? Do you mean change the users password to a temp password? then prompt to change password on next login?

  6. Rhett Johnson
    December 23, 2014 at 6:58 pm

    very nice. THANKS!

  7. JohnR
    August 30, 2016 at 6:43 pm

    Just found this post and would be super useful in our environment if it weren’t for the fact that we use FileVault 2. Before I deploy our macs, I’ve already enabled FileVault 2 and the disk is already fully encrypted by the time it gets to the user. When I run this, it says that the password cannot be left blank with FileVault enabled. Any workarounds or other solutions?
    Thanks!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: