
Performing password resets on Yosemite with unsetpassword

One issue that can crop up for Mac admins is the problem of “I don’t want to know my users’ passwords, but I need to set up their accounts.” When setting up accounts from a directory service like Active Directory or Open Directory, this problem can be avoided because it’s relatively easy to set up a Mac to use an account from a directory service without ever needing to know the user’s password.

The situation is different for local users with admin privileges on a machine though, as the Mac admin has two ways to proceed:

  1. Set a password on the local account, then give the password to the user.
  2. Set the password of the local account to be blank.

The first approach means that the Mac admin knows the password, which is a security issue. The second approach means that there’s no password at all and the user may opt to keep it that way, which is a greater security issue.

To help address this issue, the new unsetpassword tool in Yosemite allows an admin to set up a new local account with admin rights, then remove the account's existing password and require that a new one be set on the next login.

The unsetpassword tool does not have a man page. To learn how it works, run the following command in the Terminal:

unsetpassword --help


One thing to be aware of is that while the password is removed, the account’s login keychain is not and will still be set to use the previous password. On login, the user will be prompted to create a new keychain.


To demonstrate how to use unsetpassword, I’ve made a video showing the following process:

  1. Running unsetpassword on the logged-in account
  2. The Mac shutting down
  3. Booting the Mac
  4. Setting a new password on the next login
  5. Choosing to create a new keychain

Note: The video has been edited to artificially reduce the amount of time it took to boot after the shutdown. The run time of the unedited video was 2 minutes, 40 seconds.

  1. December 20, 2014 at 6:22 am

    One could avoid the keychain drama by deleting the login.keychain right before running unsetpassword.

  2. December 20, 2014 at 6:24 am

    The fact it only works on admin users is strange and unwelcome.

  3. December 20, 2014 at 6:53 am

    If you want to accomplish something similar on Mavericks or earlier, or you want to unset the password on a non-admin account, you can login with an admin account (or an account with sudo rights) either via the GUI or via SSH and do this:

    sudo dscl . passwd /Users/username ""
    sudo pwpolicy -u username -setpolicy "newPasswordRequired=1"
    sudo rm ~temp/Library/Keychains/login.keychain

    (You might also want to remove the Local Items keychain — I leave that as an exercise for the reader)

    pwpolicy -setpolicy is deprecated in Yosemite, but still works.

  4. December 20, 2014 at 6:58 am

    Sorry, that third command should be:

    sudo rm ~username/Library/Keychains/login.keychain

    I really should just be posting on my own blog…

  5. Rhett Johnson
    December 23, 2014 at 6:33 pm

    “When setting up accounts from a directory service like Active Directory or Open Directory, this problem can be avoided because it’s relatively easy to set up a Mac to use an account from a directory service without ever needing to know the user’s password.”

    Can you provide an example of how? Do you mean change the user's password to a temp password, then prompt to change the password on next login?

  6. Rhett Johnson
    December 23, 2014 at 6:58 pm

    very nice. THANKS!

  7. JohnR
    August 30, 2016 at 6:43 pm

    Just found this post, and it would be super useful in our environment if it weren't for the fact that we use FileVault 2. Before I deploy our Macs, I've already enabled FileVault 2 and the disk is already fully encrypted by the time it gets to the user. When I run this, it says that the password cannot be left blank with FileVault enabled. Any workarounds or other solutions?
    Thanks!
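An added example, not code from the post or from any commenter: the dscl/pwpolicy/keychain steps from comment 3 (with the path correction from comment 4) wrapped in the checks an admin would want before touching an account, including refusing up front when FileVault is on, the failure JohnR describes. It assumes the macOS tools dscl, pwpolicy and fdesetup, root privileges, and moves the old login keychain aside instead of deleting it; the script filename is hypothetical.

```shell
#!/bin/sh
# Added example (not from the post or its comments): the dscl/pwpolicy route
# from comment 3, with the correction from comment 4, wrapped in the checks an
# admin wants before touching an account. Assumes the macOS tools dscl,
# pwpolicy and fdesetup, and must run as root (sudo).
#
# Exit status: 0 = done, 1 = a tool failed, 2 = no such local user,
# 3 = FileVault is on (a blank password is refused there, see comment 7).
reset_local_password() {
    user="$1"

    # The account must exist in the local node ("."); directory users are not handled here.
    if ! dscl . -read "/Users/$user" RecordName >/dev/null 2>&1; then
        echo "no local account named '$user'" >&2
        return 2
    fi

    # Check FileVault before changing anything, so a refusal leaves the account untouched.
    if fdesetup status | grep -q "FileVault is On"; then
        echo "FileVault is enabled; not blanking the password for '$user'" >&2
        return 3
    fi

    # Blank the password and require a new one at the next login.
    dscl . passwd "/Users/$user" "" || return 1
    pwpolicy -u "$user" -setpolicy "newPasswordRequired=1" || return 1

    # The login keychain is still encrypted with the old password. Move it aside
    # with a timestamp instead of rm so it can be restored if that password turns up.
    home=$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{print $2}')
    kc="$home/Library/Keychains/login.keychain"
    if [ -f "$kc" ]; then
        mv "$kc" "$kc.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    return 0
}

# Usage: sudo sh reset_local_password.sh username
if [ $# -eq 1 ]; then
    reset_local_password "$1"
fi
```

The Local Items keychain mentioned in comment 3 is left untouched, as in the original commands.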
