NU-ITS / LAPSforMac

Local Administrator Password Solution for Mac
MIT License

Randomising password and keychains #8

Closed jelockwood closed 6 years ago

jelockwood commented 6 years ago

I could not see any notes in the Wiki, the issues (i.e. here) or Jamf Nation about this, although I may have missed one.

Similar local admin password randomisation tools to this one typically fail to solve the issue that when the local admin account's password is changed via a script it then becomes out of sync with that user account's 'Login' and 'Local Items' keychains. As an example, this does apply to the similar macOSLAPS project.

Therefore this is a request to, if not already covered, include steps to change the passwords for the local admin account's 'Login' and 'Local Items' keychains to match the new randomised password when this LAPSforMac script runs.

As far as I can see the following could be the basis or at least partial basis for such a solution:

```sh
#!/bin/sh
localAdmin="localadmin"
oldPassword="ye-olde-password"
newPassword="shiny-shiny-password"
# The directory is spelled "Keychains"; the original "KeyChains" only works on a case-insensitive filesystem
keychainDir="/Users/$localAdmin/Library/Keychains"
if [ -e "$keychainDir/login.keychain" ]
then
    # old file name (before macOS 10.12)
    /usr/bin/security set-keychain-password -o "$oldPassword" -p "$newPassword" "$keychainDir/login.keychain"
elif [ -e "$keychainDir/login.keychain-db" ]
then
    # new file name (macOS 10.12 and later)
    /usr/bin/security set-keychain-password -o "$oldPassword" -p "$newPassword" "$keychainDir/login.keychain-db"
fi
# Apparently the security command does not understand the 'Local Items' keychain however hypothetically…
# hardUUID=`system_profiler SPHardwareDataType | awk '/UUID/ { print $3; }'`
# /usr/bin/security set-keychain-password -o "$oldPassword" -p "$newPassword" "$keychainDir/$hardUUID/keychain-2.db"
# Could simply delete the 'Local Items' keychains using the following
# /bin/rm -rf "$keychainDir/$hardUUID"
```
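An added example of the keychain re-sync step described above; this is neither the LAPSforMac project's code nor the issue author's snippet. It re-keys the login keychain with `security set-keychain-password`, proves the new password works with `security unlock-keychain` so a silent mismatch is caught immediately, and moves the 'Local Items' keychain directory aside instead of deleting it. The `SECURITY_BIN` override, the `/Users/localadmin` home path and passing the hardware UUID as an argument are assumptions made for this example; it assumes it runs as root on the Mac right after the account password has been rotated.

```shell
#!/bin/sh
# Added example, not code from the LAPSforMac project or the issue author.
# Assumptions: runs as root on the Mac after the account password rotation;
# SECURITY_BIN, the home path and the UUID argument are example choices.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"   # overridable for testing

# Print the login keychain path for a home directory. The newer
# login.keychain-db name (macOS 10.12+) is checked before the older
# login.keychain. Returns 1 if neither file exists.
login_keychain_path() {
    _home="$1"
    for _f in login.keychain-db login.keychain; do
        if [ -e "$_home/Library/Keychains/$_f" ]; then
            printf '%s\n' "$_home/Library/Keychains/$_f"
            return 0
        fi
    done
    return 1
}

# Re-key the login keychain from the old to the new password, then prove the
# new password works by unlocking (and re-locking) the keychain.
# Exit codes: 0 ok, 1 no login keychain, 2 re-key failed (the old password is
# probably already out of sync), 3 verification with the new password failed.
sync_login_keychain() {
    _home="$1"; _old="$2"; _new="$3"
    _kc=$(login_keychain_path "$_home") || return 1
    "$SECURITY_BIN" set-keychain-password -o "$_old" -p "$_new" "$_kc" || return 2
    "$SECURITY_BIN" unlock-keychain -p "$_new" "$_kc" || return 3
    "$SECURITY_BIN" lock-keychain "$_kc"
    return 0
}

# The 'Local Items' keychain lives in a directory named after the hardware
# UUID and cannot be re-keyed with security(1). Renaming that directory
# (rather than rm -rf) keeps a copy for recovery and lets macOS build a
# fresh one at the next login. The UUID is passed in so the caller does the
# lookup (system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }').
reset_local_items_keychain() {
    _dir="$1/Library/Keychains/$2"
    [ -d "$_dir" ] || return 1
    mv "$_dir" "$_dir.pre-rotation.$(date +%Y%m%d%H%M%S)"
}

# Usage on a Mac, as root, immediately after the account password is rotated:
#   sync_login_keychain /Users/localadmin "$OLD_PASSWORD" "$NEW_PASSWORD"
#   reset_local_items_keychain /Users/localadmin \
#       "$(system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }')"
```

Two practical points: the re-key only works while the previous password is still known, so it has to run in the same step as the rotation, before the old value is discarded (exit code 2 is the signal that the keychain was already out of sync and needs a reset instead). And, as in the snippet above, both passwords appear on the `security` command line and are briefly visible in the process list; that is inherent to `set-keychain-password -o/-p` and is one reason to keep the rotation script's run short and root-only.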