joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Few problems #32

Closed ThrashinVictim closed 5 years ago

ThrashinVictim commented 5 years ago
  1. After I run macoslaps, it deletes the plist.
  2. It seems to be not reading the plist.
  3. It is stating "unable to connect to local directory" and the admin name is wrong even though I changed it in the PLIST.

Not sure what I am doing wrong.

Thank you.

joshua-d-miller commented 5 years ago

@liamrpowell how are you creating the PLIST? Are you using the defaults command or are you just placing a PLIST file in /Library/Preferences/?

ThrashinVictim commented 5 years ago

Thanks for the reply. I am placing the plist file in /Library/Preferences/.

joshua-d-miller commented 5 years ago

So when placing a PLIST file in that directory you may need to run killall cfprefsd before running LAPS, as it will not have synchronized yet. The safest thing to do is to either create each preference like so:

defaults write /Library/Preferences/edu.psu.macoslaps LocalAdminAccount "youradmin"
defaults write /Library/Preferences/edu.psu.macoslaps PasswordLength -int 12
defaults write /Library/Preferences/edu.psu.macoslaps DaysTillExpiration -int 60

This way the preferences are synchronized right away. The other thing you could do is use Tim Sutton's mcxToProfile which would create a configuration profile out of the PLIST. That would also take effect right away. Lastly and probably the best method would be to create a configuration profile in an MDM such as jamf Pro or Airwatch. I realize you may not have those options but the immediate and easiest solution would be either using the defaults command for each entry in the PLIST or using killall cfprefsd as an admin to synchronize preferences.

Hope this helps

ThrashinVictim commented 5 years ago

Thanks, I did the defaults write with my settings. But still getting "unable to connect to local directory."

joshua-d-miller commented 5 years ago

@liamrpowell Do you know if your local admin is a secureToken user?

ThrashinVictim commented 5 years ago

yes.

joshua-d-miller commented 5 years ago

@liamrpowell You will need to specify the FirstPass attribute as in order to change the password for a secureToken user we must know the old password. Once the password has been changed once, the new password is always stored in the System.keychain to reference for the next change.

ThrashinVictim commented 5 years ago

What is the correct syntax to enable that?

joshua-d-miller commented 5 years ago

You would just need to specify the FirstPass key by either configuration profile or the defaults command so something like:

defaults write /Library/Preferences/edu.psu.macoslaps FirstPass "InitialPasswordOfAccountHere"

ThrashinVictim commented 5 years ago

Ok, but if I put the password there, wouldn't it stay in the edu.psu.macoslaps.plist file?

joshua-d-miller commented 5 years ago

Yes, but this is a burner password that won't mean anything once the utility has run. Most people, when they install macOSLAPS, which is usually at the time of building the device, will run the utility, which makes the password random. In efforts to secureToken this was the best method. I am currently exploring other methods to make this even better.
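The two recurring points in this thread are that a hand-placed plist may not carry the types the `defaults write -int` calls produce, and that the `FirstPass` burner password stays on disk in the preference file after the first rotation. The script below is an added example, not code from the macOSLAPS project: it builds the same preference dictionary the three `defaults write` lines above would create, renders those commands, and audits an existing `edu.psu.macoslaps.plist` for missing keys, wrong types, and a lingering `FirstPass`. The key names and types come from the thread; the audit messages, the `build_prefs`/`audit_prefs`/`defaults_commands` helpers, and the temporary-file path are assumptions made for the example.

```python
import os
import plistlib
import shlex
import tempfile

# Keys named in the thread and the types the `defaults write` calls give them
# (-int for the two numeric keys). FirstPass is optional and only needed once.
REQUIRED_KEYS = {
    "LocalAdminAccount": str,
    "PasswordLength": int,
    "DaysTillExpiration": int,
}
DOMAIN = "/Library/Preferences/edu.psu.macoslaps"  # defaults appends .plist


def build_prefs(admin, length, days, first_pass=None):
    """Dictionary equivalent to the defaults write commands in the thread."""
    prefs = {
        "LocalAdminAccount": admin,
        "PasswordLength": length,
        "DaysTillExpiration": days,
    }
    if first_pass is not None:
        # Only required for a secureToken admin on the very first rotation.
        prefs["FirstPass"] = first_pass
    return prefs


def defaults_commands(prefs, domain=DOMAIN):
    """Render the equivalent `defaults write` lines, typing integers with -int.
    Without -int, defaults stores the value as a string, which is one way a
    hand-written plist ends up with PasswordLength as "12" instead of 12."""
    lines = []
    for key, value in prefs.items():
        if isinstance(value, bool) or not isinstance(value, int):
            lines.append(f"defaults write {domain} {key} {shlex.quote(str(value))}")
        else:
            lines.append(f"defaults write {domain} {key} -int {value}")
    return lines


def write_prefs(path, prefs):
    """Write an XML plist, as a configuration profile or defaults would."""
    with open(path, "wb") as fh:
        plistlib.dump(prefs, fh)


def audit_prefs(path):
    """Return a list of findings for the preference file at `path` (empty = ok)."""
    findings = []
    try:
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)
    except FileNotFoundError:
        return ["plist not found"]
    for key, expected in REQUIRED_KEYS.items():
        if key not in prefs:
            findings.append(f"missing key {key}")
        elif type(prefs[key]) is not expected:  # exact type: bool must not pass as int
            findings.append(
                f"{key} should be {expected.__name__}, got {type(prefs[key]).__name__}"
            )
    if "FirstPass" in prefs:
        findings.append(
            "FirstPass still present: the initial password remains on disk; "
            "remove the key once macOSLAPS has rotated the account"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: a first-run plist for a secureToken admin.
    workdir = tempfile.mkdtemp()
    plist_path = os.path.join(workdir, "edu.psu.macoslaps.plist")
    prefs = build_prefs("youradmin", 12, 60, first_pass="InitialPasswordOfAccountHere")
    print("\n".join(defaults_commands(prefs)))
    write_prefs(plist_path, prefs)
    for finding in audit_prefs(plist_path):
        print("finding:", finding)
```

Run it on a real Mac by pointing `audit_prefs` at `/Library/Preferences/edu.psu.macoslaps.plist` (as root, since the file is not world-readable in every setup); an empty list means the keys and types match what the thread prescribes and no burner password is left behind.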

ThrashinVictim commented 5 years ago

Thanks for the info.