One issue that can crop up for Mac admins is the problem of “I don’t want to know my users’ passwords, but I need to set up their accounts.” When setting up accounts from a directory service like Active Directory or Open Directory, this problem can be avoided because it’s relatively easy to set up a Mac to use an account from a directory service without ever needing to know the user’s password.
The situation is different for local users with admin privileges on a machine, though, as the Mac admin has only two ways to proceed:
- Set a password on the local account, then give the password to the user.
- Set the password of the local account to be blank.
The first approach means that the Mac admin knows the password, which is a security issue. The second approach means that there’s no password at all and the user may opt to keep it that way, which is a greater security issue.
To help address this issue, the new unsetpassword tool in Yosemite allows an admin to set up a new local account with admin rights, then remove that account’s existing password and require a new one to be set at the next login.
The unsetpassword tool does not have a man page. To learn how it works, run the following command in the Terminal:
```
unsetpassword --help
```
One thing to be aware of is that while the account password is removed, the account’s login keychain is not: it remains protected by the previous password. At the next login, the user will be prompted to create a new keychain.
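The workflow this enables is: create the local admin account with a throwaway password the admin never has to retain, have the user log in once and run unsetpassword, and let the user set a real password at the following login. The script below is an added example written for this post, not part of unsetpassword or of the original article. It assumes OS X 10.10 or later with sysadminctl available for account creation and an operator with sudo rights; the account names and the 20-character password length are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original post): stage a new local admin account
# with a throwaway password, ready for the user to log in once and run
# `unsetpassword`, which removes the password and shuts the Mac down.
#
# Assumptions: OS X 10.10 or later, run by an admin with sudo rights, and
# sysadminctl available for account creation. Account names are hypothetical.

# Accept only POSIX-safe account names: a lowercase letter first, then
# lowercase letters, digits, '_' or '-', 2..31 characters in total.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z]*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 31 ]
}

# Generate a random throwaway password of N alphanumeric characters.
# LC_ALL=C keeps tr from rejecting non-UTF-8 bytes read from /dev/urandom.
throwaway_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Create the account with a one-time password and print the remaining
# manual step. The password only has to survive one login, because
# unsetpassword removes it before the Mac is handed to the user.
stage_admin_account() {
    user="$1"
    valid_username "$user" || { echo "bad account name: $user" >&2; return 1; }
    tmp_pw="$(throwaway_password 20)"
    sudo sysadminctl -addUser "$user" -admin -password "$tmp_pw" || return 1
    echo "Account $user created with one-time password: $tmp_pw"
    echo "Next: log in as $user, run 'unsetpassword' in Terminal, and let the Mac shut down."
    echo "At the next login $user sets a real password and is asked to create a new login keychain."
}

# Only act when given exactly one account name on a Mac; otherwise just define
# the functions so the file can be sourced or tested elsewhere.
if [ "$#" -eq 1 ] && [ "$(uname -s)" = Darwin ]; then
    stage_admin_account "$1"
fi
```

Run it as `sh stage_admin.sh alice` on the Mac being set up. The old login keychain still exists after unsetpassword runs and is still locked with the throwaway password, so the user choosing to create a new keychain at the next login is the expected outcome rather than a fault.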
To demonstrate how to use unsetpassword, I’ve made a video showing the following process:
- Running unsetpassword on the logged-in account
- The Mac shutting down
- Booting the Mac
- Setting a new password on the next login
- Choosing to create a new keychain
Note: The video has been edited to artificially shorten the time it took to boot after the shutdown. The run time of the unedited video was 2 minutes, 40 seconds.