As of macOS 10.13/14, this tool no longer works due to SIP protection on the location of the file that this was editing. This is merely a proof of concept now. If you are deploying devices older than 10.13, this tool will still work, however I would highly recommend upgrading your deployment solution.
When deploying laptops, it helps to have a repeatable, manageable, scriptable solution to generate and list passwords for devices. This specific LAPS deals with Macs, but the code can be modified or altered to check for a specific operating system and generate passwords that way.
Every device has the same administrator password. This isn't secure, scalable, or helpful.
If we need to give out the admin password for any reason, this allows us to do so, and generate a new password for replacement of the admin user per device.
The current way we are doing this for deployment is through the following:
- Create a virtual env
- Install pip modules into venv
- Place files into venv
- Package venv
- Place on deployment server
Currently you will need to modify your file so that it generates a password without removing the directory that the salt is placed in (which, if done appropriately, should be the same folder your Python script is in).
Requirements
- Have a brew-compatible/installed python
Known compatible pip modules
- pyobjc 4.1
- biplist 1.0.3
- passlib 1.7.1
Directions
- Git clone this repository.
- Run
pip install -r requirements.txt
- Use your favorite text editor and change the following lines (for now):
  - Line 83 - modify /tmp/password_gen_secrets/salt.file to the path of your salt file location
  - Line 88 - modify default=True to default=False
  - Line 101 - modify default=False to default=True
This will allow you to generate passwords for one time use on a new line in the console.
- Run the following command:
python lapsmac.py -sn SERIALNUMBERHERE
- Type or give out administrator password for use
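
The sketch below is an added example, not code from lapsmac.py: it shows one way a per-device password can be derived from a serial number and a secret salt file, and why the salt file's location and permissions matter. The PBKDF2 scheme, the iteration count, the function names and the sample serial number are all assumptions made for illustration.

```python
import base64
import hashlib
import os
import stat

ITERATIONS = 200_000  # assumed work factor, not taken from lapsmac.py


def load_salt(path):
    """Read the secret salt, refusing files that group/other can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path, "rb") as fh:
        salt = fh.read().strip()
    if len(salt) < 16:
        raise ValueError("salt file must hold at least 16 bytes of random data")
    return salt


def device_password(serial, salt, length=20):
    """Derive a repeatable per-device password from serial number + salt."""
    serial = serial.strip().upper()  # same result however the serial is typed
    if not serial:
        raise ValueError("serial number is empty")
    raw = hashlib.pbkdf2_hmac("sha256", serial.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    # Base32 (A-Z, 2-7) keeps the password easy to type at a login window.
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 5] for i in range(0, length, 5))


if __name__ == "__main__":
    import tempfile
    # Constructed sample salt and serial number, for demonstration only.
    fd, path = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    os.write(fd, b"constructed-sample-salt-0123456789")
    os.close(fd)
    print(device_password("C02XK0AAJG5H", load_salt(path)))
    os.remove(path)
```

With a scheme like this, anyone who can read the salt file can recompute the password of every device from its serial number, so the salt belongs in a directory only the deployment account can read rather than under /tmp.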