Ok so here is the deal. You have a company… you have local admin accounts… so you don’t need any passwords to install updates etc.

Well your users set a password on their screensaver and you don’t know it…. toast right???? NOPE

Two ways to do this either ssh to the machine with the local admin account and change the following file or push a replacement through ARD to the client. NO reboot is needed and it will work right away


The contents need to be changed to the following (In between the lines)

auth optional pam_krb5.so
auth required pam_opendirectory.so nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account sufficient pam_group.so no_warn group=admin wheel fail_safe
account required pam_group.so no_warn deny group=admin wheel ruser fail_safe

Once that change is made you can right away unlock the screensaver with your local admin password and keep on keepin’ on.