How to Retrieve Mac OS X 10.8 Active Directory Computer Account Password
Written on January 11, 2013

Active Directory bound Mac OS X computers traditionally stored the computer account credentials in /Library/Preferences/DirectoryService/ActiveDirectory.plist. As of OS X 10.7, this has been moved to the (theoretically) more secure System Keychain. Because of this, a slightly different method has to be employed to extract the computer account password. Fortunately, this is easier than the old plist method. Simply run the following command in Terminal as root (or any sudoer):

security find-generic-password -w -s "/Active Directory/MARGIESTRAVEL" /Library/Keychains/System.keychain

This command broken down:

If you want your script to be redistributable (hint: you do), you can do the following to get the name of the computer’s domain:

dscl localhost -list "/Active Directory"

This will return the name of the computer’s domain. You could update the command above to implement this like so:

security find-generic-password -w -s "/Active Directory/$(dscl localhost -list "/Active Directory")" /Library/Keychains/System.keychain

All we’re doing here is replacing the “MARGIESTRAVEL” component of the name of the keychain item with the command that asks dscl for the name of the computer’s domain. Easy!

P.S. here’s how to get the AD computer account name as well. Doesn’t deserve a blog post, but an interesting little snippet:

security find-generic-password -s "/Active Directory/MARGIESTRAVEL" /Library/Keychains/System.keychain | grep -m 1 "acct" | sed -e 's/"acct"<blob>\="//' -e 's/"//' | tr -d ' '

(This one just returns the whole keychain item and looks for the first line containing “acct”. It then removes all the useless info around the outside of the computer name.)
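
The two lookups above, combined into one script that reports only the computer account name and stops cleanly when the Mac is not bound. This is an added example, not code from the original post. The function names, the sample keychain dump and the account name mac-lab-01$ are constructed for illustration, and treating more than one line of dscl output as an error is a defensive assumption.

```shell
#!/bin/sh
# Added example: report which AD computer account a Mac holds in the System
# keychain, without printing the password itself.
KEYCHAIN=/Library/Keychains/System.keychain

# Read `dscl localhost -list "/Active Directory"` output on stdin and print
# the domain name. Fails when the output is empty (not bound) or ambiguous.
ad_domain() {
    awk 'NF { n++; d = $0 } END { if (n != 1) exit 1; print d }'
}

# Read a `security find-generic-password` attribute dump on stdin and print
# the first "acct" value. Anchored on the whole line, so spaces inside the
# name survive and an empty (<NULL>) attribute yields no output.
ad_account() {
    sed -n 's/^[[:space:]]*"acct"<blob>="\(.*\)"$/\1/p' | head -n 1
}

# Constructed sample of the attribute dump, used when not running on a Mac.
sample_item() {
    cat <<'EOF'
keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="/Active Directory/MARGIESTRAVEL"
    "acct"<blob>="mac-lab-01$"
    "svce"<blob>="/Active Directory/MARGIESTRAVEL"
EOF
}

report() {
    if ! command -v dscl >/dev/null 2>&1; then
        sample_item | ad_account    # no dscl here: parse the sample instead
        return
    fi
    domain=$(dscl localhost -list "/Active Directory" 2>/dev/null | ad_domain) || {
        echo "not bound to exactly one Active Directory domain" >&2
        return 1
    }
    security find-generic-password -s "/Active Directory/$domain" "$KEYCHAIN" | ad_account
}

report
```
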
