Open Directory

Authenticate users and search for contact information in Open Directory and LDAP directories using Open Directory.

Posts under Open Directory tag

5 Posts
Post | Replies | Boosts | Views | Activity


Issue Updating User Password via OpenDirectory API with Root Daemon Privileges
Description: I am attempting to use the OpenDirectory API ODRecord.changePassword to change a user's password without needing the old password, given that I have the appropriate permissions. The goal is to ensure that the password change operation bypasses third-party tools such as EDR or eBPF apps that might otherwise intercept commands, as the operation occurs directly via the API.

Problem: When invoking the OpenDirectory API from a launch daemon with root privileges, I receive the following error message:

    Error Domain=com.apple.OpenDirectory Code=4001 "Operation was denied because the current credentials do not have the appropriate privileges." UserInfo={NSUnderlyingError=0x135907570 {Error Domain=com.apple.OpenDirectory Code=4001 "Credential cannot update user's SecureToken" UserInfo={NSDescription=Credential cannot update user's SecureToken}}, NSLocalizedDescription=Operation was denied because the current credentials do not have the appropriate privileges., NSLocalizedFailureReason=Operation was denied because the current credentials do not have the appropriate privileges.}

It seems the error is related to SecureToken, and the underlying issue is that the current credentials (even though they are root-level) do not have the necessary privileges to update the SecureToken status for the user.

Steps I’ve Taken:
- Tested the API via a launch daemon running with root privileges.
- Ensured that Full Disk Access was granted to the daemon, but this did not resolve the issue.

Request:
- Has anyone encountered this specific issue where root privileges are insufficient to update the user password via the OpenDirectory API?
- What additional steps or permissions are required for a user password change?
- Is there a specific API or method to elevate the privileges for modifying SecureToken, or a workaround to overcome this limitation?

Any insights or guidance on this issue would be greatly appreciated! Thank you in advance for your help!

Replies: 12 | Boosts: 1 | Views: 309 | Activity: 5d

Fetch workgroup / active directory domain name programmatically in Obj-C / Swift
Previously, I used to have the below code to get the workgroup / domain name of the active directory service provider.

    SCDynamicStoreRef storeRef = SCDynamicStoreCreate(NULL, (CFStringRef)@"GetWorkgroup", NULL, NULL);
    CFPropertyListRef global = SCDynamicStoreCopyValue(storeRef, CFSTR("State:/Network/Global/SMB"));
    id workgroup = [(__bridge NSDictionary *)global valueForKey:@"Workgroup"];

On a few Macs (probably starting from Sonoma), the workgroup property is not set. What is the alternative to get this information programmatically?

Replies: 1 | Boosts: 0 | Views: 287 | Activity: Oct ’24

LAContext not accepting programmatically changed user's password for authentication
I have used the functionality of changing a user's password programmatically using the OpenDirectory framework. Once the password is updated successfully, this password can be used for login sessions and authentication wherever required. But the same password is failing to authenticate with the Local Authentication framework, that is, with LAContext, which always prefers the older password. Even restarting the machine won't work.

Changing the current user's password using the below method:

    do {
        let node = try ODNode(session: ODSession.default(), type: ODNodeType(kODNodeTypeLocalNodes))
        let user = try node.record(withRecordType: kODRecordTypeUsers, name: NSUserName(), attributes: nil)
        try user.changePassword(currentPassword, toPassword: newPassword)
        print("Password changed successfully")
    } catch let error {
        print(error)
    }

Once the password is updated, I then try to authenticate the password with LAContext using:

    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "AuthenticationMessage".localized()) { success, error in
        DispatchQueue.main.async {
            completion(success, error)
        }
        print("authentication error = \(String(describing: error?.localizedDescription))")
    }

It won't accept the updated password. Any idea how to solve this problem?

Replies: 3 | Boosts: 0 | Views: 644 | Activity: Jul ’24

Network Name (local domain Name) of a Mac (Mac-OS)
I want to get the network-name (domain-name) on my Mac-Machine. Where in the Settings does this domain name get configured? I refer to this page which talks about computer name and host name; I could find where my hostname is present (Settings->General->Sharing->local host name) but not anything related to the network-name (local-domain). I even tried to fetch this info using the Linux API getdomainname; the API call succeeded but it returns nothing.

    #include <iostream>
    #include <unistd.h>
    #include <limits.h>
    #include <cstring>

    int main() {
        char domainname[255];
        // Get the domain name
        if (getdomainname(domainname, 255) != 0) {
            std::cout << "Error getting domain name" << std::endl;
            return 1;
        }
        std::cout << "Domain name: " << domainname << std::endl;
        return 0;
    }

Output:

    Domain name:

I even came across Search-Domains. Does it have anything to do with the network-name (domain name of the machine)?

Replies: 5 | Boosts: 0 | Views: 1.1k | Activity: Apr ’24