Given a valid FileVault personal recovery key (PRK) and an existing local user, this script turns the PRK into a temporary local user, uses it to create a helper admin account, then destroys and re-creates the given user with a default password and a secure token. It finally rotates the PRK and prints the new key as a plist.
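#!/bin/bash
#
# promote_personal_recovery_key_to_admin_user.sh <personal recovery key> <user to "reset"> [new password]
#
# e.g. "promote_personal_recovery_key_to_admin_user.sh 6323-AHJD-1231-4234-GHJ1-FH23 user1"
#
# What happens, in order:
#   1. the PRK is validated with fdesetup and the user to reset is exported
#      (minus AuthenticationAuthority) to a temp file -- nothing is changed yet;
#   2. a throw-away local user "prk" is created whose password IS the PRK and whose
#      AuthenticationAuthority is ";SecureToken;" so it can act as a secure-token holder;
#   3. "prk" is used to create a helper admin "anotheruser" (or anotheruserN, first free
#      name) whose password is the PRK with a dash appended; "prk" is then deleted.
#      The user to reset is only deleted once the helper exists and holds a secure token;
#   4. the user to reset is deleted and re-imported, given the new password ("password"
#      unless a third argument is supplied) and a secure token granted by the helper admin;
#   5. a new PRK is generated; the plist holding the new key is the ONLY thing written to
#      stdout -- all progress and diagnostics go to stderr, so `$(this_script ...)` works.
#
# Security notes for whoever runs this:
#   * The new PRK on stdout is the only copy -- capture it and escrow it (MDM etc.).
#   * The helper admin "anotheruser*" is NOT removed and its password is derived from
#     the OLD recovery key, which anyone who was given the old key still knows.
#     Delete or re-password it once the recovered user is verified to work.
#   * "password" is a placeholder; when it is used the recovered user is flagged to
#     change it at next login (best effort), but do not leave it in place.
#   * dscl/sysadminctl only take passwords on argv, so the PRK and the new passwords are
#     briefly visible in `ps`; do not enable `set -x` where the trace could be captured.
#   * If something fails after the user has been deleted, the dsexport file is kept and
#     its path printed so the record can be re-imported by hand; delete it afterwards,
#     it contains the user's directory record.
set -u

PRK="${1:-}"
USERTORECOVER="${2:-}"
# Third argument overrides the default password for the recovered user.
NEWPASSWORDFORRECOVEREDUSER="${3:-password}"
HELPERUSER_BASE="anotheruser"

log()  { printf '%s\n' "$*" >&2; }
warn() { printf 'WARNING: %s\n' "$*" >&2; }
die()  { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Print an fdesetup input plist. Values are interpolated into the XML unescaped,
# so only pass values already checked against a safe character set (see below).
password_plist() {
  local username="$1" password="$2"
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0">' \
    '<dict>'
  if [[ -n "$username" ]]; then
    printf '<key>Username</key>\n<string>%s</string>\n' "$username"
  fi
  printf '<key>Password</key>\n<string>%s</string>\n</dict>\n</plist>\n' "$password"
}

# First UID >= 510 (the value the original hard-coded) that no local user already holds.
find_free_uid() {
  local uid=510
  while dscl . -list /Users UniqueID | awk -v u="$uid" '$2 == u { f = 1 } END { exit !f }'; do
    uid=$((uid + 1))
  done
  printf '%s\n' "$uid"
}

# anotheruser, anotheruser2, anotheruser3, ... -- the first name not yet taken.
pick_helper_name() {
  local n="" name
  while :; do
    name="${HELPERUSER_BASE}${n}"
    if ! id "$name" &>/dev/null; then
      printf '%s\n' "$name"
      return 0
    fi
    n=$(( ${n:-1} + 1 ))
  done
}

# sysadminctl reports on stderr and does not reliably signal failure via exit code,
# so inspect the status text instead.
secure_token_enabled() {
  [[ "$(sysadminctl -secureTokenStatus "$1" 2>&1)" == *ENABLED* ]]
}

remove_prk_user() {
  log "Deleting prk user"
  sysadminctl -deleteUser prk
}

[[ "$(whoami)" == "root" ]] || die "This script must be run as root"
[[ -n "$PRK" && -n "$USERTORECOVER" ]] \
  || die "usage: $0 <personal recovery key> <user to reset> [new password]"

# A PRK is six dash-separated groups of four alphanumerics. Rejecting anything else
# also keeps the key from breaking, or injecting into, the plist XML built above.
prk_re='^[A-Za-z0-9]{4}(-[A-Za-z0-9]{4}){5}$'
[[ "$PRK" =~ $prk_re ]] || die "Argument 1 does not look like a personal recovery key"
case "$USERTORECOVER" in
  */*|*[[:space:]]*) die "Invalid user name: $USERTORECOVER" ;;
esac

password_plist "" "$PRK" | fdesetup validaterecovery -inputplist \
  || die "Failed to validate given personal recovery key!"
id "$USERTORECOVER" &>/dev/null || die "User $USERTORECOVER doesn't exist!"
if id prk &>/dev/null; then
  die "User prk already exists!"
fi

# Export the record up front so a failure later can never leave us without a copy.
DSEXPORTFILE=$(mktemp) || die "mktemp failed"
USER_DELETED=0
USER_RESTORED=0
cleanup() {
  if (( USER_DELETED && ! USER_RESTORED )); then
    warn "user $USERTORECOVER was deleted but not restored; its dsexport is kept at $DSEXPORTFILE"
    warn "re-import with: dsimport $DSEXPORTFILE /Local/Default O  -- then delete that file"
  else
    rm -f -- "$DSEXPORTFILE"
  fi
}
trap cleanup EXIT

log "Exporting user $USERTORECOVER"
dsexport -r "$USERTORECOVER" -e dsAttrTypeStandard:AuthenticationAuthority \
  "$DSEXPORTFILE" /Local/Default Users \
  || die "dsexport failed; nothing has been changed"
[[ -s "$DSEXPORTFILE" ]] || die "dsexport produced an empty file; nothing has been changed"

log "Creating prk user"
PRK_UID=$(find_free_uid)
dscl . create /Users/prk GeneratedUID "$(uuidgen)" \
  && dscl . create /Users/prk UniqueID "$PRK_UID" \
  && dscl . create /Users/prk PrimaryGroupID 80 \
  && dscl . create /Users/prk NFSHomeDirectory /Users/prk \
  && dscl . create /Users/prk RealName prk \
  && dscl . create /Users/prk UserShell /bin/zsh \
  && dscl . create /Users/prk AuthenticationAuthority ';SecureToken;' \
  || { remove_prk_user; die "Failed to create prk user"; }
# Old and new password are both the PRK, as in the original invocation.
dscl . passwd /Users/prk "$PRK" "$PRK" \
  || { remove_prk_user; die "Failed to set the prk user's password"; }

ANOTHERUSERNAME=$(pick_helper_name)
ANOTHERPASSWORD="${PRK}-"
log "Creating user ${ANOTHERUSERNAME}"
sysadminctl -addUser "$ANOTHERUSERNAME" -password "$ANOTHERPASSWORD" \
  -admin -adminUser prk -adminPassword "$PRK"
id "$ANOTHERUSERNAME" &>/dev/null \
  || { remove_prk_user; die "Helper user $ANOTHERUSERNAME was not created; $USERTORECOVER left untouched"; }
secure_token_enabled "$ANOTHERUSERNAME" \
  || { remove_prk_user; die "Helper user $ANOTHERUSERNAME has no secure token; refusing to delete $USERTORECOVER"; }
remove_prk_user

log "Deleting user $USERTORECOVER"
dscl . delete "/Users/${USERTORECOVER}" || die "Failed to delete $USERTORECOVER"
USER_DELETED=1
log "Restoring user $USERTORECOVER"
dsimport "$DSEXPORTFILE" /Local/Default O || die "dsimport failed"
id "$USERTORECOVER" &>/dev/null || die "dsimport did not recreate $USERTORECOVER"
USER_RESTORED=1

log "Setting default password for user $USERTORECOVER"
dscl . passwd "/Users/${USERTORECOVER}" "$NEWPASSWORDFORRECOVEREDUSER" \
  || die "Failed to set password for $USERTORECOVER"
if [[ -z "${3:-}" ]]; then
  # Placeholder password in use: ask for a change at next login (best effort only).
  pwpolicy -u "$USERTORECOVER" -setpolicy "newPasswordRequired=1" >/dev/null 2>&1 \
    || warn "could not flag $USERTORECOVER for a password change at next login"
fi

log "Assigning secure token to user $USERTORECOVER"
sysadminctl -secureTokenOn "$USERTORECOVER" -password "$NEWPASSWORDFORRECOVEREDUSER" \
  -adminUser "$ANOTHERUSERNAME" -adminPassword "$ANOTHERPASSWORD"
TOKENSTATUS=$(sysadminctl -secureTokenStatus "$USERTORECOVER" 2>&1)
log "$TOKENSTATUS"
[[ "$TOKENSTATUS" == *ENABLED* ]] || warn "$USERTORECOVER does not report a secure token"

log "Generating new personal recovery key"
password_plist "$ANOTHERUSERNAME" "$ANOTHERPASSWORD" \
  | fdesetup changerecovery -personal -outputplist -inputplist \
  || die "fdesetup changerecovery failed; the old recovery key is most likely still valid"
warn "helper admin $ANOTHERUSERNAME still exists with a password derived from the OLD recovery key; remove it"
warn "the new recovery key was printed to stdout above and exists nowhere else; escrow it now"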