2

Prior to Mac OS X Yosemite, admins were able to disable an Open Directory user by taking advantage of the pwpolicy commands below:

pwpolicy -a diradmin -p password -u username -disableuser  

or

pwpolicy -a diradmin -p password -u username -setpolicy 'isdisabled=1'

However, since updating to Yosemite, users are not actually disabled with these settings, and they are deprecated in the man pages. Terminal will process them as if they were successful, but the Server Admin GUI will still show the users as active, and they will still be able to access shared files.

According to the pwpolicy man page, "Account Policies" are the replacement for the various deprecated pwpolicy commands, as seen at http://www.manpagez.com/man/8/pwpolicy/. I'm having a bit of difficulty deciphering the format though. I simply need to disable a user, and I'm not finding the correct keyword setup.

Does anyone have any experience or suggestions?

Thanks!

Cosmic Ossifrage
FKICK

2 Answers

1

In El Capitan, you can use this:

pwpolicy -u target -disableuser

To reverse:

pwpolicy -u target -enableuser
jbruni
0

I am about to delve into this myself.

In Mavericks, you could use pwpolicy to set items, but to really see where they were stored, you used:

dscl . -read /Users/username PasswordPolicyOptions

so...... I just tried:

sudo dscl . -read /Users/ruthann accountPolicyData

and I got just a cryptic little response. So I guess we have to

dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1424277729.05691</real>
    <key>passwordLastSetTime</key>
    <real>1424293590.9081411</real>
</dict>
</plist>

The times are in "Unix time" seconds since 1/1/1970 00:00.

I am concerned with setting lengths and expirations and complexities. I will cruise over to Apple to see what I can find out, as I want to be able to change my password on this machine and anything I try is rejected because it doesn't match the policy.

Sven
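An added example, not part of either answer above: a short Python script that takes the `dscl . -read /Users/<name> accountPolicyData` output shown in the second answer, extracts the embedded plist, and converts its Unix-time values into UTC dates so password age can be audited. The function names are hypothetical, and the sample input is the output quoted in that answer.

```python
import plistlib
from datetime import datetime, timezone

# Sample input: the dscl output quoted in the answer above.
SAMPLE = """dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1424277729.05691</real>
    <key>passwordLastSetTime</key>
    <real>1424293590.9081411</real>
</dict>
</plist>
"""

def parse_account_policy_data(dscl_output):
    """Strip the dscl attribute header and parse the embedded XML plist."""
    start = dscl_output.find("<?xml")
    if start == -1:
        start = dscl_output.find("<plist")
    if start == -1:
        raise ValueError("no plist found in dscl output")
    return plistlib.loads(dscl_output[start:].encode("utf-8"))

def policy_times(data):
    """Convert every numeric '...Time' key to a timezone-aware UTC datetime."""
    return {
        key: datetime.fromtimestamp(value, tz=timezone.utc)
        for key, value in data.items()
        if key.endswith("Time") and isinstance(value, (int, float))
    }

def password_age_days(data, now):
    """Whole days since the password was last set, or None if not recorded."""
    last_set = data.get("passwordLastSetTime")
    if last_set is None:
        return None
    return (now - datetime.fromtimestamp(last_set, tz=timezone.utc)).days

if __name__ == "__main__":
    record = parse_account_policy_data(SAMPLE)
    for name, when in sorted(policy_times(record).items()):
        print(f"{name}: {when.isoformat()}")
    print("password age (days):", password_age_days(record, datetime.now(timezone.utc)))
```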