How do I lock a user's password?

1

Most Linux distros I've used have a passwd program which can be used to do things like forcibly expire passwords, or lock them to temporarily prevent password-based login. OS X does have a passwd program, but from its manual page, it doesn't seem to have any of these features. The Users & Groups preference pane doesn't seem to offer anything either save for a Reset Password… button, which is really not what I'm looking for.

How do I temporarily disable a user's password in OS X in such a way that I can reenable it without actually changing it?

Blacklight Shining

Posted 2013-02-21T15:23:07.137

Reputation: 2 127

Answers

1

Use pwpolicy. I don't think all of its options are available with local accounts, but you can certainly disable accounts with it:

sudo pwpolicy -u someusername -setpolicy isDisabled=1

Gordon Davisson

Posted 2013-02-21T15:23:07.137

Reputation: 28 538

0

I haven't tested this, but it applies to some unspecified version of OS X, so you might want to be careful (try it with a dummy user account):

For OS X 10.5 or older

Source article from hints.macworld

We can use the command line or NetInfo Manager to accomplish this. I will show the commands via the Terminal command line because it is easier for me. To disable the account, we insert the *:

sudo niutil -insertval . /users/user-in-question passwd '*' 0 

And to re-enable it, we remove the *:

sudo niutil -destroyval . /users/user-in-question passwd '*'

For OS X versions newer than 10.5

See this ServerFault question and the related answers. It's basically an exact duplicate of this question but for "OS X Server", which is basically the same as OS X as far as CLI administration is concerned.

By "disable password", I assume you mean "prevent from logging in". If that is not the case, then please clarify what you actually mean by "disable password", as this is a vague or unclear idea.

allquixotic

Posted 2013-02-21T15:23:07.137

Reputation: 32 256

I'm on Mountain Lion, which doesn't seem to have a niutil program at all. – Blacklight Shining – 2013-02-21T15:42:30.903

Sorry. http://stackoverflow.com/a/856531/420156 – allquixotic – 2013-02-21T15:48:38.263

Err, how is that related? – Blacklight Shining – 2013-02-21T15:51:52.213

Oh, niutil was replaced by dscl. dscl doesn't seem to have insertval or destroyval commands, though. – Blacklight Shining – 2013-02-21T15:54:17.313

If you have not tested it, why even suggest it, considering the command actually DOES not work? – Ramhound – 2013-02-21T16:46:06.557

He said OS X, and didn't state what version. It'd be like giving advice to click on the Start Menu to someone who says they're running "Windows" when they're actually running Windows 8. By not being specific, the burden is on the OP to clarify, not on me to magically divine what version he is using. – allquixotic – 2013-02-21T16:53:58.747

@Ramhound Okay, so I didn't test it, but given that which niutil returned a not-found error, I think it's safe to assume that niutil $anything would only get me zsh: command not found: niutil. – Blacklight Shining – 2013-02-21T17:25:19.923

@allquixotic Apologies. I did actually add the osx-mountain-lion tag to the question when I said in a comment that I was on Mountain Lion. By “disable password”, I meant the equivalent of Linux's sudo passwd --lock, which adds a leading ! to the password field of the relevant line in /etc/shadow, thus rendering the password hash invalid in an easily-undoable manner. This prevents password-based logins for that account in such a way that I can reenable [the password] without actually changing it, as I asked. OS X doesn't have such a passwd option, however, so I posted here. – Blacklight Shining – 2013-02-21T17:26:41.780
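
The Linux behaviour described in the last comment, as an added example that is not part of the original thread: a Python model of the leading ! on the /etc/shadow password field, showing why the lock is reversible and how to audit which accounts are locked. It models the Linux mechanism only; the function names, state labels and sample entries are assumptions constructed for illustration.

```python
"""Model of the /etc/shadow password-field lock described in the last comment.
All sample entries below are constructed; no real hashes are used."""

SAMPLE_SHADOW = """\
alice:$6$constructedsalt$CONSTRUCTEDHASHalice:19000:0:99999:7:::
bob:!$6$constructedsalt$CONSTRUCTEDHASHbob:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
newuser:!:19000:0:99999:7:::
"""

def lock(field):
    """Prefix the hash with '!' so it can never match; the hash itself is kept."""
    return field if field.startswith("!") else "!" + field

def unlock(field):
    """Strip one leading '!'. Refuse if that would leave an empty password."""
    if not field.startswith("!"):
        return field
    if field[1:] == "":
        raise ValueError("unlocking would leave a passwordless account")
    return field[1:]

def classify(field):
    """Return 'empty', 'no-hash', 'locked' or 'active' for a password field."""
    if field == "":
        return "empty"          # no password set at all
    rest = field.lstrip("!")
    if rest in ("", "*"):
        return "no-hash"        # '*', '!', '!!': nothing to restore
    return "locked" if field.startswith("!") else "active"

def audit(shadow_text):
    """Map each account name to the state of its password field."""
    report = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) != 9:     # shadow(5) entries have nine fields
            continue
        report[parts[0]] = classify(parts[1])
    return report

if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
```
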