Have you ever wanted or needed to change a user’s password policies from the command line? Read on to find out how
pwpolicy can help you manage user’s passwords without Workgroup Manager.If I had to pick just one nit to pick with Apple it would be the seemingly accidental secrecy that many of their products exist in. From the old ColorSync displays to the CLI bits of Mac OS X Server Apple seems to not care about letting people know about the cool stuff that they have.
pwpolicy, like many Mac OS X Server components is a good example of this. It can be a very useful tool, but it gets a grand total of two sentences in the Command Line Administration manual. And the two lines that it gets is just to tell you to read the man page!
As I said earlier,
pwpolicy is the CLI tool for adjusting the password policies of your Password Server users. (As of 10.3.4 or so you can also use
pwpolicy on the client on non-PWS users as well but it’s functionality seems to be limited.) Let’s say for example that I wanted to do something as simple as change a user’s password:
pwpolicy -a pws_admin -u usertochange -setpassword newpassword
Or you can do more complicated things. Let’s say I want to set a global policy that says passwords must be a minimum of 6 characters, a user can’t use a password that they have used in the previous 4 passwords, it must contain at least one number, and it must be changed every 30 days:
pwpolicy -a pws_admin -setglobalpolicy "minChars=6 usingHistory=4 requiresNumeric=1 maxMinutesUntilChangePassword=43200"
(Command is all one line of course…)
If I wanted to see what the global policies are set to I would use:
Some settings are by user, not global. These include:
Now you might be wondering why the heck you should care about using
pwpolicy since Workgroup Manger can set all of these settings, and it can even do them with bulk edits. That’s a good point, but what if you can’t get to a Workgroup Manager session? I can use
pwpolicy via an ssh session from a Windows box if need be, and there is one more great use for
Say you are using Joel’s spiffy OD adduser script but you want the users to be created with a default password and set the password policy to force a change on first login. You could just add a:
pwpolicy -a pws_admin -p pws_admin_password -u usertochange -setpolicy"newPasswordRequired=1"
(All one line of course and make sure to keep this script secure since it now has a password in it.)
to the end of the adduser script.
Here is another useful tip: Mac OS X Server dosen’t have a “login hours” type setting that can restrict the times a user can use a workstation. We can fake that setting with
First we need two simple shell scripts. One to disable the accounts and a second to enable them.
pwpolicy -a pws_admin -p pws_admin_password -u usertochange -setpolicy"isDisabled=1"
pwpolicy -a pws_admin -p pws_admin_password -u anotherusertochange -setpolicy"isDisabled=1"
The second script is the same except that “isDisabled=0” is the command. Then you just need to schedule the first one to run when you want to lock the users out and the re-enabling script when you want to let them back in. Note that this won’t force a logout on an active session, but it will stop any authentication attempts for that account until it is re-enabled.
As always, take a look a the pwpolicy man page for more info. I need to mention though that the current man page isn’t up to date with the current binary. The only difference is that the man page lacks the -convertdate option which will convert a human readable date (mm/dd/yy) into a GMT long number that can be used by the expirationDateGMT or hardExpireDateGMT policies.