Some of our pupils need very simple login credentials while staff still need to be locked down. Server.app's one-size-fits-all approach to password policy really doesn't work for us in this respect, but there is a workaround.
From 10.10 onwards, pwpolicy deprecated a whole bunch of commands and introduced an XML-based system for managing passwords called 'accountpolicies'. The best place to start on these is:
man pwpolicy
The guidance is rather patchy and there is no clear explanation of all the possible policy parameters, but we can set up the global policy in the GUI in Server.app, export the settings we want, then apply them via the command line or a script to specific users or groups. This works equally well for Local Users AND Local Network Users (OpenDirectory) accounts.
So start like this:
- Install Server.app on a client machine
- Open Server.app
- Click on Users in the left-hand pane
- Select either Local Users or Local Network Users from the drop-down (either works just the same; they are interchangeable).
- Click the cog at the bottom and choose 'Edit Password Policy'
- Choose your preferred policy options
- Click OK
If you set your policy in Server.app for Local Users, enter the following: -
sudo pwpolicy -getaccountpolicies > MyPolicies.xml
..or if you set them for Local Network Users enter: -
sudo pwpolicy
Great! You should now have a plist with all the policies you want to apply to specific users. You can now turn off the GlobalPolicy you set back in Server.app by unticking all the boxes, or from the command line enter: -
For Local Users...
sudo pwpolicy -clearaccountpolicies
For Local Network Users..
sudo pwpolicy -a
Applying this policy to a user is just as straightforward: -
For Local Users...
sudo pwpolicy -u
For Local Network Users..
sudo pwpolicy
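For bonus points, here's a script which will apply the policy to a particular user group (e.g. staff in my case).
#!/bin/bash
# Directory administrator credentials and the target group (fill these in)
diradminuser=
diradminpw=
group=
pwpolicy=/usr/bin/pwpolicy
policyxml=/path/to/MyPolicy.xml
# Read the group's members, one name per line
USERS=$(dscl /LDAPv3/127.0.0.1 -read /Groups/"$group" Member | tr " " "\n" | grep -v "Member:" | sort)
for USER in $USERS; do
    echo "setting policy for user: $USER"
    # Dry run: this only prints the command. Remove the leading "echo" to apply the policy.
    # Note that -p puts the admin password on the command line, where it is visible in the process list.
    echo "$pwpolicy" -a "$diradminuser" -p "$diradminpw" -u "$USER" -setaccountpolicies "$policyxml"
done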
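Before applying an exported file to staff accounts, it helps to see exactly which rules it contains. The following is an added example in Python, not part of the original post: it parses an accountpolicies export and lists every rule by category. The sample export is constructed, and the status line ahead of the XML is an assumption about what can end up in a redirected file.

```python
import plistlib

# The three top-level categories described in `man pwpolicy`.
CATEGORIES = ("policyCategoryAuthentication",
              "policyCategoryPasswordChange",
              "policyCategoryPasswordContent")

# Constructed sample export (not from the post). The first line mimics a
# status message landing in the redirected file, which is an assumption.
SAMPLE_EXPORT = b"""Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>policyCategoryPasswordContent</key><array><dict>
  <key>policyIdentifier</key><string>com.example.minlength</string>
  <key>policyContent</key><string>policyAttributePassword matches '.{12,}'</string>
  <key>policyParameters</key><dict><key>minimumLength</key><integer>12</integer></dict>
 </dict></array>
 <key>policyCategoryAuthentication</key><array><dict>
  <key>policyIdentifier</key><string>com.example.maxfailed</string>
  <key>policyContent</key><string>policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications</string>
  <key>policyParameters</key><dict><key>policyAttributeMaximumFailedAuthentications</key><integer>5</integer></dict>
 </dict></array>
</dict></plist>
"""

def load_policies(raw):
    """Parse an export, skipping any text that precedes the XML plist."""
    start = raw.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist found in export")
    return plistlib.loads(raw[start:])

def summarise(policies):
    """Return (category, identifier, rule, parameters) for every rule."""
    rows = []
    for category in CATEGORIES:
        for rule in policies.get(category, []):
            rows.append((category, rule.get("policyIdentifier", "?"),
                         rule.get("policyContent", ""),
                         dict(rule.get("policyParameters", {}))))
    return rows

def unexpected_keys(policies):
    """Top-level keys outside the documented categories, worth a manual look."""
    return sorted(set(policies) - set(CATEGORIES))

if __name__ == "__main__":
    for row in summarise(load_policies(SAMPLE_EXPORT)):
        print(*row, sep=" | ")
```

To check a real export, read the file in binary mode and pass its bytes to load_policies; a file that fails to parse here is one to fix before handing it to -setaccountpolicies.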
Good luck :)