Wednesday 7 December 2016

Set Password policy for specific users or groups in MacOS 10.10+

Working in a SEN (Special Educational Needs) school with a single user directory has its issues...

Some of our pupils need very simple login credentials while staff still need to be locked down. Server.app's one-size-fits-all approach to password policy really doesn't work for us in this respect, but there is a workaround.


From 10.10 onwards, pwpolicy deprecated a whole bunch of commands and introduced an XML-based system for managing password policies called 'accountpolicies'. The best place to start on these is:

man pwpolicy

The guidance is rather patchy and there is no clear explanation of all the possible policy parameters, but the approach is this: set the global policy in the GUI in Server.app, export the settings we want as a plist, then apply that plist via the command line or a script to specific users or groups. This works equally well for Local Users and Local Network Users (Open Directory) accounts.

So start like this:

  1. Install Server.app on a client machine
  2. Open Server.app
  3. Click on Users in the left-hand pane
  4. Select either Local Users or Local Network Users from the drop-down (either works just the same; the two are interchangeable here).
  5. Click the cog at the bottom and choose 'Edit Password Policy'
  6. Choose your preferred policy options
  7. Click OK

Now that we've set the options we want for all accounts, we can extract a plist (XML file) with the raw settings using the Terminal.

If you set your policy in Server.app for Local Users, enter the following:
sudo pwpolicy -getaccountpolicies > MyPolicies.xml

...or if you set them for Local Network Users, enter (replace the angle-bracket placeholders with your directory administrator's short name and password and the user to read from):
sudo pwpolicy -a <diradmin> -p <diradmin-password> -u <username> -getaccountpolicies > MyPolicies.xml

Great! You should now have a plist containing all the policies you want to apply to specific users. You can now turn off the global policy you set back in Server.app by unticking all the boxes, or from the command line enter:

For Local Users...
sudo pwpolicy -clearaccountpolicies

For Local Network Users...
sudo pwpolicy -a <diradmin> -p <diradmin-password> -clearaccountpolicies

Now, applying this policy to a user is just as straightforward:

For Local Users...
sudo pwpolicy -u <username> -setaccountpolicies /path/to/MyPolicies.xml

For Local Network Users...
sudo pwpolicy -a <diradmin> -p <diradmin-password> -u <username> -setaccountpolicies /path/to/MyPolicies.xml
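Before pointing -setaccountpolicies at a whole group, it is worth checking what the exported plist actually contains, since a pupil-grade policy applied to staff by mistake is exactly the failure this split is meant to avoid. The Python below is an added example, not code from the original post: the sample rules are constructed to mimic the accountpolicies layout (a category such as policyCategoryPasswordContent holding rules with a policyContent predicate, a policyIdentifier and policyParameters), and the "floor" check is an assumption about what you would want to enforce.

```python
import plistlib
import re

# Constructed sample (not an export from the post's server) in the layout that
# `pwpolicy -getaccountpolicies` writes: each category holds rules, each rule a
# policyContent predicate, a policyIdentifier and its policyParameters.
SAMPLE_POLICIES = {
    "policyCategoryPasswordContent": [{
        "policyIdentifier": "Minimum Length",
        "policyContent": "policyAttributePassword matches '.{8,}+'",
        "policyParameters": {"minimumLength": 8},
    }],
    "policyCategoryAuthentication": [{
        "policyIdentifier": "Maximum Failed Authentications",
        "policyContent": ("policyAttributeFailedAuthentications < "
                          "policyAttributeMaximumFailedAuthentications"),
        "policyParameters": {"policyAttributeMaximumFailedAuthentications": 5},
    }],
}
# The same data as XML plist bytes, as `> MyPolicies.xml` leaves it on disk.
SAMPLE_POLICY_XML = plistlib.dumps(SAMPLE_POLICIES)


def load_rules(plist_bytes):
    """Parse an exported policy into {category: [(identifier, predicate, params)]}."""
    return {
        category: [(rule.get("policyIdentifier", "(unnamed)"),
                    rule["policyContent"],
                    dict(rule.get("policyParameters", {})))
                   for rule in rules]
        for category, rules in plistlib.loads(plist_bytes).items()
    }


def minimum_length(plist_bytes):
    """Minimum password length the policy enforces, or 0 if it sets none.
    Uses the minimumLength parameter when present, else the .{N,} quantifier
    in the predicate, since an export does not always carry both."""
    for _, predicate, params in load_rules(plist_bytes).get("policyCategoryPasswordContent", []):
        if "minimumLength" in params:
            return int(params["minimumLength"])
        found = re.search(r"\.\{(\d+),", predicate)
        if found:
            return int(found.group(1))
    return 0


def policy_meets_floor(plist_bytes, required_length):
    """True if a policy about to be applied to a group (e.g. staff) is at least this strict."""
    return minimum_length(plist_bytes) >= required_length
```

Run it against your real MyPolicies.xml by reading the file as bytes (`open(path, "rb").read()`) and calling policy_meets_floor with the minimum you agreed for that group.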

For bonus points, here's a script which will apply the policy to a particular user group (e.g. staff in my case).
#!/bin/bash
# Apply an exported account policy to every member of an Open Directory group.
diradminuser=""   # directory administrator short name
diradminpw=""     # passed with -p, so it is visible to other local processes
                  # via `ps` while each pwpolicy call runs
group=""          # e.g. staff
pwpolicy=/usr/bin/pwpolicy
policyxml=/path/to/MyPolicies.xml

# Member short names of the group, one per line
USERS=$(dscl /LDAPv3/127.0.0.1 -read /Groups/"$group" Member | tr " " "\n" | grep -v "Member:" | sort)

for USER in $USERS; do
  echo "setting policy for user: $USER"
  "$pwpolicy" -a "$diradminuser" -p "$diradminpw" -u "$USER" -setaccountpolicies "$policyxml"
done

Good luck :)