Mailing Lists: Apple Mailing Lists


Re: [Fed-Talk] Disabling user accounts in OS X



On May 3, 2005, at 2:34 PM, Townsend, Trent W ERDC-ITL-MS wrote:

Does anyone know how to set the password in the NI database to a value that will effectively disable the account? I've read many articles online and in OS X books, and everything that is suggested does not work for me. Per DoD regulations, we are not allowed to have static account passwords on our systems (except the 1 admin user.) Thus we need to disable username/password access and configure CACs to allow access to that account. I would set the allowPasswordLogon value to 0, but then our admin account is of no value if something goes wrong in that case. If anyone has gotten this to work, please let me know how you accomplished it. Thanks.
 
Trent
 
Trent Townsend
ERDC Major Shared Resource Center
601.634.4051

Trent,

As noted on pg. 47/48 of the jointly developed "Security Configuration Guide" from NSA's SNAC Team which can be downloaded from [ http://www.nsa.gov/snac/ ], you will see:

(this is in reference to the root account, just use the account of interest in your case)

1.  Log into an administrator account and start the NetInfo Manager
    application found in /Applications/Utilities.
2.  Click on the users item located in the second column at the top of the
    NetInfo Manager panel. This will open the list of users in the third
    column.
3.  Click on the root item in the users column. The root user’s properties and
    any associated values will appear in the bottom panel of the window
    (Figure 19).
4.  Click on the lock in the lower left corner of the NetInfo Manager window.
    Type an administrator's short name and password into the authentication
    dialog that appears and click the OK button.
5.  If the property authentication_authority is listed in the bottom list in
    the window, click on it to highlight that property.
6.  Go to the top of the NetInfo Manager window and click the Delete icon to
    remove that property and value.
7.  Double click on the value associated with the passwd property located in
    that bottom property list, and the value should become highlighted for
    editing. This value will be a single asterisk if the root password has
    never been set, and either a string of asterisks or a password hash if a
    password has been set for root. (Which of these appear as the value for
    passwd depends upon how the root account was enabled.)
8.  Type a single asterisk (“*”), replacing the current value of the passwd
    property.
9.  Click the lock icon in the lower left corner of the NetInfo Manager window
    to re-lock the window.
10. When the Confirm Modification dialog box appears, select Update this
    copy.
11. Quit the NetInfo Manager application. Root login is now disabled.


If you are needing more information regarding Smart Card use, that has been provided on this list a few times and the updated Setup & Configuration Guide for Mac OS X 10.4 will be coming out. If you need more info now, let me know.


-Shawn

___________________________________________

Shawn Geddis                 

Security Consulting Engineer

Apple Computer - US Federal Government
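
An added example, not part of the original message or of the NSA guide: a shell check that a user record ended up in the state the quoted steps produce (no authentication_authority property, passwd set to a single asterisk). It assumes the record is supplied as "property: value" lines, as printed by `nicl . -read /users/<name>`; the function name and both sample records are constructed for illustration.

```shell
#!/bin/sh
# check_disabled: read one user record on stdin ("property: value" lines).
# Returns 0 only if password login is disabled in the sense of the steps above:
#   - no authentication_authority property (steps 5-6)
#   - passwd is exactly one asterisk (steps 7-8)
# Findings are printed without echoing the passwd value, which may be a hash.
check_disabled() {
    awk '
        /^authentication_authority:/ {
            print "FAIL: authentication_authority still present"; bad = 1
        }
        /^passwd:/ {
            seen = 1
            val = $0
            sub(/^passwd:[ \t]*/, "", val)   # strip the property name
            sub(/[ \t]+$/, "", val)          # strip trailing whitespace
            if (val != "*") {
                print "FAIL: passwd is not a single asterisk"; bad = 1
            }
        }
        END {
            if (!seen) { print "FAIL: no passwd property found"; bad = 1 }
            if (!bad)  print "OK: password login disabled"
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: record after the procedure has been applied.
SAMPLE_DISABLED='name: root
passwd: *
uid: 0
gid: 0
home: /var/root
shell: /bin/sh'

# Constructed sample: record with a password set (string of asterisks
# plus an authentication_authority property).
SAMPLE_ENABLED='name: root
authentication_authority: ;ShadowHash;
passwd: ********
uid: 0
gid: 0
home: /var/root
shell: /bin/sh'

# Demo on the constructed records; on a live system pipe the real record in.
printf '%s\n' "$SAMPLE_DISABLED" | check_disabled
printf '%s\n' "$SAMPLE_ENABLED"  | check_disabled || true
```
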

