Mailing Lists: Apple Mailing Lists


Re: force password change after a certain date



Pierre,

I don't know of a way to force password changes. I have not had 10.2 for long
enough to be 100% sure, but I am quite confident that older versions did not
allow this.

Here's an idea:

- you have to have a basic admin password - fine. Keep it secret. It will end
up on all machines but never mind.

- give your basic user account a password too - again, keep the initial
password a secret. Or even have it disabled - it doesn't matter

- create a "firstlogin" account. This account has no password (initially), so
the user can log in just by entering the username

- make an AppleScript that does the following:
* prompts for a new password
* generates the password hash
* does "sudo niutil ....... " in a shell
* then does another sudo niutil to disable login for "firstlogin"

- add the appropriate commands to /etc/sudoers (from command line using
visudo) to allow "firstlogin" to enter these commands without being prompted
for a password (and include the command to do a restart)

e.g.
firstlogin ALL = NOPASSWD: niutil ....... , niutil .........,
/sbin/shutdown -r now

(hmmm... since the hashed password is going to be part of the command you
enter, and the complete command has to be put in sudoers, I am not quite sure
how easy this is going to be...)

- the last part of the AppleScript is to do a logout (or a restart - since
that's a nice easy one to do in a sudo)

Hopefully that should do the trick. I have not done this exact thing before,
but I do something very similar to allow restarting in OS9. I have an account
called "restart9" which executes an AppleScript that does a couple of sudo
commands and reboots.

I may be able to help more if you need it...

By the way, which apps don't work for you in 10.2? I am contemplating a move
to 10.2 for a couple of labs because of bugs in 10.1.5, but I haven't tested
absolutely everything yet... enquiring minds want to know!

Stephen Brandon
email@hidden
www.brandonitconsulting.co.uk

On Thursday 12 September 2002 19:28, you wrote:
> Hi all,
>
> we are currently in the process of building up a DVD image with MacOS X
> 10.1.5 together with all the important apps (we had to give up on 10.2
> because some of the key apps don't work properly yet and we don't have
> enough time to wait longer). We want to distribute this DVD-image on
> iBooks and PowerBooks of our students. So far our tests went well and
> we are confident that we can make it.
>
> BUT: With this method we will produce hundreds of equally configured
> laptops. Fine, except that they will all have the same computer name,
> the same administrative user and very unfortunately the same password.
>
> - The computer name can be changed with a script in /etc/hostconfig. OK
> - the name of the administrative user can be changed with a script in
> netinfo. OK
> - the password can be changed in the netinfo. Possible but not strong
> enough
>
> How can we force the user that he cannot use the initial password? When
> the student starts the imaged machine for the first time we want to
> present him a dialog where he must change his password.
>
> Under Linux there is a change time for passwords. In "man 5 passwd" we
> found that under MacOS X this should also be possible. But what is the
> correct syntax and is it also written to Netinfo?
>
> Maybe someone can help?
>
> Regards,
> Pierre
_______________________________________________
maclabmanager mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/maclabmanager
Do not post admin requests to the list. They will be ignored.
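
The reply above notes that the complete command, arguments included, has to be listed in sudoers. The following audit is an added example, not part of the original post: it classifies each NOPASSWD command granted to one user by how tightly its arguments are pinned, following the matching rules in sudoers(5). The sample entries, the /usr/bin/niutil path and the wrapper path /usr/local/sbin/set-first-password are constructed assumptions.

```python
import re

# Constructed sample entries (not from the original message). The niutil path
# is assumed and /usr/local/sbin/set-first-password is a hypothetical wrapper.
SAMPLE = """\
firstlogin ALL = NOPASSWD: niutil, /sbin/shutdown -r now
firstlogin ALL = NOPASSWD: /usr/bin/niutil
firstlogin ALL = NOPASSWD: /usr/bin/niutil *
firstlogin ALL = NOPASSWD: /usr/local/sbin/set-first-password "", /sbin/shutdown -r now
"""

def split_commands(spec):
    """Split a command list on commas, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", spec)
    return [p.strip().replace("\\,", ",") for p in parts if p.strip()]

def classify(cmd):
    """Say how much freedom one sudoers command entry leaves the caller."""
    path, _, args = cmd.partition(" ")
    args = args.strip()
    if not path.startswith("/"):
        return "invalid: command is not an absolute path"
    if args == "":
        return "broad: no arguments listed, so any arguments are allowed"
    if args == '""':
        return "ok: runs only with no arguments"
    if re.search(r"(?<!\\)[*?\[]", args):
        return "broad: wildcard in arguments"
    return "ok: arguments pinned exactly"

def audit(text, user):
    """Return (command, verdict) pairs for every NOPASSWD entry of `user`."""
    entry = re.compile(r"\s*(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")
    findings = []
    for line in text.splitlines():
        m = entry.match(line)
        if not m or m.group(1) != user:
            continue
        for cmd in split_commands(m.group(2)):
            findings.append((cmd, classify(cmd)))
    return findings

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE, "firstlogin"):
        print(f"{verdict:58} {cmd}")
```

An entry that pins a root-owned wrapper with `""` keeps the new password out of the sudoers file and the command line, since the wrapper can read it from standard input.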

References: 
 >force password change after a certain date (From: Pierre Suter <email@hidden>)


