Re: [Fed-Talk] How to use pwpolicy for setting local password policies?
- Subject: Re: [Fed-Talk] How to use pwpolicy for setting local password policies?
- From: Joel Rennich <email@hidden>
- Date: Tue, 14 Jun 2005 16:40:53 -0500
Starting around 10.3.6 pwpolicy was about 90% functional on OS X
client without an OS X Server. The missing options were:
isDisabled - which can be done in other ways as described in much of
the security documentation around
isAdminUser - this refers to being a password server admin, so is
irrelevant without a password server
newPasswordRequired - this would force an immediate change, and would
certainly be useful to have
canModifyPasswordforSelf - a flag which would disallow the user from
changing their own password. Which is a policy violation in many cases.
more info on pwpolicy, specifically on OS X client at
http://www.afp548.com/article.php?story=20040926173146494
From what I have seen, all policies work locally on OSX client in
Tiger. But I can't say that I've exhaustively looked at them.
Joel Rennich
Consulting Engineer - Apple Enterprise Consulting Services
email@hidden - 217-721-3811
Changing the world, one server at a time.
On Jun 14, 2005, at 1:56 PM, Michael Kluskens wrote:
On Jun 14, 2005, at 2:21 PM, Dan O'Donnell wrote:
The man page for pwpolicy states that I can use a simple command with
specified arguments, along the lines of the following (for a single
user account):
A pre-Tiger reference:
Subject: Re: [Fed-Talk] Common Criteria Tools
From: Shawn Geddis <email@hidden>
Date: Thu, 17 Feb 2005 14:45:59 -0500
The pwpolicy command has indeed been a Mac OS X Server only
command up until specific needs existed for password enforcement
on a local machine. As it exists *on the client side*, it does not
support every option listed in the man page. The Common Criteria
Admin Guide covers those options required for Certification.
I will be providing clarification on what all is supported as of
this release and what everyone can expect going forward. This
would be posted to this list and to the Federal Website.
One point I should make: we have ALWAYS had specific needs for
password enforcement on all desktop computers, that Apple was
unable to deliver password enforcement in OS X 10.0.0 through OS X
10.3.9 for non-centrally managed workstation is not good, all of
our other Unix workstations have that ability.
The question now is does pwpolicy work for OS X 10.4.1 for a
non-centrally managed desktop.
Side note on Spotlight: When I first typed "pwpolicy" into the OS
X Mail search box it only found the Jun 14 message, so then I went
to the archives and used the search there
<http://search.lists.apple.com/>. Upon finding this Feb. 17 message in the
archives I went to my OS X Mail box which contains both messages
and found this Feb. 17 message, now of course the OS X Mail search
can find the message, now that I found it. I have commonly found
that these fancy new search engines can't find most non-English
words without being primed for them first.
michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden