[Fed-Talk] Setting Global Policy on Client - 'pwpolicy'
- Subject: [Fed-Talk] Setting Global Policy on Client - 'pwpolicy'
- From: "Shawn A. Geddis" <email@hidden>
- Date: Sun, 25 Nov 2007 14:30:51 -0500
On Nov 19, 2007, at 10:50 AM, Michael wrote:
> On Nov 16, 2007, at 12:29 PM, James Alcasid wrote:
>> By default there are no global policy defaults for passwords on MacOSX
>> Client and Server.
>> For what you are trying to accomplish check the man pages on pwpolicy.
>> What you are trying to accomplish might look something like this as an
>> example:
>> sudo pwpolicy -a the_admin_username -setglobalpolicy "minChars=8 maxMinutesUntilChangePassword=129600"
> Has anyone figured out how to get this to work in OS X 10.5 without
> having OS X Server? Server based password control is a no-go when
> you have laptops and other machines not permanently connected to the
> network. Every other OS handles this just fine.
> Michael
Michael,
You do not need Mac OS X Server for this to work. The 'pwpolicy'
command was brought over from OS X Server to OS X to meet requirements
for Common Criteria Certification.
If you just issue the pwpolicy on Mac OS X without the nodename then
you will get the error that password server is not configured.
$ sudo pwpolicy -getglobalpolicy
password server is not configured.
Problem is that you need to provide the local nodename for the local
domain on the client.
On Mac OS X 10.4: /NetInfo/DefaultLocalNode
On Mac OS X 10.5: /Local/Default
To display the Global Policy Settings...
$ sudo pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0
usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0
expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69
maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0
maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0
passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0
newPasswordRequired=0 minutesUntilFailedLoginReset=0
notGuessablePattern=0
For example, set the Global Policy Setting for 'minChars':
$ sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=5"
The instructions within the man page and the CC_AdminGuide are still
accurate **IF** you use the correct nodename to reflect which OS
version you are running on as I noted earlier in this message:
On Mac OS X 10.4: /NetInfo/DefaultLocalNode
On Mac OS X 10.5: /Local/Default
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
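The following shell script is an added example, not part of the original message or of Apple's documentation: it selects the local node name by OS version as described above and audits -getglobalpolicy output against a baseline. The function names and the baseline thresholds (borrowed from the command quoted earlier in the thread) are assumptions.

```shell
#!/bin/sh
# Baseline thresholds: assumed values, borrowed from the command quoted in the thread.
REQ_MIN_CHARS=8
REQ_MAX_AGE_MINUTES=129600

# Map a Mac OS X product version to the local node name given in the message.
node_for_version() {
    case "$1" in
        10.4|10.4.*) echo "/NetInfo/DefaultLocalNode" ;;
        10.5|10.5.*) echo "/Local/Default" ;;
        *) return 1 ;;   # the message only covers 10.4 and 10.5
    esac
}

# Print the value of one key from "key=value key=value ..." policy text.
policy_value() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        awk -F= -v k="$2" '$1 == k { print $2; found = 1; exit } END { exit !found }'
}

# Return 0 when the policy text meets the baseline; print one line per finding.
audit_policy() {
    rc=0
    min=$(policy_value "$1" minChars) || min=0
    age=$(policy_value "$1" maxMinutesUntilChangePassword) || age=0
    if [ "$min" -lt "$REQ_MIN_CHARS" ]; then
        echo "FAIL minChars=$min (want >= $REQ_MIN_CHARS)"; rc=1
    fi
    # 0 is the unset default shown in the message; treated here as "not enforced".
    if [ "$age" -eq 0 ] || [ "$age" -gt "$REQ_MAX_AGE_MINUTES" ]; then
        echo "FAIL maxMinutesUntilChangePassword=$age (want 1..$REQ_MAX_AGE_MINUTES)"; rc=1
    fi
    return $rc
}

# On a real client: resolve the node, then audit the live policy (not run by default).
audit_live() {
    node=$(node_for_version "$(sw_vers -productVersion)") || { echo "unsupported OS version"; return 2; }
    audit_policy "$(sudo pwpolicy -n "$node" -getglobalpolicy)"
}

# Excerpt of the default output quoted in the message, used as offline sample input.
SAMPLE_DEFAULTS='maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0
maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0'
audit_policy "$SAMPLE_DEFAULTS" || echo "defaults do not meet the baseline"
```

On a client, call audit_live after sourcing the script; its exit status is non-zero when the local global policy is weaker than the baseline.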