
This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).




pwpolicy(8)               BSD System Manager's Manual              pwpolicy(8)

NAME
     pwpolicy -- gets and sets password policies

SYNOPSIS
     pwpolicy [-h]
     pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command
              command-arg
     pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command
              "policy1=value1 policy2=value2 ..."


DESCRIPTION
     pwpolicy manipulates password policies.

   Options
     -a    name of the authenticator

     -c    name of the computer account to modify

     -p    password (omit this option for a secure prompt)

     -u    name of the user account to modify

     -n    use a specific directory node; the search node is used by default.

     -v    verbose

     -h    help

   Commands
     -getglobalpolicy             Get global policies
     -setglobalpolicy             Set global policies
     -getpolicy                   Get policies for a user
     --get-effective-policy       Gets the combination of global and user policies that apply to the user.
     -setpolicy                   Set policies for a user
     -setpolicyglobal             Set a user account to use global policies
     -setpassword                 Set a new password for a user. Non-administrators can use this command to
                                  change their own passwords.
     -enableuser                  Enable a shadowhash user account that was disabled by a password policy
                                  event.
     -getglobalhashtypes          Returns the default list of password hashes stored on disk for this system.
     -setglobalhashtypes          Edits the default list of password hashes stored on disk for this system.
     -gethashtypes                Returns a list of password hashes stored on disk for a user account.
     -sethashtypes                Edits the list of password hashes stored on disk for a user account.
     -0 through -7                Shortcuts for the above commands (in order).

   Global Policies
     usingHistory                      0 = user can reuse the current password, 1 = user cannot reuse the
                                       current password, 2-15 = user cannot reuse the last n passwords.
     usingExpirationDate               If 1, user is required to change password on the date in
                                       expirationDateGMT
     usingHardExpirationDate           If 1, user's account is disabled on the date in hardExpireDateGMT
     requiresAlpha                     If 1, user's password is required to have a character in [A-Z][a-z].
     requiresNumeric                   If 1, user's password is required to have a character in [0-9].
     expirationDateGMT                 Date for the password to expire, format must be: mm/dd/yy
     hardExpireDateGMT                 Date for the user's account to be disabled, format must be: mm/dd/yy
     maxMinutesUntilChangePassword     user is required to change the password at this interval
     maxMinutesUntilDisabled           user's account is disabled after this interval
     maxMinutesOfNonUse                user's account is disabled if it is not accessed by this interval
     maxFailedLoginAttempts            user's account is disabled if the failed login count exceeds this
                                       number
     minChars                          passwords must contain at least minChars
     maxChars                          passwords are limited to maxChars

   Additional User Policies
     isDisabled                   If 1, user account is not allowed to authenticate, ever.
     isAdminUser                  If 1, this user can administer accounts on the password server.
     newPasswordRequired          If 1, the user will be prompted for a new password at the next
                                  authentication. Applications that do not support change password will not
                                  authenticate.
     canModifyPasswordforSelf     If 1, the user can change the password.

   Stored Hash Types
     CRAM-MD5         Required for IMAP.
     RECOVERABLE      Required for APOP and WebDAV. Only available on Mac OS X Server edition.
     SALTED-SHA1      The default for login window.
     SMB-LAN-MANAGER  Required for compatibility with Windows 9.x file sharing.
     SMB-NT           Required for compatibility with Windows NT/XP file sharing.


EXAMPLES
     To get global policies:

           pwpolicy -getglobalpolicy

     To set global policies:

           pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailedLoginAttempts=3"

     To get policies for a specific user account:

           pwpolicy -u user -getpolicy
           pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy

     To set policies for a specific user account:

           pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailedLoginAttempts=3"

     To change the password for a user:

           pwpolicy -a authenticator -u user -setpassword newpassword

     To set the list of hash types for local accounts:

           pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off SMB-NT on
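
     To audit a policy string against a baseline (an added example, not part of the original manual
     page): the script below parses the "policy1=value1 policy2=value2" form shown above and reports
     each policy that falls short. The thresholds and the function names policy_get, policy_num and
     audit_policy are assumptions for illustration; on a live system the string would come from
     pwpolicy -getglobalpolicy, whose output is assumed here to use the same key=value form.

```shell
#!/bin/sh
# Added example: audit a pwpolicy policy string against a baseline.
# Thresholds are illustrative assumptions, not Apple defaults.
MIN_CHARS=12      # assumed minimum password length
MAX_FAILED=10     # assumed upper bound for the lockout threshold

# policy_get "<k1=v1 k2=v2 ...>" <key>: print the value, fail if the key is absent.
# The body is a subshell so that disabling globbing (set -f) stays local.
policy_get() (
    set -f
    for pair in $1; do
        case "$pair" in
            "$2"=*) printf '%s\n' "${pair#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# policy_num: like policy_get, but an absent or non-numeric value becomes 0,
# which this audit treats as "not enforced" (assumption).
policy_num() {
    val=$(policy_get "$1" "$2") || val=0
    case "$val" in ''|*[!0-9]*) val=0 ;; esac
    printf '%s\n' "$val"
}

# audit_policy "<policy string>": print one line per finding;
# return 0 when the policy meets the baseline, 1 otherwise.
audit_policy() {
    fail=0
    n=$(policy_num "$1" minChars)
    [ "$n" -ge "$MIN_CHARS" ] || { echo "minChars=$n, want >= $MIN_CHARS"; fail=1; }
    n=$(policy_num "$1" maxFailedLoginAttempts)
    { [ "$n" -ge 1 ] && [ "$n" -le "$MAX_FAILED" ]; } ||
        { echo "maxFailedLoginAttempts=$n, want 1..$MAX_FAILED"; fail=1; }
    for key in requiresAlpha requiresNumeric usingHistory; do
        n=$(policy_num "$1" "$key")
        [ "$n" -ge 1 ] || { echo "$key=$n, want >= 1"; fail=1; }
    done
    return "$fail"
}

# Constructed sample: the values from the -setglobalpolicy example above.
SAMPLE="minChars=4 maxFailedLoginAttempts=3"
audit_policy "$SAMPLE" || echo "policy does not meet baseline"
```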


SEE ALSO
     PasswordService(8)

Mac OS X Server                13 November 2002                Mac OS X Server
