manpagez: man pages & more
man pwpolicy(8)
Home | html | info | man

pwpolicy(8)               BSD System Manager's Manual              pwpolicy(8)


NAME

     pwpolicy -- gets and sets password policies


SYNOPSIS

     pwpolicy [-h]
     pwpolicy [-v] [-a authenticator] [-p password]
              [-u username | -c computername] [-n nodename] command command-
              arg
     pwpolicy [-v] [-a authenticator] [-p password]
              [-u username | -c computername] [-n nodename] command "pol-
              icy1=value1 policy2=value2 ..."



DESCRIPTION

     pwpolicy manipulates password policies.

   Options
     -a    name of the authenticator

     -c    name of the computer account to modify

     -p    password (omit this option for a secure prompt)

     -u    name of the user account to modify

     -n    use a specific directory node; the search node is used by default.

     -v    verbose

     -h    help

   Commands
     -getglobalpolicy             Get global policies
     -setglobalpolicy             Set global policies
     -getpolicy                   Get policies for a user
     --get-effective-policy       Gets the combination of global and user
                                  policies that apply to the user.
     -setpolicy                   Set policies for a user
     -setpolicyglobal             Set a user account to use global policies
     -setpassword                 Set a new password for a user. Non-adminis-
                                  trators can use this command to change their
                                  own passwords.
     -enableuser                  Enable a user account that was disabled by a
                                  password policy event.
     -disableuser                 Disable a user account.
     -getglobalhashtypes          Returns the default list of password hashes
                                  stored on disk for this system.
     -setglobalhashtypes          Edits the default list of password hashes
                                  stored on disk for this system.
     -gethashtypes                Returns a list of password hashes stored on
                                  disk for a user account.
     -sethashtypes                Edits the list of password hashes stored on
                                  disk for a user account.
     -0 through -7                Shortcuts for the above commands (in order).

   Global Policies
     usingHistory                      0 = user can reuse the current pass-
                                       word, 1 = user cannot reuse the current
                                       password, 2-15 = user cannot reuse the
                                       last n passwords.
     usingExpirationDate               If 1, user is required to change pass-
                                       word on the date in expirationDateGMT
     usingHardExpirationDate           If 1, user's account is disabled on the
                                       date in hardExpireDateGMT
     requiresAlpha                     If 1, user's password is required to
                                       have a character in [A-Z][a-z].
     requiresNumeric                   If 1, user's password is required to
                                       have a character in [0-9].
     expirationDateGMT                 Date for the password to expire, format
                                       must be: mm/dd/yy
     hardExpireDateGMT                 Date for the user's account to be dis-
                                       abled, format must be: mm/dd/yy
     validAfter                        Date for the user's account to be
                                       enabled, format must be: mm/dd/yy
     maxMinutesUntilChangePassword     user is required to change the password
                                       at this interval
     maxMinutesUntilDisabled           user's account is disabled after this
                                       interval
     maxMinutesOfNonUse                user's account is disabled if it is not
                                       accessed by this interval
     maxFailedLoginAttempts            user's account is disabled if the
                                       failed login count exceeds this number
     minChars                          passwords must contain at least min-
                                       Chars
     maxChars                          passwords are limited to maxChars

   Additional User Policies
     isDisabled                   If 1, user account is not allowed to authen-
                                  ticate, ever.
     isAdminUser                  If 1, this user can administer accounts on
                                  the password server.
     newPasswordRequired          If 1, the user will be prompted for a new
                                  password at the next authentication. Appli-
                                  cations that do not support change password
                                  will not authenticate.
     canModifyPasswordforSelf     If 1, the user can change the password.

   Stored Hash Types
     CRAM-MD5              Required for IMAP.
     RECOVERABLE           Required for APOP and WebDAV. Only available on Mac
                           OS X Server edition.
     SALTED-SHA512-PBKDF2  The default for loginwindow.
     SALTED-SHA512         Legacy hash for loginwindow.
     SMB-NT                Required for compatibility with Windows NT/XP file
                           sharing.
     SALTED-SHA1           Legacy hash for loginwindow.
     SHA1                  Legacy hash for loginwindow.



EXAMPLES

     To get global policies:

           pwpolicy -getglobalpolicy

     To set global policies:

           pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailed-
           LoginAttempts=3"

     To get policies for a specific user account:

           pwpolicy -u user -getpolicy
           pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy

     To set policies for a specific user account:

           pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailed-
           LoginAttempts=3"

     To change the password for a user:

           pwpolicy -a authenticator -u user -setpassword newpassword

     To set the list of hash types for local accounts:

           pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off
           SMB-NT on



SEE ALSO

     PasswordService(8)

Mac OS X Server                13 November 2002                Mac OS X Server

Mac OS X 10.8 - Generated Mon Sep 3 15:32:58 CDT 2012
© manpagez.com 2000-2018
Individual documents may contain additional copyright information.