Manual Pages for UNIX Darwin command on man pwpolicy

pwpolicy(8) BSD System Manager's Manual pwpolicy(8)

NAME

ppwwppoolliiccyy - gets and sets password policies

SYNOPSIS

ppwwppoolliiccyy [-hh]

ppwwppoolliiccyy [-vv] [-aa authenticator] [-pp password]

[-uu username | -cc computername] [-nn nodename] command command-

arg

ppwwppoolliiccyy [-vv] [-aa authenticator] [-pp password]

[-uu username | -cc computername] [-nn nodename] command "pol-

icy1=value1 policy2=value2 ..."

DESCRIPTION

ppwwppoolliiccyy manipulates password policies. Options

-aa name of the authenticator

-cc name of the computer account to modify

-pp password (omit this option for a secure prompt)

-uu name of the user account to modify

-nn use a specific directory node; the search node is used by default.

-vv verbose

-hh help

CCoommmmaannddss

-ggeettgglloobbaallppoolliiccyy Get global policies

-sseettgglloobbaallppoolliiccyy Set global policies

-ggeettppoolliiccyy Get policies for a user

--ggeett-eeffffeeccttiivvee-ppoolliiccyy Gets the combination of global and user

policies that apply to the user.

-sseettppoolliiccyy Set policies for a user

-sseettppoolliiccyygglloobbaall Set a user account to use global policies

-sseettppaasssswwoorrdd Set a new password for a user. Non-adminis-

trators can use this command to change their own passwords.

-eennaabblleeuusseerr Enable a sshhaaddoowwhhaasshh user account that was

disabled by a password policy event.

-ggeettgglloobbaallhhaasshhttyyppeess Returns the default list of password hashes

stored on disk for this system.

-sseettgglloobbaallhhaasshhttyyppeess Edits the default list of password hashes

stored on disk for this system.

-ggeetthhaasshhttyyppeess Returns a list of password hashes stored on

disk for a user account.

-sseetthhaasshhttyyppeess Edits the list of password hashes stored on

disk for a user account.

-00 through -77 Shortcuts for the above commands (in order).

GGlloobbaall PPoolliicciieess

usingHistory 0 = user can reuse the current pass-

word, 1 = user cannot reuse the current

password, 2-15 = user cannot reuse the

last n passwords.

usingExpirationDate If 1, user is required to change pass-

word on the date in expirationDateGMT usingHardExpirationDate If 1, user's account is disabled on the date in hardExpireDateGMT requiresAlpha If 1, user's password is required to

have a character in [A-Z][a-z].

requiresNumeric If 1, user's password is required to

have a character in [0-9].

expirationDateGMT Date for the password to expire, format must be: mm/dd/yy

hardExpireDateGMT Date for the user's account to be dis-

abled, format must be: mm/dd/yy maxMinutesUntilChangePassword user is required to change the password at this interval maxMinutesUntilDisabled user's account is disabled after this interval maxMinutesOfNonUse user's account is disabled if it is not accessed by this interval maxFailedLoginAttempts user's account is disabled if the failed login count exceeds this number

minChars passwords must contain at least min-

Chars maxChars passwords are limited to maxChars AAddddiittiioonnaall UUsseerr PPoolliicciieess

isDisabled If 1, user account is not allowed to authen-

ticate, ever. isAdminUser If 1, this user can administer accounts on the password server. newPasswordRequired If 1, the user will be prompted for a new

password at the next authentication. Appli-

cations that do not support change password will not authenticate. canModifyPasswordforSelf If 1, the user can change the password. SSttoorreedd HHaasshh TTyyppeess

CRAM-MD5 Required for IMAP.

RECOVERABLE Required for APOP and WebDAV. Only available on Mac OS X Server edition.

SALTED-SHA1 The default for login window.

SMB-LAN-MANAGER Required for compatibility with Windows 9.x file shar-

ing.

SMB-NT Required for compatibility with Windows NT/XP file shar-

ing. EEXXAAMMPPLLEESS To get global policies:

ppwwppoolliiccyy -getglobalpolicy

To set global policies:

ppwwppoolliiccyy -a authenticator -setglobalpolicy "minChars=4 maxFailed-

LoginAttempts=3" To get policies for a specific user account:

ppwwppoolliiccyy -u user -getpolicy

ppwwppoolliiccyy -u user -n /NetInfo/DefaultLocalNode -getpolicy

To set policies for a specific user account:

ppwwppoolliiccyy -a authenticator -u user -setpolicy "minChars=4 maxFailed-

LoginAttempts=3" To change the password for a user:

ppwwppoolliiccyy -a authenticator -u user -setpassword newpassword

To set the list of hash types for local accounts:

ppwwppoolliiccyy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off

SMB-NT on