Mac Developer Library Developer
Search

 

This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.





pwpolicy(8)               BSD System Manager's Manual              pwpolicy(8)

NAME
     pwpolicy -- gets and sets password policies

SYNOPSIS
     pwpolicy [-h]
     pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command
              command-arg
     pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command
              "policy1=value1 policy2=value2 ..."


DESCRIPTION
     pwpolicy manipulates password policies.

   Options
     -a    name of the authenticator

     -c    name of the computer account to modify

     -p    password (omit this option for a secure prompt)

     -u    name of the user account to modify

     -n    use a specific directory node; the search node is used by default.

     -v    verbose

     -h    help

   Commands
     -getglobalpolicy             Get global policies
     -setglobalpolicy             Set global policies
     -getpolicy                   Get policies for a user
     --get-effective-policy       Gets the combination of global and user policies that apply to the user.
     -setpolicy                   Set policies for a user
     -setpolicyglobal             Set a user account to use global policies
     -setpassword                 Set a new password for a user. Non-administrators can use this command to
                                  change their own passwords.
     -enableuser                  Enable a user account that was disabled by a password policy event.
     -disableuser                 Disable a user account.
     -getglobalhashtypes          Returns the default list of password hashes stored on disk for this sys-tem. system.
                                  tem.
     -setglobalhashtypes          Edits the default list of password hashes stored on disk for this system.
     -gethashtypes                Returns a list of password hashes stored on disk for a user account.
     -sethashtypes                Edits the list of password hashes stored on disk for a user account.
     -0 through -7                Shortcuts for the above commands (in order).

   Global Policies
     usingHistory                      0 = user can reuse the current password, 1 = user cannot reuse the
                                       current password, 2-15 = user cannot reuse the last n passwords.
     usingExpirationDate               If 1, user is required to change password on the date in expira-tionDateGMT expirationDateGMT
                                       tionDateGMT
     usingHardExpirationDate           If 1, user's account is disabled on the date in hardExpireDateGMT
     requiresAlpha                     If 1, user's password is required to have a character in [A-Z][a-z].
     requiresNumeric                   If 1, user's password is required to have a character in [0-9].
     expirationDateGMT                 Date for the password to expire, format must be: mm/dd/yy
     hardExpireDateGMT                 Date for the user's account to be disabled, format must be: mm/dd/yy
     validAfter                        Date for the user's account to be enabled, format must be: mm/dd/yy
     maxMinutesUntilChangePassword     user is required to change the password at this interval
     maxMinutesUntilDisabled           user's account is disabled after this interval
     maxMinutesOfNonUse                user's account is disabled if it is not accessed by this interval
     maxFailedLoginAttempts            user's account is disabled if the failed login count exceeds this
                                       number
     minChars                          passwords must contain at least minChars
     maxChars                          passwords are limited to maxChars

   Additional User Policies
     isDisabled                   If 1, user account is not allowed to authenticate, ever.
     isAdminUser                  If 1, this user can administer accounts on the password server.
     newPasswordRequired          If 1, the user will be prompted for a new password at the next authentica-tion. authentication.
                                  tion. Applications that do not support change password will not authenti-cate. authenticate.
                                  cate.
     canModifyPasswordforSelf     If 1, the user can change the password.

   Stored Hash Types
     CRAM-MD5              Required for IMAP.
     RECOVERABLE           Required for APOP and WebDAV. Only available on Mac OS X Server edition.
     SALTED-SHA512-PBKDF2  The default for loginwindow.
     SALTED-SHA512         Legacy hash for loginwindow.
     SMB-NT                Required for compatibility with Windows NT/XP file sharing.
     SALTED-SHA1           Legacy hash for loginwindow.
     SHA1                  Legacy hash for loginwindow.


EXAMPLES
     To get global policies:

           pwpolicy -getglobalpolicy

     To set global policies:

           pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailedLoginAttempts=3"

     To get policies for a specific user account:

           pwpolicy -u user -getpolicy
           pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy

     To set policies for a specific user account:

           pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailedLoginAttempts=3"

     To change the password for a user:

           pwpolicy -a authenticator -u user -setpassword newpassword

     To set the list of hash types for local accounts:

           pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off SMB-NT on


SEE ALSO
     PasswordService(8)

Mac OS X Server                13 November 2002                Mac OS X Server

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.

Feedback