pwpolicy(8) System Manager's Manual pwpolicy(8)

pwpolicygets and sets password policies

pwpolicy [-h]

pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command command-arg

pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command "policy1=value1 policy2=value2 ..."

pwpolicy manipulates password policies.

name of the authenticator
name of the computer account to modify
password (omit this option for a secure prompt)
name of the user account to modify
use a specific directory node; the search node is used by default.
verbose
help

Get global policies. DEPRECATED.
Set global policies. DEPRECATED.
Get policies for a user. DEPRECATED.
Gets the combination of global and user policies that apply to the user. DEPRECATED.
Set policies for a user. DEPRECATED.
Set a new password for a user. Non-administrators can use this command to change their own passwords.
Enable a user account that was disabled by a password policy event.
Disable a user account.
Returns the default list of password hashes stored on disk for this system.
Edits the default list of password hashes stored on disk for this system.
Returns a list of password hashes stored on disk for a user account.
Edits the list of password hashes stored on disk for a user account.
Sets (replaces) the account polices for the specified user. If no user is specified, sets the global account policies. Takes one argument: the name of the file containing the policies.
Gets the account policies for the specified user. If no user is specified, gets the global account policies.
Removes all of the account policies for the specified user. If no user is specified, removes the global account policies.
Determines if the policies allow the user to authenticate

Account policies are the replacement for the deprecated legacy global and user policies. Account policies are specified as a dictionary containing three keys, one key for each policy category. Note that the dictionary is not required to contain all of the policy categories. Valid keys for the policy categories are:

policyCategoryAuthentication
Controls when a user may login/authenticate.
policyCategoryPasswordChange
Determines if/when a user is required to change their password
policyCategoryPasswordContent
Controls the set of allowable characters in a password.

Each policy category contains an array of individual policy dictionaries. Valid keys in the policy dictionary are:

policyIdentifier
A user-defined unique identifier for the policy.
policyParameters
An optional key that contains a dictionary of parameters to be used in the policy or used for display purposes.
policyContent
The actual policy string, from which an NSPredicate can be created. Any valid NSPredicate keyword may be used, as well as certain parameters from the user's record and the policy's parameters dictionary.

Below is an example account policy dictionary. Not all policy categories need be present in the dictionary.

<dict>
    <key>policyCategoryPasswordAuthentication</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributeMaximumFailedAuthentications &lt; policyAttributeFailedAuthentications</string>
            <key>policyIdentifier</key>
            <string>failed auths</string>
        </dict>
    </array>
    <key>policyCategoryPasswordChange</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * DAYS_TO_SECONDS</string>
            <key>policyIdentifier</key>
            <string>Change every 30 days</string>
            <key>policyParameters</key>
                <dict>
                <key>policyAttributeExpiresEveryNDays<key>
                <integer>30</integer>
       </dict>
    </array>
    <key>policyCategoryPasswordContent</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '.{3,}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.minChars</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumLength</key>
                <integer>3</integer>
            </dict>
        </dict>
    </array>
</dict>

The following keywords may be used in the policy content. The values from the user's record will be substitued for the keyword when the policy is evaluated. User-defined keywords may also be used, as long the keyword is present in the policy's parameters dictionary.

policyAttributePassword
User's new password.
policyAttributePasswordHashes
Hashes of the new password. Compared against the history.
policyAttributePasswordHistory
User's password history.
policyAttributePasswordHistoryDepth
How much password history to keep.
policyAttributeCurrentDate
Current date and time as an NSDate. Use for comparing localized NSDates.
policyAttributeCurrentTime
Current date and time in seconds. Used for date/time calculations, i.e. date + interval.
policyAttributeCurrentDayOfWeek
Current day of the week (integer).
policyAttributeCurrentTimeOfDay
Current time of day (0000 to 2359).
policyAttributeFailedAuthentications
Number of consecutive failed authentication attempts.
policyAttributeMaximumFailedAuthentications
Maximum allowed consecutive failed authentication attempts.
policyAttributeLastFailedAuthenticationTime
Time of the last failed authentication.
policyAttributeLastAuthenticationTime
Time of the last successful authentication.
policyAttributeLastPasswordChangeTime
Time of the last password change.
policyAttributeNewPasswordRequiredTime
Time when a new password is required.
policyAttributeCreationTime
Time when the account was created.
policyAttributeConsecutiveCharacters
Number of consecutive (i.e. run of the same) characters in a password.
policyAttributeMaximumConsecutiveCharacters
Maximum number of consectuive characters allowed in a password.
policyAttributeSequentialCharacters
Number of sequention (ascending or descending) characters in a password.
policyAttributeMaximumSequentialCharacters
Maximum allowed nmber of sequention (ascending or descending) characters in a password.
policyAttributeExpiresEveryNDays
Expires every n number of days.
policyAttributeDaysUntilExpiration
Synonym for the above.
policyAttributeEnableOnDate
Date on which the account is enabled (localized NSDate).
policyAttributeExpiresOnDate
Date on which the account will expire (localized NSdate).
policyAttributeEnableOnDayOfWeek
Day of week on which the account is enabled (integer).
policyAttributeExpiresOnDayOfWeek
Day of week on which the account will expire (integer).
policyAttributeEnableAtTimeOfDay
Time of day at which the account is enabled (integer, 0000-2359).
policyAttributeExpiresAtTimeOfDay
Time of day at which the account will expire (integer, 0000-2359).

0 = user can reuse the current password, 1 = user cannot reuse the current password, 2-15 = user cannot reuse the last n passwords.
If 1, user is required to change password on the date in expirationDateGMT
If 1, user's account is disabled on the date in hardExpireDateGMT
If 1, user's password is required to have a character in [A-Z][a-z].
If 1, user's password is required to have a character in [0-9].
Date for the password to expire, format must be: mm/dd/yy
Date for the user's account to be disabled, format must be: mm/dd/yy
Date for the user's account to be enabled, format must be: mm/dd/yy
user is required to change the password at this interval
user's account is disabled after this interval
user's account is disabled if it is not accessed by this interval
user's account is disabled if the failed login count exceeds this number
passwords must contain at least minChars
passwords are limited to maxChars

If 1, user account is not allowed to authenticate, ever.
If 1, this user can administer accounts on the password server.
If 1, the user will be prompted for a new password at the next authentication. Applications that do not support change password will not authenticate.
If 1, the user can change the password.

Required for IMAP.
Required for APOP and WebDAV. Only available on Mac OS X Server edition.
The default for loginwindow.
Legacy hash for loginwindow.
Required for compatibility with Windows NT/XP file sharing.
Legacy hash for loginwindow.
Legacy hash for loginwindow.

To get global policies:

To set global policies:

To get policies for a specific user account:

To set policies for a specific user account:

To change the password for a user:

To set the list of hash types for local accounts:

PasswordService(8)

13 November 2002 Mac OS X