macOS Server Account Lockout Policy Enforcement

In light of macOS Server removing the Account Lockout Policy Enforcement feature from the GUI, one can still apply this enforcement by way of terminal command on the Open Directory Server itself. For Example:
Set LDAP Account Policy Enforcement:

pwpolicy -a <<diradmin>> -p <<password>> -u <<username to unlock> -setpolicy "maxFailedLoginAttempts=1"

** This sets 5 password failed attempts along with 60days password reset

sudo pwpolicy -a diradmin -u edtester -setpolicy "maxMinutesUntilChangePassword=86400 maxFailedLoginAttempts=5"

Unlock account:

pwpolicy -a <<diradmin>> -p <<password>> -u <<username to unlock> -setpolicy "isDisabled=0"

Link to technical article: https://superuser.com/questions/577273/osx-server-ldap-pwpolicy-how-to-disable-a-account

Helpful links:
https://www.jamf.com/jamf-nation/discussions/14460/pwpolicy-at-single-user-mode

https://krypted.com/mac-security/programatically-setting-password-policies/

https://www.unix.com/man-page/osx/8/pwpolicy/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.