Is there any possible solution to disable a User from the CLI e.g. over SSH?
There has to be a dscl command for that. Or is there a dsAttrTypeStandard attribute that I can set accordingly?
Any pointers?
Best Answer
For all OS X accounts
pwpolicy doesn't work for local accounts on OS X client. BUT you can use the dscl command to directly edit these authentication settings. This method is guaranteed to work for user-level OS X accounts (Guest, admin and other regular accounts which you would see listed on the login window). With this approach it doesn't matter whether the account is managed with OS-X Server / LDAP account. This method also works for all OSX System Accounts (which you would otherwise disable their login shells).
Here's how:
Disable
If not already disabled, then append DisabledUser to this key's value, with a semicolon for the field separator. Excess / empty ;; fields are ignored.
Check
To check an account's enabled / disabled status:
For OSX System accounts: These accounts don't have an AuthenticationAuthority key to begin with. Therefore their enabled / disabled status is determined by whether the UserShell attribute has a valid login shell. So check the shell when AuthenticationAuthority doesn't exist.
Enable
To re-enable the user account we just remove the DisabledUser sub-string from the AuthenticationAuthority entry. We then use the dscl . -create cmd and write back the whole thing.
Get the AuthenticationAuthority credentials for all users:
System accounts: Just remember that a system account must also have a valid login shell.
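The disable, check and enable steps described in the answer above, as an added shell sketch that is not part of the original post. The function names, the list of shells treated as invalid and the handling of dscl's output for a missing key are assumptions; only the read-only wrapper calls dscl, so the string helpers can be tried on any system.

```shell
#!/bin/sh
# Added example. Pure helpers take the AuthenticationAuthority value as a string.

# Succeeds if the value carries the DisabledUser marker.
aa_is_disabled() {
    case "$1" in *DisabledUser*) return 0 ;; *) return 1 ;; esac
}

# Disable: append ;DisabledUser; unless the marker is already there.
aa_disable() {
    if aa_is_disabled "$1"; then printf '%s\n' "$1"
    else printf '%s\n' "$1;DisabledUser;"; fi
}

# Enable: drop the DisabledUser sub-string; leftover empty ;; fields are ignored.
aa_enable() {
    printf '%s\n' "$1" | sed 's/DisabledUser//g'
}

# Check: $1 = AuthenticationAuthority value ("" if the key is absent), $2 = UserShell.
# With no AuthenticationAuthority (system accounts) the shell decides.
# Assumption: an empty shell, */false and */nologin count as "no valid login shell".
account_status() {
    if [ -n "$1" ]; then
        if aa_is_disabled "$1"; then echo disabled; else echo enabled; fi
        return 0
    fi
    case "$2" in
        ""|*/false|*/nologin) echo disabled ;;
        *) echo enabled ;;
    esac
}

# macOS only, read-only: fetch both attributes with dscl and classify the account.
# Assumption: a missing key yields no value or a "No such key" message.
dscl_account_status() {
    aa=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null |
        sed 's/^AuthenticationAuthority: *//')
    case "$aa" in *"No such key"*) aa="" ;; esac
    shell=$(dscl . -read "/Users/$1" UserShell 2>/dev/null |
        sed 's/^UserShell: *//')
    account_status "$aa" "$shell"
}

# Constructed sample value, not taken from a real account.
sample=';ShadowHash;'
echo "after disable: $(aa_disable "$sample")"
```

The value produced by aa_disable or aa_enable is what would be written back with dscl . -create, as the answer describes.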