How to disable a User Account from the CLI with Mac OS X Server

mac-osx, mac-osx-server, opendirectory

Is there any possible solution to disable a User from the CLI e.g. over SSH?
There has to be a dscl command for that. Or is there a dsAttrTypeStandard attribute that I can set accordingly?

Any pointers?

Best Answer

For all OS X accounts

pwpolicy doesn't work for local accounts on OS X client. But you can use the dscl command to directly edit these authentication settings. This method is guaranteed to work for user-level OS X accounts (Guest, admin and other regular accounts which you would see listed on the login window). With this approach it doesn't matter whether the account is managed with OS X Server / LDAP. This method also works for all OS X system accounts (for which you would otherwise disable the login shell).

Here's how:

# Read the AuthenticationAuthority key
dscl . -read /Users/username AuthenticationAuthority

AuthenticationAuthority: ;Kerberosv5;; \
username@LKDC:SHA1.41BE28E3B64EB62A42D0673968B9591DE18210F5; \
LKDC:SHA1.07264456235E49D45C4B99FC9549FC366CE32343; ; \
ShadowHash;HASHLIST:<SALTED-SHA1>

Disable

If not already disabled, then append DisabledUser to this key's value, with a semicolon as the field separator. Excess / empty ; ; fields are ignored.

dscl . -append /Users/username AuthenticationAuthority ";DisabledUser;"

Check

To check an account's enabled / disabled status:

dscl . -read /Users/username AuthenticationAuthority | grep DisabledUser

For OS X system accounts: these accounts don't have an AuthenticationAuthority key to begin with. Therefore their enabled / disabled status is determined by whether the UserShell attribute has a valid login shell. So check the shell when AuthenticationAuthority doesn't exist.

Enable

To re-enable the user account we just remove the DisabledUser sub-string from the AuthenticationAuthority entry. We then use the dscl . -create command and write back the whole thing.

dscl . -read /Users/username AuthenticationAuthority | \
sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//' | \
xargs dscl . -create /Users/username AuthenticationAuthority

Get the AuthenticationAuthority credentials for all users:

dscl . -list /Users AuthenticationAuthority

System accounts: Just remember that a system account must also have a valid login shell.
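The two checks described above (DisabledUser in AuthenticationAuthority for regular accounts, the login shell for system accounts that have no such key) combined into one script. This is an added example, not the answerer's code; the list of no-login shells and the "No such key" message dscl prints for a missing attribute are assumptions.

```shell
#!/bin/sh
# account_state: classify an account as "enabled" or "disabled" from the two
# attributes the answer relies on. Arguments:
#   $1  raw output of `dscl . -read /Users/NAME AuthenticationAuthority`
#       (pass an empty string when the key does not exist)
#   $2  raw output of `dscl . -read /Users/NAME UserShell`
account_state() {
    auth="$1"
    shell_line="$2"
    # User-level account: the presence of the DisabledUser token decides.
    if [ -n "$auth" ]; then
        case "$auth" in
            *DisabledUser*) echo disabled ;;
            *)              echo enabled ;;
        esac
        return 0
    fi
    # System account: no AuthenticationAuthority, so the login shell decides.
    # Assumption: these shells (and an empty shell) count as "no login".
    shell_path="${shell_line#UserShell: }"
    for s in /usr/bin/false /sbin/nologin /usr/sbin/nologin /dev/null ""; do
        if [ "$shell_path" = "$s" ]; then
            echo disabled
            return 0
        fi
    done
    echo enabled
}

# check_account NAME: run the real dscl queries (macOS only). Assumption: dscl
# reports a missing attribute with a line starting with "No such key".
check_account() {
    auth=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null)
    case "$auth" in "No such key"*) auth="" ;; esac
    shell=$(dscl . -read "/Users/$1" UserShell 2>/dev/null)
    printf '%s: %s\n' "$1" "$(account_state "$auth" "$shell")"
}

# Constructed sample values mirroring the dscl output shown in the answer.
AUTH_ENABLED='AuthenticationAuthority: ;Kerberosv5;;user@LKDC:SHA1.X;LKDC:SHA1.Y; ;ShadowHash;HASHLIST:<SALTED-SHA1>'
AUTH_DISABLED="$AUTH_ENABLED ;DisabledUser;"

if [ $# -gt 0 ] && command -v dscl >/dev/null 2>&1; then
    check_account "$1"                                      # e.g. ./check.sh username
else
    account_state "$AUTH_DISABLED" 'UserShell: /bin/bash'   # prints "disabled"
    account_state "" 'UserShell: /usr/bin/false'            # prints "disabled"
fi
```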
