How to disable a User Account from the CLI with Mac OS X Server Yosemite with pwpolicy deprecated

mac-osx-serveropendirectoryosx-yosemite

Prior to Mac OS X Yosemite, admins were able to disable a Open Directory user by taking advantage of the pwpolicy command below:

pwpolicy -a diradmin -p password -u username -disableuser

pwpolicy -a diradmin -p password -u username -setpolicy 'isdisabled=1'

However, since updating to Yosemite, users are not actually disabled with these settings and they are deprecated in the MAN pages. Terminal will process them like they are successful, but the Server Admin GUI will still show the users as active, and they will still be able to access shared files.

According to the pwpolicy man page "Account Policies" are the replacement for the various deprecated pwpolicy commands as seen at http://www.manpagez.com/man/8/pwpolicy/. I'm having a bit of difficulty deciphering the format though. I simply need to disable a user, and I'm not finding the correct keyword setup.

Does anyone have any experience or suggestions?

Thanks!

Best Answer

In El Capitan, you can use this:

pwpolicy -u target -disableuser

To reverse

pwpolicy -u target -enableuser

Related Solutions

What commands will change Open Directory passwords

The handiest answer I've come across is to use the passwd command in conjunction with dscl. Here is the output from an interactive session (with the passwords replaced by asterices):

$ dscl -u diradmin -p ces 
Password: 
 > cd /LDAPv3/127.0.0.1/
/LDAPv3/127.0.0.1 > auth diradmin *****
/LDAPv3/127.0.0.1 > passwd Users/Atwo807 *****
/LDAPv3/127.0.0.1 > passwd Users/Atwo249 *****
/LDAPv3/127.0.0.1 > passwd Users/doesnotexist foobar
passwd: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
/LDAPv3/127.0.0.1 > exit
Goodbye

Here is a python script to make the changes. You will need the pexpect module (sudo easy_install pexpect should get it for you; I don't think you need the dev tools installed).

#!/usr/bin/env python

import pexpect

def ChangePasswords(host, path, diradmin, diradmin_password, user_passwords, record_type='Users'):
    """Changes passwords in a Open Directory or similar directory service.

    host = the dns name or IP of the computer hosting the directory
    path = the pathname to the directory (ex. '/LDAPv3/127.0.0.1')
    diradmin = the directory administrator's shortname (ex. 'diradmin')
    diradmin_password = the directory administrator's password
    user_passwords = a dictionary mapping record names (typically, user's short
                     names) onto their new password
    record_type = the sort of records you are updating.  Typically 'Users'

    Returns a tuple.  The first entry is a list of all records (users) who
        failed to update.  The second entry is a list of all records (users)
        who successfully updated.
    """

    failed_list = []
    succeeded_list = []
    prompt = " > "

    child = pexpect.spawn("dscl -u %s -p %s" % (diradmin, host))

    if not (ReplyOnGoodResult(child, "Password:", diradmin_password) and
       ReplyOnGoodResult(child, prompt, "cd %s" % path) and
       ReplyOnGoodResult(child, prompt,
                        "auth %s %s"  % (diradmin, diradmin_password)) and
       ReplyOnGoodResult(child, prompt, None)):
        print "Failed to log in and authenticate"
        failed_list = user_passwords.keys()
        return (failed_list, succeeded_list)

    # We are now logged in, and have a prompt waiting for us
    expected_list = [ pexpect.EOF, pexpect.TIMEOUT,
                     '(?i)error', 'Invalid Path', prompt ]
    desired_index = len(expected_list) - 1
    for record_name in user_passwords:        
        #print "Updating password for %s" % record_name,

        child.sendline("passwd %s/%s %s" % (record_type, record_name,
                                            user_passwords[record_name]))
        if child.expect(expected_list) == desired_index:
            #print ": Succeeded"
            succeeded_list.append(record_name)
        else:
            #print ": Failed"
            failed_list.append(record_name)
            child.expect(prompt)

    child.sendline("exit")
    child.expect(pexpect.EOF)

    return (failed_list, succeeded_list)


def ReplyOnGoodResult(child, desired, reply):
    """Helps analyze the results as we try to set passwords.

    child = a pexpect child process
    desired = The value we hope to see 
    reply = text to send if we get the desired result (or None for no reply)
    If we do get the desired result, we send the reply and return true.
    If not, we return false."""

    expectations = [ pexpect.EOF, pexpect.TIMEOUT, '(?i)error', desired ]
    desired_index = len(expectations) - 1

    index = child.expect(expectations)
    if index == desired_index:
        if reply:
            child.sendline(reply)
        return True
    else:
        return False

You can use it as follows:

# This example assumes that you have named the script given above 'pwchange.py'
# and that it is in the current working directory
import pwchange 

(failed, succeeded) = pwchange.ChangePasswords("ces", "/LDAPv3/127.0.0.1", 
     "diradmin", "******", 
     { 'Atwo807' : '*****', 'Atwo249' : '*****', 
       'Nonexist' : 'foobar', 'Bad' : 'bad' })

print failed, succeeded
['Bad', 'Nonexist'] ['Atwo249', 'Atwo807']

How to disable a User Account from the CLI with Mac OS X Server

For all OS X accounts

pwpolicy doesnt work for local accounts on OS X client. BUT You can use the dscl command to directly edit these authentication settings. This method is guaranteed to work for user-level OS X accounts (Guest, admin and other regular accounts which you would see listed on the login window). With this approach it doesn't matter whether the account is managed with OS-X Server / LDAP account. This method also works for all OSX System Accounts (which you would otherwise disable their login shells).

Here's how:

# Read the AuthenticationAuthority key
dscl . -read /Users/username AuthenticationAuthority

AuthenticationAuthority: ;Kerberosv5;; \
username@LKDC:SHA1.41BE28E3B64EB62A42D0673968B9591DE18210F5; \
LKDC:SHA1.07264456235E49D45C4B99FC9549FC366CE32343; ; \
ShadowHash;HASHLIST:<SALTED-SHA1>

Disable

If not already disabled, then append DisabledUser to this key's value. With a semicolon for the field seperator. Excess / empty ; ; fields are ignored.

dscl . -append /Users/username AuthenticationAuthority ";DisabledUser;"

Check

To check an account's enabled / disabled status:

dscl . -read /Users/username AuthenticationAuthority | grep DisabledUser

For OSX System accounts: These accounts don't have an AuthenticationAuthority key to begin with. Therefore to check their enabled / disabled status is determined by whether the UserShell attribute has a valid login shell. So check the shell when AuthenticationAuthority doesn't exist.

Enable

To re-enable the user account we just remove DisabledUser sub-string from the AuthenticationAuthority entry. We use then use the dscl . -create cmd and write-back the whole thing.

dscl . -read /Users/username AuthenticationAuthority | \
sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//' | \
xargs dscl . -create /Users/username AuthenticationAuthority

Get the AuthenticationAuthority credentials for all users:

dscl . -list /Users AuthenticationAuthority

System accounts: Just remember that a system account must also have a valid login shell.