
I have a password policy Configuration profile set on our machines that only use Local Accounts. What I am wondering is: after someone puts in the wrong password over 6 times, it disables the user. How does that work? Do they get put in a disabled users group that I can see with Directory Utility on the Mac, or what? And how do I unlock them? The only way I have found to unlock them so far is to use JAMF to change the password, which doesn't always work.

Thanks

Shawn

Any thoughts, guys?


We're also using local password policy, but using pwpolicy instead of config profiles. Everything I have found points to a bug in the pwpolicy mechanism to automatically unlock accounts after a period of time once they've been locked out. The quick and dirty way we do this is to issue a policy to clear the local password policy. This will unlock the account.

The policy "execute command" we're using is:

pwpolicy -clearaccountpolicies

After the user has been able to log back in, we re-run the policy with a script that enforces the password policy. This may or may not work for you, since you're using profiles, but it's how we do it.
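To see whether a local account has actually reached the failed-login threshold before clearing its policy, the failed-login counter that macOS keeps in the user's `accountPolicyData` attribute can be read with `dscl`. This is an added example, not from the thread or from Jamf; it assumes the attribute is a plist containing a `failedLoginCount` key, as observed on recent macOS versions, and the sample plist below is constructed so the parser can be exercised off a Mac.

```shell
#!/bin/sh
# Constructed sample of what `dscl . -read /Users/<user> accountPolicyData`
# prints on macOS (key names are an assumption, not from the original thread).
SAMPLE_POLICY_DATA='dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
 <plist version="1.0">
 <dict>
   <key>failedLoginCount</key>
   <integer>6</integer>
   <key>failedLoginTimestamp</key>
   <real>1500000000.0</real>
 </dict>
 </plist>'

# failed_login_count PLIST_TEXT -> prints the integer following the
# failedLoginCount key, or 0 when the key is absent (never locked out).
failed_login_count() {
  printf '%s\n' "$1" | awk '
    /<key>failedLoginCount<\/key>/ { want = 1; next }
    want && /<integer>/ { gsub(/[^0-9]/, ""); print; found = 1; exit }
    END { if (!found) print 0 }'
}

# locked_out COUNT THRESHOLD -> succeeds when COUNT has reached THRESHOLD
# (the thread's policy disables the user after 6 wrong passwords).
locked_out() {
  [ "$1" -ge "$2" ]
}

# report_user USER THRESHOLD -> reads the live record on a Mac and reports;
# exit 0 = below threshold, 1 = at/over threshold, 2 = no local record.
report_user() {
  data=$(dscl . -read "/Users/$1" accountPolicyData 2>/dev/null) \
    || { echo "no local record for $1"; return 2; }
  n=$(failed_login_count "$data")
  if locked_out "$n" "$2"; then
    echo "$1: $n failed logins, at or over threshold $2 (clear policy to unlock)"
    return 1
  fi
  echo "$1: $n failed logins"
  return 0
}
```

Run `report_user someuser 6` as root on the Mac; after `pwpolicy -u someuser -clearaccountpolicies` the counter is reset along with the policy.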


Hi Shawn, there is a lockout option on the MDM profile in which you can specify a timeout period if the password for the account gets put in incorrectly x number of times. However, I do not believe there is an option in MDM to lock the account out.