Posted on 10-05-2015 07:52 AM
I'm wondering if there is a way to either specifically block the "Change Password" button under Users & Groups in System Preferences, or to use a configuration profile to disable that Sys Pref pane for all users except the Admin account?
Posted on 10-05-2015 07:56 AM
You can block the whole system preference using a restrictions profile and limit to domain users only (assuming all other users are AD users?).
I haven't found a way to get more granular than that.
You'll need to be careful with the restrictions profile as it blocks a load of other stuff (just in case).
Posted on 10-05-2015 08:02 AM
Can you expound on what the bigger picture is here? Are you trying to prevent users from changing their password, ever, or just trying to prevent them from changing it in that one location?
Are these AD/LDAP accounts or local only accounts? Your picture shows a local account, but I wasn't sure if the image was just for illustration purposes only.
Posted on 10-05-2015 08:04 AM
Trying to prevent users from changing their password. We manage all the passwords and occasionally have one see that they can change it, which messes up their FileVault and Keychain, generating more problems for us.
Posted on 10-05-2015 08:16 AM
So if you're trying to prevent any password changes, and these are local accounts only, you may want to look at the pwpolicy binary. There's an option in it called canModifyPasswordforSelf which I believe, if you set it to '0', will prevent any change of their password. I'm not sure if that would also prevent password changes from an admin account or with a root command, for example, via a Casper Suite policy. I haven't done any real testing with it, but I would experiment with that command to see if it helps.
Posted on 10-05-2015 08:27 AM
Interesting, I'm going to check this out. Thanks for the tip!
Posted on 10-05-2015 09:33 AM
Hmm. Actually looking at the man page for pwpolicy under Yosemite I see that a large number of items are marked as DEPRECATED, including that one. I'm not sure if that means it no longer works, or still works, but will stop working soon, maybe even in El Capitan. Worth at least looking at though. I wonder if there's another way to manage local accounts under 10.10 and up.
More info here: https://jamfnation.jamfsoftware.com/discussion.html?id=13338
Posted on 10-05-2015 10:19 AM
Dang! I actually just saw that, the command doesn't appear to work when testing either.
Posted on 10-05-2015 10:28 AM
Yeah, seems like it requires passing a dictionary formatted file now to set any options, but it's not even clear if that old option is still viable at all. In typical Apple fashion, they just decide to pull support of a feature or features and then provide woefully inadequate documentation on how to proceed to enable them, or even if any of the original options are still possible in the OS now.
There are blog posts by people out there smarter than I basically saying their head hurts from trying to make sense of the man page for pwpolicy as of 10.10.
Oh well. You'll probably just have to block the Users & Groups preference pane in whole, which is a pretty poor solution to the issue, since it blocks them from managing their own login items as well.
Posted on 10-05-2015 11:04 AM
I've been able to still do some of the basic pwpolicy commands on Yosemite using the deprecated methods, like expiration, history, complexity, etc. I haven't tried the canModifyPasswordforSelf option though.
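To put the two pwpolicy calling conventions the thread circles around side by side, here is an added example (not code from any of the posters): the deprecated `-setpolicy "key=value ..."` form that the last reply says still works on Yosemite for expiration and complexity, and the 10.10+ `-setaccountpolicies <plist>` form that the earlier reply describes as "a dictionary formatted file". The account name, the 12-character minimum and the 90-day change interval are assumptions for illustration. Whether `canModifyPasswordforSelf` still takes effect through the legacy form is exactly what the thread could not confirm, so the example only shows how to set it and read the result back.

```bash
#!/bin/bash
# Added example: legacy vs. 10.10+ pwpolicy usage for a local account.
# User name, minimum length and expiry interval are placeholders.
set -eu

# Legacy form (marked DEPRECATED in the 10.10 man page): space-separated
# key=value pairs. Read the policy back afterwards; on 10.10+ the only way to
# know whether a given key still does anything is to test it on a throwaway
# account.
legacy_set_policy() {            # legacy_set_policy <user> "<key>=<value> ..."
  sudo pwpolicy -u "$1" -setpolicy "$2"
  sudo pwpolicy -u "$1" -getpolicy
}
# e.g. legacy_set_policy testuser "canModifyPasswordforSelf=0 minChars=12"

# 10.10+ form: a plist whose categories hold NSPredicate-style rules.
# write_account_policy <output plist> <min length> <expiry days>
write_account_policy() {
  local out="$1" minlen="$2" days="$3"
  {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
EOF
    # complexity rule: the candidate password must match this regex
    printf "      <string>policyAttributePassword matches '^.{%s,}\$'</string>\n" "$minlen"
    cat <<'EOF'
      <key>policyIdentifier</key>
      <string>Minimum length</string>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Periodic change</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
EOF
    # expiration rule: parameter referenced by the predicate above
    printf '        <integer>%s</integer>\n' "$days"
    cat <<'EOF'
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
  } > "$out"
}

apply_account_policy() {         # apply_account_policy <user> <plist>
  sudo pwpolicy -u "$1" -setaccountpolicies "$2"
  sudo pwpolicy -u "$1" -getaccountpolicies   # echoes the stored plist
}

# Usage: POLICY_USER=testuser ./pwpolicy-demo.sh  (macOS only)
if [ -n "${POLICY_USER:-}" ]; then
  plist=$(mktemp)
  write_account_policy "$plist" 12 90
  apply_account_policy "$POLICY_USER" "$plist"
fi
```

Note that the plist format only has three categories (policyCategoryPasswordContent, policyCategoryPasswordChange and policyCategoryAuthentication); they govern what a password may contain, when it must change, and authentication attempts, so they do not give you a direct replacement for canModifyPasswordforSelf. If the legacy key turns out to be dead on 10.10 and later, the only controls left are the ones in this thread: hide the pane, and keep the admin path (Jamf policy or `dscl`) as the sole way passwords get set.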