Blocking "Change Password" in Sys Prefs

ts85
New Contributor III

I'm wondering if there is a way to either specifically block the "Change Password" button under Users & Groups in System Preferences.


Or, to use a configuration profile to disable that Sys Pref pane for all users except the Admin account?

9 REPLIES

davidacland
Honored Contributor II

You can block the whole system preference using a restrictions profile and limit to domain users only (assuming all other users are AD users?).

I haven't found a way to get more granular than that.

You'll need to be careful with the restrictions profile as it blocks a load of other stuff (just in case).

mm2270
Legendary Contributor III

Can you expound on what the bigger picture is here? Are you trying to prevent users from changing their password, ever, or just trying to prevent them from changing it in that one location?
Are these AD/LDAP accounts or local only accounts? Your picture shows a local account, but I wasn't sure if the image was just for illustration purposes only.

ts85
New Contributor III

Trying to prevent users from changing their password. We manage all the passwords and occasionally have one see that they can change it, which messes up their FileVault and Keychain, generating more problems for us.

mm2270
Legendary Contributor III

So if you're to prevent any password changes, and these are local accounts only, you may want to look at the pwpolicy binary. There's an option in it called canModifyPasswordforSelf which I believe if you set to '0' will prevent any change of their password. I'm not sure if that would also prevent password changes from an admin account or with a root command, for example, via a Casper Suite policy. I haven't done any real testing with it, but I would experiment with that command to see if it helps.

ts85
New Contributor III

Interesting, I'm going to check this out. Thanks for the tip!

mm2270
Legendary Contributor III

Hmm. Actually looking at the man page for pwpolicy under Yosemite I see that a large number of items are marked as DEPRECATED, including that one. I'm not sure if that means it no longer works, or still works, but will stop working soon, maybe even in El Capitan. Worth at least looking at though. I wonder if there's another way to manage local accounts under 10.10 and up.

More info here: https://jamfnation.jamfsoftware.com/discussion.html?id=13338

ts85
New Contributor III

Dang! I actually just saw that, the command doesn't appear to work when testing either.

mm2270
Legendary Contributor III

Yeah, seems like it requires passing a dictionary formatted file now to set any options, but it's not even clear if that old option is still viable at all. In typical Apple fashion, they just decide to pull support of a feature or features and then provide woefully inadequate documentation on how to proceed to enable them, or even if any of the original options are still possible in the OS now.
There are blog posts by people out there smarter than I basically saying their head hurts from trying to make sense of the man page for pwpolicy as of 10.10.

Oh well. You'll probably just have to block the Users & Groups preference pane in whole, which is a pretty poor solution to the issue, since it blocks them from managing their own login items as well.

jkuo
Contributor

I've been able to still do some of the basic pwpolicy commands on Yosemite using the deprecated methods, like expiration, history, complexity, etc. I haven't tried the canModifyPasswordforSelf option though.