I'm wondering if there is a way to either specifically block the "Change Password" button under Users & Groups in System Preferences, or to use a configuration profile to disable that Sys Pref pane for all users except the Admin account.
You can block the whole system preference using a restrictions profile and limit to domain users only (assuming all other users are AD users?).
I haven't found a way to get more granular than that.
You'll need to be careful with the restrictions profile as it blocks a load of other stuff (just in case).
Can you expound on what the bigger picture is here? Are you trying to prevent users from changing their password, ever, or just trying to prevent them from changing it in that one location?
Are these AD/LDAP accounts or local only accounts? Your picture shows a local account, but I wasn't sure if the image was just for illustration purposes only.
Trying to prevent users from changing their password. We manage all the passwords and occasionally have one see that they can change it, which messes up their FileVault and Keychain, generating more problems for us.
So if you're to prevent any password changes, and these are local accounts only, you may want to look at the pwpolicy binary. There's an option in it called canModifyPasswordforSelf which I believe if you set to '0' will prevent any change of their password. I'm not sure if that would also prevent password changes from an admin account or with a root command, for example, via a Casper Suite policy. I haven't done any real testing with it, but I would experiment with that command to see if it helps.
Hmm. Actually looking at the man page for pwpolicy under Yosemite I see that a large number of items are marked as DEPRECATED, including that one. I'm not sure if that means it no longer works, or still works, but will stop working soon, maybe even in El Capitan. Worth at least looking at though. I wonder if there's another way to manage local accounts under 10.10 and up.
More info here: https://jamfnation.jamfsoftware.com/discussion.html?id=13338
Yeah, seems like it requires passing a dictionary formatted file now to set any options, but it's not even clear if that old option is still viable at all. In typical Apple fashion, they just decide to pull support of a feature or features and then provide woefully inadequate documentation on how to proceed to enable them, or even if any of the original options are still possible in the OS now.
There are blog posts by people out there smarter than I basically saying their head hurts from trying to make sense of the man page for pwpolicy as of 10.10.
Oh well. You'll probably just have to block the Users & Groups preference pane in whole, which is a pretty poor solution to the issue, since it blocks them from managing their own login items as well.
I've been able to still do some of the basic pwpolicy commands on Yosemite using the deprecated methods, like expiration, history, complexity, etc. I haven't tried the canModifyPasswordforSelf option though.