pwpolicy at single user mode

cmdGriggs
New Contributor II

Culprit for locking me out seems to be the legacy "minutesUntilFailedLoginReset" that seems to still be set-able with a configuration profile.

I got the dreaded "account has been disabled, contact your administrator"

The Apple guidance was not helpful in telling me to load com.apple.opendirectoryd.plist. Turns out that is not the only LaunchDaemon that is required for pwpolicy to run.

But I have a fix. It is basically like run level 3 in Linux.

# Get to single user mode then:

mount -uw / 
# mount read-write

cd /System/Library/LaunchDaemons
# It is important to cd into the LaunchDaemons directory

launchctl load $(ls | grep -iv "window")
# I know, I know, " thou shall not grep ls.. " but this will list all of the files 
# minus the GUI (loginWindow and window server) and load them

pwpolicy -clearaccountpolicies
# Clear out all the pwpolicies so you can start fresh

pwpolicy enableuser -u userName 
# Actually enable the users who were locked.

pwpolicy -getglobalpolicies 
# Just to check, should be a blank line


reboot
# **Don't** just hit CTL-D... you will anger the boot gods by doing this
# They will exact their revenge with graphics glitches and other strangeness
# A sacrificial reboot appeases them

Known working commands:
pwpolicy
dscl

Known NOT working (must be some other dependencies):
diskutil

I hope this saves someone else from needing to reimage.
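The same single-user-mode recovery as a script, added here as an example and not part of cmdGriggs' post. It replaces the `ls | grep` step with a glob and a case-insensitive filename check so odd filenames are handled safely, and assumes the LaunchDaemons directory and pwpolicy/launchctl commands the post describes; the directory path and user name are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): single-user-mode account recovery
# helper. Assumes a macOS single-user shell with /System/Library/LaunchDaemons
# present; LAUNCHDAEMONS_DIR can be overridden for testing.

LAUNCHDAEMONS_DIR="${LAUNCHDAEMONS_DIR:-/System/Library/LaunchDaemons}"

# Print the daemon plist names to load: everything in the directory except the
# loginwindow / WindowServer ones. Uses a glob and a case-insensitive match
# instead of parsing `ls` output, so spaces or odd characters in names are safe.
list_daemons() {
    dir="$1"
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue            # no match: glob stays literal, skip it
        name=$(basename "$f")
        case "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" in
            *window*) continue ;;          # skip the GUI daemons, as in the post
        esac
        printf '%s\n' "$name"
    done
}

# Load the non-GUI daemons so opendirectoryd and everything it depends on are
# running before pwpolicy is called (must run from inside the directory).
load_daemons() {
    cd "$LAUNCHDAEMONS_DIR" || return 1
    list_daemons "$LAUNCHDAEMONS_DIR" | while IFS= read -r plist; do
        launchctl load "$plist" 2>/dev/null
    done
}

# Full recovery sequence from the post: remount read-write, bring up the
# daemons, clear account policies, re-enable the locked user, then print the
# global policies (expected to be a blank line). Reboot afterwards, not Ctrl-D.
recover_user() {
    user="$1"
    [ -n "$user" ] || { echo "usage: recover_user <username>" >&2; return 1; }
    mount -uw /
    load_daemons
    pwpolicy -clearaccountpolicies
    pwpolicy enableuser -u "$user"
    pwpolicy -getglobalpolicies
}
```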


merps
Contributor III

@cmdGriggs We're using a Casper policy to clear local pwpolicy when accounts get locked out.

I have it running at startup, and it prevents the need for single user mode.

In the Files and Processes section, execute command:

pwpolicy -clearaccountpolicies

I haven't seen the need to run the enableuser piece to get logged back in.

After adding my locked-out machine to the scope, I just reboot and all is well again.

Maybe this will save you some time if you keep getting locked out.

cmdGriggs
New Contributor II

Oh yeah, once I have the machine up and on the network it is no longer a problem. I have some clients with VERY locked down networks so getting the machine able to talk to the JSS again was a challenge.

The policy approach is the best course; the above was more of an 'oh crap' recovery.

blained
New Contributor

I've been trying everything to fix my account issues. I'm pretty sure it has to do with a configuration profile that is setting the password policy. It's weird because I set the configuration profiles but didn't see the problem for a couple of days. All of a sudden I can't login, reset passwords, nothing.

Do you have any idea why pwpolicy won't work for me in single-user mode? I keep getting an error: unable to open node </Local/Defaults> and I have no idea how to fix it. Following your steps above did not help.

cmdGriggs
New Contributor II

I am assuming you are running 10.10? I have only seen that error when a /System/Library/LaunchDaemon that OD wants has not been loaded yet.

I have a few questions:
Are you sure you typed the grep statement right?

How have you fixed it in the past?

Are you using anything that automatically puts in your password? Network drives, sudo helper app, etc?

Do you have any policies that are setting password policy the old fashioned way of the command line pwpolicy exec? Conflicting pwpolicies are the most common way to lock your account like this (that I've seen).

If I had to guess... something is auto trying your password and locking your account after a few days. Check ~/Library/launch(Daemons|Agents) /Library/launch(Daemons|Agents)
and /etc/crontab for anything that might be doing this. If you got really sexy with some automounts don't forget about /etc/auto_master and check for any settings that might be trying your password.