The culprit for locking me out seems to be the legacy "minutesUntilFailedLoginReset", which still seems to be settable with a configuration profile.
I got the dreaded
"account has been disabled, contact your administrator"
The Apple guidance was not helpful in telling me to load com.apple.opendirectoryd.plist. Turns out that is not the only LaunchDaemon that is required for pwpolicy to run.
But I have a fix. It is basically like runlevel 3 in Linux.
# Get to single user mode then:
mount -uw /
# mount read-write
cd /System/Library/LaunchDaemons
# It is important to cd into the LaunchDaemons directory
launchctl load $(ls | grep -iv "window")
# I know, I know, " thou shall not grep ls.. " but this will list all of the files
# minus the GUI (loginWindow and window server) and load them
pwpolicy -clearaccountpolicies
# Clear out all the pwpolicies so you can start fresh
pwpolicy -u userName -enableuser
# Actually enable the users who were locked (the command is -enableuser, with the user given via -u; run once per locked user)
pwpolicy -getglobalpolicy
# Just to check, should be a blank line (-getglobalpolicy is the spelling in the pwpolicy man page)
reboot
# **Don't** just hit Ctrl-D... you will anger the boot gods by doing this
# They will exact their revenge with graphics glitches and other strangeness
# A sacrificial reboot appeases them
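The same procedure wrapped in shell functions, as an added example and not the original poster's commands. It keeps the poster's steps (read-write remount, load every LaunchDaemon except the GUI ones, clear the account policies, re-enable each user, reboot) but selects the daemons with find rather than by grepping ls output, and it is guarded so nothing runs unless you are on macOS. LAUNCHDAEMONS_DIR, non_gui_daemons, load_non_gui_daemons, reenable_users and recover are names chosen here; the assumption is that pwpolicy behaves as it did for the poster.

```shell
#!/bin/sh
# Added example: the single-user-mode recovery steps as functions.
# Usage from single-user mode:  . ./recover.sh && recover alice bob
# Names in this file are assumptions, not Apple's or the poster's.

LAUNCHDAEMONS_DIR="${LAUNCHDAEMONS_DIR:-/System/Library/LaunchDaemons}"

# Print the LaunchDaemon plists under $1 that can be loaded from
# single-user mode: every *.plist except those whose name contains
# "window" (loginwindow, WindowServer), matched case-insensitively.
# find prints full paths, so launchctl load does not need a cd first.
non_gui_daemons() {
    dir="$1"
    find "$dir" -maxdepth 1 -name '*.plist' ! -iname '*window*' | sort
}

# Load each selected daemon one at a time so a single failure is visible.
load_non_gui_daemons() {
    non_gui_daemons "$1" | while IFS= read -r plist; do
        launchctl load "$plist"
    done
}

# Clear the account policies, then re-enable every user named as an
# argument, and finish by showing the (expected empty) global policy.
reenable_users() {
    pwpolicy -clearaccountpolicies || return 1
    for u in "$@"; do
        pwpolicy -u "$u" -enableuser || return 1
    done
    pwpolicy -getglobalpolicy
}

# Whole procedure. Refuses to run anywhere but macOS so the example can
# be read and tested elsewhere without remounting anything.
recover() {
    [ "$(uname -s)" = Darwin ] || {
        echo "recover: run this from macOS single-user mode" >&2
        return 1
    }
    mount -uw /
    load_non_gui_daemons "$LAUNCHDAEMONS_DIR"
    reenable_users "$@" || return 1
    # Reboot afterwards rather than leaving single-user mode with Ctrl-D.
    reboot
}
```

non_gui_daemons can be run on its own first (it only lists files), which is a cheap way to see exactly what will be loaded before touching launchctl.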
Known working commands:
pwpolicy
dscl
Known NOT working (must be some other dependencies):
diskutil
I hope this saves someone else from needing to reimage.