Specifications
Setting Password Policies for Individual Users
Using Workgroup Manager, you can set password policies for user accounts whose
password type is Open Directory or Shadow Password. The password policy for a user
overrides the global password policy dened in the Authentication Settings pane of
Open Directory service in Server Admin.
The password policy for a mobile user account applies when the account is used while
the mobile computer is disconnected from the network. The password policy from the
corresponding network user account applies while the mobile computer is connected
to the network.
Administrator accounts are exempt from password policies.
To set a password policy for a user account that has an Open Directory password, you
must have administrator rights for Open Directory authentication in the directory
domain that contains the user account. This means you must authenticate as a
directory domain administrator whose password type is Open Directory.
For more information, see “Assigning Administrator Rights for Open Directory
Authentication” on page 11 5 .
Kerberos and Open Directory Password Server maintain password policies separately.
Mac OS X Server synchronizes Kerberos password policy rules with Open Directory
Password Server password policy rules.
Do not use the Options button in the Advanced pane to set up password policies for
directory domain administrators. Password policies are not enforced for administrator
accounts. Directory domain administrators must be able to change the password
policies of user accounts.
To change the password policy for a user account:
1 In Workgroup Manager, open the account you want to work with (if it is not open).
To open an account, click the Accounts button, then click the Users button. Click the
small globe icon above the list of users and choose from the pop-up menu to open
the directory domain where the user’s account resides.
Click the lock and authenticate as a directory domain administrator whose password
type is Open Directory, then select the user in the list.
2 Click Advanced, then click Options.
You can click Options only if the password type is Open Directory or Shadow Password.
3 Change password policy options, then click OK.
If you select an option that requires resetting (changing) the password, remember that
some service protocols don’t permit users to change passwords. For example, users
can’t change their passwords when authenticating for IMAP mail service.
4 Click Save.
11 2 Chapter 6 Managing User Authentication Using Workgroup Manager