
Set account password policies in Mac OS X Lion Server

Erik Eckel shows you the steps for setting password policies in Lion Server through both Workgroup Manager and the Server App.

While Mac OS X Lion Server's underlying code is reliable and secure, users aren't. The more users, the higher the likelihood of trouble. Fortunately, it's easy to configure account password policies that require users to maintain secure complex passwords.

Using Workgroup Manager

Mac server administrators can set per-user password policies by following these steps:

  1. Open Workgroup Manager.
  2. Confirm you are connected to the correct directory node:
    • Click the Workgroup Manager's globe icon to open the Directory Node menu.
    • Specify the correct directory.
    • Click OK.
    • Enter a username with directory administration privileges and click the Authenticate button.
  3. Select the user accounts for which you wish to configure account password policies.
  4. Click the Advanced tab.
  5. Click the Options button in the bottom right corner.
  6. Specify the settings you wish to enable within the provided fields.
  7. Click OK.
  8. Click Save.

The critical checkboxes and values are entered in step six above. Administrators can specify whether the user can log in (Allow the user to log in) and change the user password (Allow the user to change the password). Each option brings several additional settings. Enabling login, paradoxically, permits disabling login beginning on a specific date, after a set period of inactivity, or after a specified number of failed login attempts. When password changes are permitted, administrators can specify how many characters the password must contain, how often the password needs to be changed (in days) and whether the password must be changed at the next login.

User password settings can be adjusted individually by highlighting the respective user account within Workgroup Manager, choosing the Advanced tab, and clicking the Options button. Once password policy settings are edited or adjusted, click OK and then Save to record the changes.

Using Server App

The Server App can be used to implement password policies, too. Note, however, that existing user account settings may override global policies, at least until a user is forced to change or update a password.

Mac server administrators can configure password policies following these steps:

  1. Open Server App.
  2. Confirm you are connected to the proper directory (as described above).
  3. Choose Edit Global Password Policy from the action menu.
  4. The Edit the Global Password Policy window will appear; configure settings as desired.
  5. Click OK and Save.

The Global Password Policy editing window presents numerous options. In addition to disabling login after a specified period of activity or inactivity, on a certain date and after a predetermined number of failed login attempts, a host of password complexity criteria can be set. Administrators can force passwords to be different from account names, contain a mix of letters and numbers (and even capital letters), include special characters, be reset upon first use, meet a specific length and differ from previously used passwords. Leveraging Global Password Policy settings, administrators can also force users to change passwords at predetermined, customizable intervals.
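Both the per-user settings in Workgroup Manager and the Global Password Policy in Server App are stored in the directory, and Lion Server also exposes them on the command line through `pwpolicy`. The script below is an added example, not code from the article or from Apple: it audits the one-line `key=value` output of `pwpolicy -getglobalpolicy` against a baseline that mirrors the options discussed above (minimum length, letters, numbers, mixed case, symbols, name check, history and a 90-day change interval) and reports every setting that falls short. The key names are the Lion-era `pwpolicy` keys and are an assumption on my part, as the article only shows the GUI; the sample policy lines are constructed, and the `/LDAPv3/127.0.0.1` node and `diradmin` account in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): audit a Lion Server
# global password policy line against a baseline. Key names are the
# Lion-era pwpolicy keys (assumed; verify with `pwpolicy -getglobalpolicy`).

# Baseline: for 0/1 keys the value means "required"; for minChars and
# usingHistory it is a minimum; for the two "maximum" keys it is a ceiling.
# 129600 minutes = 90 days (pwpolicy counts the change interval in minutes).
BASELINE='minChars=12 maxFailedLoginAttempts=5 requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1 passwordCannotBeName=1 usingHistory=5 maxMinutesUntilChangePassword=129600'

# Constructed samples modelled on `pwpolicy -getglobalpolicy` output:
# a freshly installed server (every control off) and a hardened one.
DEFAULT_POLICY='usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0'
HARDENED_POLICY='usingHistory=5 canModifyPasswordforSelf=1 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=129600 maxFailedLoginAttempts=5 minChars=12 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1 newPasswordRequired=0'

# policy_value KEY LINE: print the value of KEY in a space-separated
# key=value line; return 1 (printing nothing) if the key is absent.
policy_value() {
    for tok in $2; do
        case "$tok" in
            "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# audit_policy LINE: compare LINE with BASELINE. Prints one
# "FAIL key=current (want ...)" line per shortfall; returns 0 only when
# every baseline key is satisfied.
audit_policy() {
    line=$1
    failures=0
    for want in $BASELINE; do
        key=${want%%=*}
        need=${want#*=}
        have=$(policy_value "$key" "$line") || have=0   # an absent key is "off"
        have=${have:-0}
        case "$key" in
            maxFailedLoginAttempts|maxMinutesUntilChangePassword)
                # Ceiling keys: 0 disables the control and a larger value is weaker,
                # so the policy must sit in 1..need.
                if [ "$have" -eq 0 ] || [ "$have" -gt "$need" ]; then
                    echo "FAIL $key=$have (want 1..$need)"
                    failures=$((failures + 1))
                fi ;;
            *)
                # Floor keys: boolean 1 required, or a counter of at least need.
                if [ "$have" -lt "$need" ]; then
                    echo "FAIL $key=$have (want >=$need)"
                    failures=$((failures + 1))
                fi ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Stand-alone demo over the constructed samples. On a real Lion Server the
# input would come from (node path and admin name are placeholders):
#   pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -getglobalpolicy
# the baseline is applied with:
#   pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -setglobalpolicy "$BASELINE"
# and the per-user "change at next login" flag from Workgroup Manager with:
#   pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -u someuser -setpolicy "newPasswordRequired=1"
echo "== default policy =="
audit_policy "$DEFAULT_POLICY" || echo "default policy does not meet the baseline"
echo "== hardened policy =="
audit_policy "$HARDENED_POLICY" && echo "hardened policy meets the baseline"
```

Note that two of the keys are checked as ceilings rather than floors: a lockout threshold of 0 means lockout is off and a threshold of 50 is weaker than 5, and the same holds for the change interval, so a plain "greater than or equal" comparison would pass exactly the settings an administrator wants flagged.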

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

1 comment
ansona4

Erik, thanks for the article. I've been able to find all of these password policy options in both Workgroup Manager and the Server App. I cannot, however, find an option to force the user to change their password on next login. If I check the box to force the user to change their password on first login, it only works if they have never signed into their account before. I feel like this is a pretty basic feature that would be included in a server environment and I may be just missing it. Any suggestions? - Anson