Set sound password policies in Mac OS X Server

Erik Eckel explains how to use Mac OS X Server's Workgroup Manager and the Server Admin console to set strong password policies.

Enterprise Mac administrators should find it easy to configure secure password policies. Mac OS X Server's Workgroup Manager enables configuring user account settings, including password policies, for one or many users. The Server Admin console, meanwhile, enables configuring global password policies.


Which password policy takes priority? Specific user account settings, configured using Workgroup Manager, typically take precedence. Such a strategy enables administrators to set global password policies using Server Admin but make single exceptions using Workgroup Manager.

For example, suppose the global password policy requires only eight-character passwords that must be reset every six months, but the organization has a few users who frequently work with sensitive information. Exceptions can be set for them: using Workgroup Manager, administrators can select those specific users and require 12-character passwords that must be changed every two weeks.

Administrators, notably, are exempt from both types of password policies.

Set account password policies using Workgroup Manager

To configure user account password settings using Workgroup Manager, administrators should:

  1. Open Workgroup Manager.
  2. Highlight the user account within the user name column.
  3. Click the Advanced button.
  4. Set password policies using the supplied options.
  5. Click OK to update the password settings.

In addition to disabling login on a specific date, administrators can configure a user account to become inactive after a set number of inactive days or after a predetermined number of failed login attempts. Administrators can also prevent users from changing their password, specify the number of characters the password must include and require the password be changed at certain customizable intervals.

Set account password policies using Server Admin

To configure global password policies using the Server Admin console, administrators should:

  1. Open Server Admin.
  2. Select the server that serves as the Open Directory master.
  3. Highlight Open Directory.
  4. Click the Settings gear icon in the tool bar.
  5. Click the Policies tab.
  6. Select the Passwords tab.
  7. Specify the password policies to be used.
  8. Click Save.

In addition to all the password restrictions Workgroup Manager supports, the Server Admin password window can require that the password differ from the user account name, contain a letter and/or a number, and contain a mix of uppercase and lowercase letters.
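
The precedence rules and password restrictions described above can be modelled in a few lines. This is an added example, not Apple's code or part of the original article; the field names, the field-by-field override, the case-insensitive name comparison and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Policy:                      # hypothetical field names, not pwpolicy keys
    min_chars: int = 0
    max_age_days: Optional[int] = None
    differ_from_name: bool = False
    require_letter: bool = False
    require_number: bool = False
    require_mixed_case: bool = False

def effective_policy(global_policy, user_overrides, is_admin):
    """Return the policy that applies to one account, or None if exempt."""
    if is_admin:
        return None                # administrators are exempt from both types
    # Assumption: only the fields set for the user replace the global values.
    return replace(global_policy, **user_overrides)

def violations(password, account_name, policy):
    """List the rules a candidate password breaks under the given policy."""
    if policy is None:
        return []
    problems = []
    if len(password) < policy.min_chars:
        problems.append("too short")
    # Assumption: the name check ignores case.
    if policy.differ_from_name and password.lower() == account_name.lower():
        problems.append("same as account name")
    if policy.require_letter and not any(c.isalpha() for c in password):
        problems.append("no letter")
    if policy.require_number and not any(c.isdigit() for c in password):
        problems.append("no number")
    mixed = any(c.islower() for c in password) and any(c.isupper() for c in password)
    if policy.require_mixed_case and not mixed:
        problems.append("no mixed case")
    return problems

# Constructed values following the article's example: eight characters and a
# six-month reset globally (about 182 days), 12 characters and two weeks for
# users who handle sensitive information.
GLOBAL = Policy(min_chars=8, max_age_days=182, differ_from_name=True,
                require_letter=True, require_number=True, require_mixed_case=True)
SENSITIVE_USER = {"min_chars": 12, "max_age_days": 14}

if __name__ == "__main__":
    for name, overrides, admin in [("jdoe", {}, False),
                                   ("asmith", SENSITIVE_USER, False),
                                   ("root", SENSITIVE_USER, True)]:
        policy = effective_policy(GLOBAL, overrides, admin)
        print(name, violations("Summer2024", name, policy))
```

The same ten-character password passes the global policy, fails the 12-character exception, and is not checked at all for an administrator account.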

Passwords key to security

Because passwords are common to every user, and because passwords are so frequently used (users are required to enter them possibly multiple times each day), password complacency often arises. Administrators must guard against nonchalance, especially when it comes to security.

Configuring strong password policies helps ensure users don't take passwords for granted and set insecure passphrases that fail to adequately protect systems, data, and networks. But policies are not foolproof. Administrators must remember that policies are limited in their effectiveness by user behavior, and must discourage users from writing passwords on paper or keeping them near their workstations. Humans are, well, human. As such, they're only one ill-advised and poorly posted Post-it away from negating the effects of a well-thought-out and well-administered password policy.