How can I disable a User Account from the CLI with Mac OS X Server?

Is there any possible solution to disable a User from the CLI e.g. over SSH? There has to be a dscl command for that. Or is there a dsAttrTypeStandard attribute that I can set accordingly?

Any pointers?


Solution 1:

For all OS X accounts

pwpolicy doesn't work for local accounts on OS X client. But you can use the dscl command to directly edit these authentication settings. This method is guaranteed to work for user-level OS X accounts (Guest, admin and other regular accounts which you would see listed on the login window). With this approach it doesn't matter whether the account is managed with OS X Server / LDAP. This method also works for all OS X system accounts (for which you would otherwise disable their login shells).

Here's how:

# Read the AuthenticationAuthority key
dscl . -read /Users/username AuthenticationAuthority

AuthenticationAuthority: ;Kerberosv5;; \
username@LKDC:SHA1.41BE28E3B64EB62A42D0673968B9591DE18210F5; \
LKDC:SHA1.07264456235E49D45C4B99FC9549FC366CE32343; ; \
ShadowHash;HASHLIST:<SALTED-SHA1>

Disable

If not already disabled, then append DisabledUser to this key's value, with a semicolon as the field separator. Excess / empty ; ; fields are ignored.

dscl . -append /Users/username AuthenticationAuthority ";DisabledUser;"

Check

To check an account's enabled / disabled status:

dscl . -read /Users/username AuthenticationAuthority | grep DisabledUser

For OS X system accounts: These accounts don't have an AuthenticationAuthority key to begin with. Therefore their enabled / disabled status is determined by whether the UserShell attribute has a valid login shell. So check the shell when AuthenticationAuthority doesn't exist.

Enable

To re-enable the user account we just remove the DisabledUser sub-string from the AuthenticationAuthority entry. We then use the dscl . -create command and write back the whole thing.

dscl . -read /Users/username AuthenticationAuthority | \
sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//' | \
xargs dscl . -create /Users/username AuthenticationAuthority

Get the AuthenticationAuthority credentials for all users:

dscl . -list /Users AuthenticationAuthority

System accounts: Just remember that a system account must also have a valid login shell.

Solution 2:

This works in 10.5 and 10.6 on LDAP/OD accounts:

pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"

Or for local accounts:

sudo dscl . -create /Users/ajohnson UserShell /usr/bin/false

Replace ajohnson with the short username of the user you wish to disable.

To re-enable simply set "isDisabled=0" instead of 1. Or in the case of local accounts, set the shell to any shell in /etc/shells.

The pwpolicy example is from page 62 of the User Management documentation (Snow Leopard) or page 106 of the Command Line Administration manual (Leopard).

Solution 3:

We have some OSX clients authenticating from a Linux LDAP server. What worked for me was setting a user's loginShell attribute to /usr/bin/false. This seems to prevent both SSH and graphical logins.