
Disable a user's account without deleting it System
I was looking for a way to disable (but not delete) a user's login account in 10.4. An older hint explained how to do this using NetInfo Manager to prepend an asterisk (*) to the password hash, but this approach no longer works with shadowed passwords (where each hash is stored in a separate protected file).

I found the solution in the Open Directory documentation. To disable a user account in 10.4 (probably 10.3 as well), prepend ;DisabledUser; to the existing authentication_authority value (which is usually ;ShadowHash; or some variant). The old value can also be enclosed in angle brackets. For example, either of the following is a valid AA value:
  ;DisabledUser;;ShadowHash;
  ;DisabledUser;<;ShadowHash;>
Once you've done so, the account no longer appears in the list of users on the login screen, nor can that user log in remotely (e.g. via ssh). I haven't looked to see what other implications disabling has (e.g. whether remote files can be accessed via Samba). To re-enable the account, simply restore the original authentication_authority value by removing the ;DisabledUser; string and any angle brackets around the old value. I went ahead and cobbled up this short Perl script to automate the process. Remember to make it executable (chmod a+x scriptname).

[robg adds: I haven't tested this one...]
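The value transformation the hint describes, as an added shell example (this is not the author's Perl script, which is not reproduced on this page). The function names are hypothetical, the sample values are constructed, and the functions work on one authentication_authority value passed as a string; reading and writing the attribute in the directory is left out.

```shell
#!/bin/sh
# Added example: string transforms on ONE authentication_authority value.
# Function names are hypothetical; nothing here touches the directory itself.

# True when the value already carries the disable marker.
aa_is_disabled() {
    case "$1" in
        ';DisabledUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prepend the marker. Idempotent, so running it twice never stacks a second
# marker that a single re-enable would leave behind.
aa_disable() {
    if aa_is_disabled "$1"; then
        printf '%s\n' "$1"
    else
        printf ';DisabledUser;%s\n' "$1"
    fi
}

# Remove the marker and, if the old value was wrapped as <old>, the wrapper.
# Only a value that both starts with '<' and ends with '>' is unwrapped, so a
# variant that merely ends in '>' keeps its own brackets.
aa_enable() {
    if ! aa_is_disabled "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    rest=${1#';DisabledUser;'}
    case "$rest" in
        '<'*'>') rest=${rest#'<'}; rest=${rest%'>'} ;;
    esac
    # Refuse to write back an empty value: the original was lost.
    [ -n "$rest" ] || { echo "no original value after marker" >&2; return 1; }
    printf '%s\n' "$rest"
}

# Constructed samples: enabled, the hint's two disabled forms, and a
# variant whose own text ends in an angle bracket.
for v in ';ShadowHash;' ';DisabledUser;;ShadowHash;' \
         ';DisabledUser;<;ShadowHash;>' ';DisabledUser;;ShadowHash;X:<Y>'; do
    printf '%s  ->  %s\n' "$v" "$(aa_enable "$v")"
done
```

Keeping the disable step idempotent matters when the change is scripted: a doubled marker would survive one re-enable and leave the account locked.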

Disable a user's account without deleting it
Authored by: joshturse on Nov 14, '05 10:43:31AM

The same thing can be accomplished using the Server Admin tools (even on client Tiger installs): http://www.apple.com/support/downloads/serveradmintools104.html



Disable a user's account without deleting it
Authored by: ifroguin on Nov 15, '05 05:08:20PM

This might be a dumb question, but how do I get the server admin tools to work on tiger client? Everything is grayed out and it tells me there is no server available on my machine...



Disable a user's account without deleting it
Authored by: housemaister on Nov 16, '05 12:51:18AM

You can also use the Workgroup Manager.app to modify the user database on client machines.



Disable a user's account without deleting it
Authored by: frotzboy on Nov 16, '05 07:38:21PM

Ah, cool. I saw lots of stuff about the server admin tools when digging into this, particularly Workgroup Manager, but it wasn't clear whether they worked for client, nor did I see the download ref. Thanks.



Disable a user's account without deleting it
Authored by: Rob the R on Nov 14, '05 07:43:17PM
Thanks for the hint! But the link to the older hint is not the right one. Use this link instead.

Disable a user's account without deleting it
Authored by: mshmgi on Nov 15, '05 06:39:21AM

Maybe I'm a bit of a simpleton ... but why not just change the user's password?



Disable a user's account without deleting it
Authored by: gshenaut on Nov 15, '05 07:14:12AM

That's what I was thinking, but that wouldn't remove the account from the login window. But if you were going to change the password, one thing you could do is to change it to a random string of characters, not keeping the string. That way, only a superuser could turn it around, by changing the password to something more reasonable.

I bet someone could even make a utility to "randomize" someone's password that way, creating an inaccessible, but otherwise normal-appearing account, something that could conceivably be a useful alternative to the "Disabled" flag in the hint.

Greg Shenaut



Disable a user's account without deleting it
Authored by: romulis on Nov 16, '05 01:35:29PM

If it really works, disabling the account should be better than just changing the password.

For example: If the user has an ssh key set up - they can log in without using the local password, so changing the password doesn't really help. (Of course, the GUI login would be blocked though.) It all depends on the people you're dealing with :-)

I didn't know that OS X actually provides a way to disable accounts - it would be interesting to see what it really does (also haven't tested it :-) (i.e. if it would still be possible to start processes with that person's uid etc.)



Disable a user's account without deleting it
Authored by: frotzboy on Nov 16, '05 07:35:12PM

Actually this is for the family computer, where my kids' access can be temporarily suspended for a variety of transgressions. Disabling the account is better than modding pwds since it's unambiguous (for certain violations I just shut off the account without further comment or warning, they know why) and easily reversible (I can reenable the account without having to go through a password change cycle).



Disable a user's account without deleting it
Authored by: akinspe on Nov 21, '05 08:57:59PM

A far easier (and probably less dangerous) way would be to use the pwpolicy command:

pwpolicy -u shortname -setpolicy isDisabled=1

Use:
pwpolicy -u shortname -setpolicy isDisabled=0

To restore. You'll need to be an admin to change this. man pwpolicy for more user info goodness.


