Disable a user's account without deleting it

Nov 14, '05 06:11:00AM

Contributed by: frotzboy

I was looking for a way to disable (but not delete) a user's login account in 10.4. An older hint explained how to do this using NetInfo Manager to prepend an asterisk (*) to the password hash, but this approach no longer works with shadowed passwords (where each hash is stored in a separate protected file).

I found the solution in the Open Directory documentation. To disable a user account in 10.4 (probably 10.3 as well), prepend ;DisabledUser; to the existing authentication_authority value (which is usually ;ShadowHash; or some variant). The old value can also be enclosed in angle brackets. For example, either of the following is a valid AA value:

  ;DisabledUser;;ShadowHash;
  ;DisabledUser;<;ShadowHash;>

Once you've done so, the account no longer appears in the list of users on the login screen, nor can that user log in remotely (e.g. via ssh). I haven't looked to see what other implications disabling has (e.g. whether remote files can be accessed via Samba).

To re-enable the account, simply restore the original authentication_authority value by removing the ;DisabledUser; string and any angle brackets around the old value.

I went ahead and cobbled up this short Perl script to automate the process. Remember to make it executable (chmod a+x scriptname).

[robg adds: I haven't tested this one...]
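
The value rewrite described above, as an added shell example (not the contributor's Perl script, and not code from the original hint). The function names are hypothetical and the sample values are constructed from the two forms shown in the hint; reading and writing the attribute itself is left to whatever directory tool you use.

```sh
#!/bin/sh
# Added example: pure string transforms on an authentication_authority (AA)
# value. Nothing here touches the directory; function names are hypothetical.

TAG=';DisabledUser;'

# Succeeds (exit 0) if the AA value already starts with ;DisabledUser;
aa_is_disabled() {
    case "$1" in
        "$TAG"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the disabled form of an AA value (plain form, no angle brackets).
# Idempotent: an already-disabled value is printed unchanged.
# Assumption of this example: an empty value is refused, because the hint
# only describes prepending to an existing value.
aa_disable() {
    [ -n "$1" ] || { echo "empty authentication_authority" >&2; return 1; }
    if aa_is_disabled "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s%s\n' "$TAG" "$1"
    fi
}

# Print the original AA value: strip the ;DisabledUser; prefix and, if the
# old value was wrapped in angle brackets, strip those as well.
# A value that is not disabled is printed unchanged.
aa_enable() {
    v=$1
    if ! aa_is_disabled "$v"; then
        printf '%s\n' "$v"
        return 0
    fi
    v=${v#"$TAG"}
    case "$v" in
        '<'*'>') v=${v#'<'}; v=${v%'>'} ;;
    esac
    printf '%s\n' "$v"
}
```

Because aa_disable is idempotent, running it twice against the same account does not stack prefixes, so a single aa_enable always gets back to the original value.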

Mac OS X Hints
http://hints.macworld.com/article.php?story=20051109195739851