HT203114: If you accidentally lock out an admin in macOS Server

chrisfel

Q: Locked out and command hanging

/usr/bin/pwpolicy -n /Local/Default clearaccountpolicies hangs for a long time. How long should I have to wait? To give some background, I accidentally set the user permissions for my local account to services only in the OS X Server app. Now I am locked out of my laptop!

Posted on Dec 18, 2014 10:35 AM


  • by forappie, Dec 27, 2014 7:55 AM in response to chrisfel

    Level 1 (29 points)
    Mac OS X

    I had the same issue and I suspect it is because we have other OD nodes than the one listed in Apple's article (HT203114).

    All my Yosemite accounts were locked out due to a 'rogue' password policy coming from my home (Mavericks) server (all accounts got disabled at the same time after 1 or 2 restarts/logins). To access an admin account on the machine where you have problems, try the following:

    1. Enable root (start up in recovery mode by pressing Command-R during start-up, then a) go into Terminal b) issue the 'reset password' command c) specify a password for the 'System Administrator (root)' user)
    2. Restart, log in as root and create a new admin user in the 'Users & Groups' system preferences
    3. Restart and log in with the new admin account
    4. Disable root: a) go to Users & Groups b) unlock the panel with admin c) click 'Login Options' d) Edit/Join Network Account Server e) Open Directory Utility f) unlock again g) Edit menu --> Disable Root User h) quit Directory Utility and Users & Groups
    5. Open a Terminal window
    6. Issue 'sudo /usr/bin/pwpolicy clearaccountpolicies', i.e. without specifying the OD node. I hoped it would use the active node and it worked for me. The command returns almost immediately with 'Clearing global account policies'

    One other successful way for me to enable accounts again was by running the Yosemite installer again. This disabled the 'rogue' password policy for 1 or 2 logins and made all accounts available again. My problems are described in greater detail in 'After upgrading to Yosemite all accounts disabled'. When I'm convinced the problems have been resolved I'll post the solution.

    Success
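
A wrapper around step 6 of the reply above, as an added example that is not part of the original thread or of Apple's article: it saves the global account policy to a file before clearing it, so the password policy can be reviewed afterwards, and then checks that the clear took effect. It assumes pwpolicy's `getaccountpolicies` verb may print a status line before the plist; the `PWPOLICY` variable, the function names and the backup path are hypothetical.

```shell
#!/bin/sh
# Added example: back up the global account policy, clear it, verify the result.
# Run as root. PWPOLICY can be overridden (hypothetical knob, used for testing).
PWPOLICY="${PWPOLICY:-/usr/bin/pwpolicy}"

# dump_global_policy FILE
# Saves the global policy plist to FILE, dropping any status line before the XML.
# Returns 0 if a policy was saved, 1 if none is set, 2 if pwpolicy failed.
dump_global_policy() {
    out=$("$PWPOLICY" getaccountpolicies 2>/dev/null) || return 2
    printf '%s\n' "$out" | sed -n '/<?xml/,$p' > "$1"
    [ -s "$1" ] || { rm -f "$1"; return 1; }
    return 0
}

# backup_and_clear FILE
# Returns 0 on success (or nothing to clear), 2-4 on the failures named below.
backup_and_clear() {
    rc=0
    dump_global_policy "$1" || rc=$?
    case $rc in
        0) echo "Saved global policy to $1" ;;
        1) echo "No global account policy is set; nothing to clear"; return 0 ;;
        *) echo "getaccountpolicies failed; not clearing" >&2; return 2 ;;
    esac
    # Same call as step 6: no -n node, so the active node is used.
    "$PWPOLICY" clearaccountpolicies || return 3
    # Verify: a second dump should now find no policy.
    rc=0
    dump_global_policy "$1.after" || rc=$?
    if [ "$rc" -ne 1 ]; then
        echo "A global policy is still present after clearing" >&2
        rm -f "$1.after"
        return 4
    fi
    echo "Global policy cleared; backup kept at $1"
}

# Usage (constructed path): backup_and_clear /var/root/global-policy-backup.plist
```

Keep the saved plist readable by root only, since it documents the password policy that was in force.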