
Any issue and/or advice with activation of global password policy (10.9 OS X Server)?

Hi Pro,


I have an OD domain (10.9.1 server) with 20 users on mobile account (10.9.1 OS X) authentication. I’d like to enable a global password policy, and I'm curious what actually happens when I add some policy in Server Admin > Open Directory > gear > edit global password policy?


If I set a "reset every 45 days" option, is that from the time the policy is enabled, or from the time the user account was created?


Any issue with Keychain?


If I set a "must have one letter" or "numeric character", etc., and the user doesn't currently have a password that matches these criteria, will they be forced to set a new password immediately, or the next time one is initiated, or will the account be disabled?


I'm just trying to prevent any bad experience for the users.



Thanks

OS X Server

Posted on Feb 11, 2014 6:49 PM

Question marked as Best reply

Posted on Feb 12, 2014 12:46 AM

Hi,


The 45 days will start from the moment you enable that setting for all active users, and will start whenever you create a new OD user.

There won't be any issues with Keychain; it will be updated when a new password is set. On that specific day when they log in or restart, they need to choose a new password. Keychain will update automatically.


The new policy will start working after the 45 days have been set. After 45 days that policy will be enforced, not before; users can continue to work with a less secure password. About 10 days before that deadline or earlier they will get an option in their login screen to renew their password because it will inform them it will expire soon.


You might want to notify all users of a new password policy when you set it and then inform them again about a week before it will expire. That will ensure a smooth transition...

Good luck!


Jeffrey


Feb 12, 2014 12:46 AM in response to Rich_ClickPom
