If you accidentally lock out an admin in macOS Server

Global policies apply to both admin users and regular users in macOS. Be careful when you set your policies so that you don't inadvertently lock out admin users.

Use these steps to unlock affected user accounts, including admin users.

If you lock out an Open Directory admin

In Terminal, use this command: 

sudo pwpolicy -n /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi clearaccountpolicies

If you lock out a local admin

  1. Start the computer in single user mode. To start in single user mode, hold Command-S at startup.
  2. Use the following commands to remove the global password policy when the shell prompt appears:
    /sbin/fsck -fy
    
    /sbin/mount -uw /
    
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
    
    /usr/bin/pwpolicy -n /Local/Default clearaccountpolicies
    
  3. After entering the commands, press Control-D to restart the computer normally.
Published Date: