The password policy may be modified with the pwpolicy command-line tool, or by installing a profile containing the Password Policy payload.
Password policies seem to be stored as directory records. Attempting to access password policies on an Active Directory node results in:
Error: Operation is not supported by the directory node.
/usr/bin/pwpolicy -getglobalpolicy will show some of the values applied by the payload.
/usr/bin/pwpolicy -n /Local/Default -getaccountpolicies will show password policies for the local directory.
Policies that have been created by profiles have a special value for policyIdentifier.
The identifier is generated from the PayloadUUID that created the policy, for example:
- The PayloadUUID might be
- The Payload sets maxPINAgeInDays.
- The resulting identifier is
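An added example, not part of the original page: a Python audit helper that parses captured pwpolicy -getaccountpolicies output and flags policies whose policyIdentifier is not in a reviewed baseline, which is one way to spot policies introduced by a profile. It assumes the command prints a status line followed by an XML property list whose category keys hold arrays of policy dictionaries. The sample output, identifiers, parameter values and function names are constructed for illustration.

```python
import plistlib

# Constructed sample standing in for the output of
# `pwpolicy -n /Local/Default -getaccountpolicies`. Assumption: a status line
# followed by an XML property list. Identifiers are placeholders, not real values.
SAMPLE_OUTPUT = """Getting account policies (constructed sample)
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyIdentifier</key><string>PLACEHOLDER-PROFILE-IDENTIFIER</string>
      <key>policyParameters</key>
      <dict><key>maxPINAgeInDays</key><integer>90</integer></dict>
    </dict>
  </array>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyIdentifier</key><string>PLACEHOLDER-BASELINE-IDENTIFIER</string>
      <key>policyParameters</key>
      <dict><key>minimumLength</key><integer>12</integer></dict>
    </dict>
  </array>
</dict>
</plist>
"""

def parse_account_policies(text):
    """Return (category, identifier, parameters) for every policy in the output."""
    start = text.find("<?xml")
    if start == -1:
        # e.g. the "Operation is not supported by the directory node" error
        raise ValueError("no property list in output")
    plist = plistlib.loads(text[start:].encode("utf-8"))
    rows = []
    for category, entries in plist.items():
        if not isinstance(entries, list):
            continue
        for entry in entries:
            rows.append((category, entry.get("policyIdentifier"),
                         entry.get("policyParameters", {})))
    return rows

def unexpected_policies(rows, baseline_identifiers):
    """Policies whose identifier is not in the reviewed baseline set."""
    return [row for row in rows if row[1] not in baseline_identifiers]
```

Feed it the saved command output from a managed Mac and a set of identifiers you have already reviewed; anything returned by unexpected_policies deserves a look at which profile installed it.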