pwpolicy subcommands

Learn about the pwpolicy subcommands.

list-pwpolicy

You can view both group-level and user password policies by running the apusermgmt list-pwpolicy command.

apusermgmt list-pwpolicy -h | [-g Admin|User] [--user username]
-h
Displays help for the command.
-g | --globalrole {Admin | User}
Optional.

Specifies the global role and displays the group-level password policy.

--user username
Optional.

Specifies the username and displays which group policy is in effect for that user.

add-pwpolicy

You can add a password policy by running the apusermgmt add-pwpolicy command.

apusermgmt add-pwpolicy -h | -g {Admin | User} [--minlife pwd_min_lifetime] 
[--history pwd_in_history] [--minclasses pwd_min_classes] 
[--minlength pwd_min_length] [--lockouttime pwd_lock_out_duration] 
[--maxfail pwd_max_failure] [--maxlife pwd_max_lifetime] [--failinterval pwd_failure_count_interval]

modify-pwpolicy

You can modify an existing password policy by running the apusermgmt modify-pwpolicy command.

apusermgmt modify-pwpolicy -h | -g {Admin | User} [--minlife pwd_min_lifetime] 
[--history pwd_in_history] [--minclasses pwd_min_classes] 
[--minlength pwd_min_length] [--lockouttime pwd_lock_out_duration] 
[--maxfail pwd_max_failure] [--maxlife pwd_max_lifetime] 
[--failinterval pwd_failure_count_interval]
-h
Displays help for the commands.
-g | --globalrole {Admin | User}
Required for both add-pwpolicy and modify-pwpolicy.

Specifies the global role for a group-level password policy. You can choose between Admin and User global roles.

--minlife pwd_min_lifetime
Optional.

Sets the minimum period of time, in hours, that a password must be in effect before you can change it. This can prevent a user from changing a password and then immediately changing it to the original value. The default value is 1 hour. After you change the passwords, you must wait for at least 1 hour before you can change them again.

--history pwd_in_history
Optional.
Sets the number of previous passwords that are stored and that you are prevented from reusing. For example, if the parameter is set to 10, the system prevents you from reusing any of your previous 10 passwords. The default value is 0. This value disables password history.
Note: Even with password history set to 0, you cannot reuse your current password.
--minclasses pwd_min_classes
Optional.
Sets the number of different character classes that you must use in the password. The character classes are:
  • Uppercase characters
  • Lowercase characters
  • Digits
  • Special characters, such as a comma, a period, or an asterisk
Using a character three or more times in a row decreases the character class count by one.

Secret1 has 3 character classes: uppercase, lowercase, and digits.

Secret111 has 2 character classes: uppercase, lowercase, and digits, minus a penalty of 1 for repeating the character 1.

Note: The default number of required classes is 0. This means there are no required classes. There can be a maximum of 4 character classes.
--minlength pwd_min_length
Optional.

Sets the minimum number of characters for a password. The default value is 8 characters, meaning you cannot use passwords shorter than 8 characters. The maximum number of characters you can use is 20.

--lockouttime pwd_lock_out_duration
Optional.

Specifies the period, in seconds, for which your account is locked after you reach the maximum number of failures when entering a password. The default lockout duration is 600, meaning that if your account is locked, you are unable to log in for 10 minutes.

--maxfail pwd_max_failure
Optional.

Specifies the maximum number of consecutive failures when inputting the password before your account is locked. The default value is 6, meaning the system locks your account when you enter a wrong password 7 times in a row.

--maxlife pwd_max_lifetime
Optional.

Sets the maximum period of time, in days, that your password can be in effect before you must change it. The default value is 90 days. User passwords are valid only for 90 days.

--failinterval pwd_failure_count_interval
Optional.

Specifies the period, in seconds, that must elapse after a failed login attempt before the failure counter resets. The count of failed attempts is cleared automatically once this period passes. The default value is 60.
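
The class-counting rule described under --minclasses, together with the --minlength limits, written out as an added Python example (not the product's own code). It assumes that any character outside uppercase, lowercase, and digits counts as special and that the repeat penalty is applied once per password; the function names are hypothetical.

```python
import string

MAX_LENGTH = 20  # from the page: longest password allowed


def has_triple_repeat(password):
    """True if any character appears three or more times in a row."""
    return any(a == b == c
               for a, b, c in zip(password, password[1:], password[2:]))


def count_classes(password):
    """Effective character-class count as described for --minclasses."""
    alnum = string.ascii_letters + string.digits
    present = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        # Assumption: any character outside the three sets above is special.
        any(c not in alnum for c in password),
    ]
    classes = sum(present)
    # Assumption: the repeat penalty is applied once per password.
    if has_triple_repeat(password):
        classes -= 1
    return max(classes, 0)


def check_password(password, minlength=8, minclasses=0):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < minlength:
        problems.append("shorter than minlength")
    if len(password) > MAX_LENGTH:
        problems.append("longer than the 20-character maximum")
    if count_classes(password) < minclasses:
        problems.append("too few character classes")
    return problems


if __name__ == "__main__":
    for pw in ("Secret1", "Secret111", "Secret1!!!x"):  # constructed samples
        print(pw, count_classes(pw), check_password(pw, 8, 3))
```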

reset-pwpolicy

You can reset a password policy to the system initial values by running the apusermgmt reset-pwpolicy command.

apusermgmt reset-pwpolicy [-h] -g {Admin|User}
-h
Displays help for the command.
-g | --globalrole {Admin | User}
Required.

Specifies the global role to reset the group-level password policy. You can choose between Admin and User global roles.

set-default-pwpolicy

You can set a password policy to the system default values by running the apusermgmt set-default-pwpolicy command.

apusermgmt set-default-pwpolicy -h | -g {Admin|User}
-h
Displays help for the command.
-g | --globalrole {Admin | User}
Required.

Specifies the global role to reset the group-level password policy. You can choose between Admin and User global roles.