topic Re: Disabling All Password Policies Temporarily in ONTAP Discussions

Disabling All Password Policies Temporarily

TMADOCTHOMAS — Wed, 04 Jun 2025 10:34:20 GMT

Is there a way in cdot to disable all password policies temporarily? I know there was a way in 7-mode because I did it a few times, but can't find the equivalent in cdot. Use case is simple: I have a local account set up on all of our clusters that already has a secure password. On ONE of those clusters I need to 'change' the password to upgrade from MD5 to SHA512, but I don't want to actually change it. Problem is the "disallowed-reuse" setting under security login role config modify has a MINIMUM of 6, so the only way around it is to disable all policies, make the change, then re-enable.

Re: Disabling All Password Policies Temporarily

Mjizzini — Tue, 23 Feb 2021 07:55:11 GMT

I dont think that we can disable the password policies. Maybe deleting it then recreating it again.

Enforcing SHA-2 on administrator account passwords

Re: Disabling All Password Policies Temporarily

TMADOCTHOMAS — Tue, 23 Feb 2021 14:10:51 GMT

Okay thanks @Mjizzini !

Re: Disabling All Password Policies Temporarily

dirvine — Wed, 06 Dec 2023 09:51:43 GMT

You can change the policy temporarily - set the password back to original and then change it back:

sec login role config modify -vserver <vserver> -role admin -disallowed-reuse 1
sec login password -vserver <vserver> -username <username>
sec login role config modify -vserver <vserver> -role admin -disallowed-reuse 6
As long as you first use password is different to what it is now - this will work.