*nix Admin Needing Mac Help


Hello -

I'm a *NIX admin with a couple of Mac OS X systems on my network that I need to manage. I also need to meet specific security requirements for all of my systems. One of the requirements is that after 5 unsuccessful login attempts on a single account, that account must be locked. On our Linux systems, we implement this via the pam_tally PAM module. After much effort, I was able to build pam_tally for Mac OS X 10.3.9 and it works fine for login and ssh but not for LoginWindow (per the diagram on this site http://nic.phys.ethz.ch/readme/86).

So my first question. Is there a way to make LoginWindow use PAM so that pam_tally can manage the unsuccessful login attempts? If not, is there another method?

I've tried pwpolicy and set the option for maxFailedLoginAttempts, but it didn't work. Perhaps because I only tried it for accounts with administrative privileges. I've not tried it with non-admin accounts, but that leads to my next question.

When I create a non-admin account, I am unable to log in unless I add admin privileges to that account. What am I doing wrong? I've tried to find error messages, but I just get the login "shake" which isn't terribly helpful for tracking down problems.

Thanks for any assistance,

PS This was submitted as a "question" after I registered, but I'm not sure where that goes to (and the forums appear to have lots of helpful responses). So sorry if this is a duplicate.