In 10.3 and later, Macs bound to and authenticating against AD kindly warn you when your password has expired and allow you to change it at the login screen. If you're like me and would rather have more control over that process — in other words, you'd like to choose the time, manner, and place in which your users are warned about approaching password expirations — then the default behavior leaves much to be desired.
Googling for other admins' solutions to this "feature deficit" didn't reveal what I was looking for, so I decided to write my own password expiration warning script and make it as universal as I could. By universal, I mean you shouldn't have to change a single thing in the script to get it to work at your site. It looks up everything it needs using various command line utilities.
The commented script is available here.
Here's the breakdown of what the script does:
- Checks to see if the currently logged-in account is actually an AD account before proceeding further
- Gets AD information from DNS (so you don't have to provide it in the script)
- Gets maximum password age from AD (so you don't have to update the script if it ever changes)
- Gets age of current user's password
- Figures out when password will expire
- If the password expires within the warning threshold, the script presents a dialog box informing the user of the impending expiration and offering them a chance to change it
- If user chooses to change the password, Kerberos.app launches and presents them with a secure change password box
The one thing that you absolutely should change in the script is the warningDays variable. This is the variable that determines the number of days before expiration at which the warning dialog box will begin to appear. The default value of 1000 is useful for testing, since no AD password policy allows a password age that long, so you are guaranteed to see the dialog. Once you're satisfied the script actually does what it's supposed to do, drop the number down to your desired warning threshold. I suggest 10.
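The "figures out when the password will expire" step above is simple once you know how AD stores the two inputs: the user's pwdLastSet attribute is a Windows FILETIME (a count of 100-nanosecond ticks since 1601-01-01 UTC), and the domain's maxPwdAge attribute is a negative count of the same ticks. The following bash script is an added example, not the article's script, showing that arithmetic together with the two edge cases a practitioner hits first: maxPwdAge of 0 (no expiration policy) and pwdLastSet of 0 (must change at next logon). It takes the attribute values as parameters rather than reading them with dscl or ldapsearch, because the exact invocation varies by OS version; the sample values are constructed, not real domain data.

```bash
#!/bin/bash
# Added example (not the original script): the date arithmetic behind the
# "figure out when the password will expire" step, using the raw values AD
# stores. pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC);
# maxPwdAge on the domain object is a negative count of the same ticks.
# The sample values below are constructed, not real domain data.

TICKS_PER_SEC=10000000
EPOCH_DIFF=11644473600   # seconds between 1601-01-01 and 1970-01-01 UTC
WARNING_DAYS=10          # same knob as the article's warningDays variable

# Convert a FILETIME tick count to Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / TICKS_PER_SEC - EPOCH_DIFF ))
}

# Whole days until the password expires (truncated toward zero). Prints:
#   "never"  when maxPwdAge is 0 (the domain has no expiration policy)
#   0        when pwdLastSet is 0 (user must change password at next logon)
#   0 or a negative number when the password has already expired
days_until_expiry() {
    local pwd_last_set=$1 max_pwd_age=$2 now=$3
    if [ "$max_pwd_age" -eq 0 ]; then echo never; return; fi
    if [ "$pwd_last_set" -eq 0 ]; then echo 0; return; fi
    local set_epoch expires_epoch
    set_epoch=$(filetime_to_epoch "$pwd_last_set")
    # maxPwdAge is stored negative; negate it to get a positive lifetime.
    expires_epoch=$(( set_epoch + (0 - max_pwd_age) / TICKS_PER_SEC ))
    echo $(( (expires_epoch - now) / 86400 ))
}

# Decide whether the warning dialog should appear: returns 0 (true) when the
# password expires within WARNING_DAYS, 1 otherwise.
should_warn() {
    local days=$1
    [ "$days" = never ] && return 1
    [ "$days" -le "$WARNING_DAYS" ]
}

# Constructed sample: password set 2024-01-01 00:00 UTC, 42-day maximum age,
# checked on 2024-02-01 00:00 UTC, which leaves 11 days.
SAMPLE_PWD_LAST_SET=133485408000000000
SAMPLE_MAX_PWD_AGE=-36288000000000
SAMPLE_NOW=1706745600

days=$(days_until_expiry "$SAMPLE_PWD_LAST_SET" "$SAMPLE_MAX_PWD_AGE" "$SAMPLE_NOW")
if should_warn "$days"; then
    echo "Your AD password expires in $days day(s)."
else
    echo "No warning needed ($days day(s) left)."
fi
```

On a bound Mac you would replace SAMPLE_NOW with `$(date +%s)` and the two sample attributes with the values read from the directory, and hand the message to osascript for the dialog. Note that a password which expired less than a day ago also reports 0 because of the truncation, so treat anything at or below 0 as "expired", not only exact zero.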
To actually use this script, you have a number of options:
- Add it as a login item
- Run it as a cron job with osascript
- Add it as a scheduled task on your ARD Task Server
- etc…
How and when you use this script is up to you.
I would recommend changing the password in the Accounts Preference Pane instead of the Kerberos app. Changing it in the Accounts Preference Pane will change the login keychain password at the same time. If you use the Kerberos app, the login password and login keychain password will get out of sync.
My ADPasswordUtils (http://www.xutils.com/adpasswordutils/) application sends the user to the Accounts Preference Pane. Here’s the code I use to get to the password change dialog in the Accounts Preference Pane:
The click button line in the middle requires “Enable access for assistive devices” to be turned on in the Universal Access Preference Pane. That is why it is wrapped in a separate try section.
Well, that’s an oversight. I was trying to avoid using the Accounts pane for the very reason that scripting it requires that non-default Universal Access setting. Time for another revision.
From what I read in the docs, enabling access for assistive devices is only necessary if you want the actual password change dialog to appear after entering the preference pane.
If the automatic appearance of the password change dialog is not a concern, can the app still be run without enabling access for assistive devices?
It appears it would, and at least this would eliminate the need for creating a non-standard image. Please confirm.
Mark
If you’ve got a Mac bound to AD, I’m guessing that it is being used in an enterprise environment. You can either enable the option for assistive devices on your default images, or change the setting after the fact with ARD, LANDesk, or some other administrative task.
Once it is turned on, I can’t imagine there are that many users that will know what it does and turn it off.
I hear you, and I’ve already used ARD to send “sudo echo -n ‘a’ > /var/db/.AccessibilityAPIEnabled” to all the Macs I manage. My goal of universality is slipping rapidly away. My cake remains in its box, uneaten.
I’ll consider that a feature request.