In 10.3 and later, Macs bound to and authenticating against AD kindly warn you when your password has expired and allow you to change it at the login screen. If you're like me and would rather have more control over that process — in other words, you'd like to choose the time, manner, and place in which your users are warned about approaching password expirations — then the default behavior leaves much to be desired.
Googling for other admins' solutions to this "feature deficit" didn't reveal what I was looking for, so I decided to write my own password expiration warning script and make it as universal as I could. By universal, I mean you shouldn't have to change a single thing in the script to get it to work at your site. It looks up everything it needs using various command line utilities.
Read on for more…
The commented script is available here.
Here's the breakdown of what the script does:
- Checks to see if the currently logged-in account is actually an AD account before proceeding further
- Gets AD information from DNS (so you don't have to provide it in the script)
- Gets maximum password age from AD (so you don't have to update the script if it ever changes)
- Gets age of current user's password
- Figures out when password will expire
- If the password expires within the warning threshold, the script presents a dialog box informing the user of the impending expiration and offering them a chance to change it
- If user chooses to change the password, Kerberos.app launches and presents them with a secure change password box
The one thing that you absolutely should change in the script is the warningDays variable. This is the variable that determines the number of days before expiration at which the warning dialog box will begin to appear. The default value of 1000 is useful for testing, as it should guarantee that you'll always see a dialog. Once you're satisfied the script actually does what it's supposed to do, drop the number down to your desired warning threshold. I suggest 10.
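To make the breakdown above concrete, here is an added example (my own illustration, not the script the post links to) of the arithmetic behind steps 3 through 6 and of the threshold check driven by warningDays. AD stores pwdLastSet as 100-nanosecond intervals since 1601-01-01 and maxPwdAge as a negative count in the same unit, so "days until expiry" is a matter of converting both to seconds and subtracting the current Unix time. The offline functions are fully tested with constructed values; the live_check function at the bottom is an assumption about how one would gather the inputs on a bound Mac (the domain FQDN passed as an argument, dscl with a 10.5-style node path, ldapsearch over GSSAPI, osascript for the dialog) and is only run when invoked with --live.

```bash
#!/bin/bash
# Added example, not the original script. Assumes 64-bit shell arithmetic
# (FILETIME values are ~1.3e17 and overflow 32-bit integers).

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_DIFF=11644473600
HNS_PER_SEC=10000000   # 100-ns intervals per second

# days_until_expiry PWDLASTSET MAXPWDAGE NOW_EPOCH
# Prints whole days until the password expires (negative if already expired).
# Returns 1 when the domain has no maximum age, so the caller can skip warning.
days_until_expiry() {
    pwdlastset=$1; maxpwdage=$2; now=$3
    # maxPwdAge of 0 or the 64-bit minimum both mean "passwords never expire".
    if [ "$maxpwdage" = "-9223372036854775808" ] || [ "$maxpwdage" -eq 0 ]; then
        return 1
    fi
    # pwdLastSet of 0 means "must change password at next logon": treat as due now.
    if [ "$pwdlastset" -eq 0 ]; then
        echo 0
        return 0
    fi
    set_epoch=$(( pwdlastset / HNS_PER_SEC - FILETIME_EPOCH_DIFF ))
    max_age_secs=$(( (0 - maxpwdage) / HNS_PER_SEC ))
    echo $(( (set_epoch + max_age_secs - now) / 86400 ))
}

# should_warn DAYS WARNING_DAYS: true when DAYS <= WARNING_DAYS.
# An already-expired password (negative DAYS) therefore always warns.
should_warn() {
    [ "$1" -le "$2" ]
}

# warning_text DAYS: the message shown in the dialog.
warning_text() {
    if [ "$1" -le 0 ]; then
        echo "Your network password has expired. Please change it now."
    else
        echo "Your network password expires in $1 day(s)."
    fi
}

# live_check AD_DOMAIN_FQDN  (assumption: macOS only, not exercised offline)
live_check() {
    fqdn=$1
    warning_days=${WARNING_DAYS:-10}          # the post's warningDays variable
    user=$(id -un)
    netbios=$(echo "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    node="/Active Directory/$netbios/All Domains"   # 10.3/10.4 used "/Active Directory/All Domains"

    # Step 1: only proceed for AD accounts; a local user has no record in the AD node.
    dscl "$node" -read "/Users/$user" >/dev/null 2>&1 || return 0

    # Step 2: find a domain controller via the _ldap._tcp SRV record.
    dc=$(host -t SRV "_ldap._tcp.$fqdn" | awk '{print $NF}' | head -1 | sed 's/\.$//')
    basedn=$(echo "$fqdn" | sed 's/\./,DC=/g; s/^/DC=/')

    # Step 3: maxPwdAge from the domain root, using the user's Kerberos ticket.
    maxpwdage=$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$dc" -b "$basedn" -s base maxPwdAge \
                | awk '/^maxPwdAge:/ {print $2}')
    # Step 4: pwdLastSet for the logged-in user.
    pwdlastset=$(dscl "$node" -read "/Users/$user" dsAttrTypeNative:pwdLastSet | awk '{print $2}')

    # Steps 5 and 6: compute and, if within the threshold, warn.
    days=$(days_until_expiry "$pwdlastset" "$maxpwdage" "$(date +%s)") || return 0
    should_warn "$days" "$warning_days" || return 0
    choice=$(osascript -e "display dialog \"$(warning_text "$days")\" buttons {\"Later\", \"Change Now\"} default button 2" 2>/dev/null)
    case "$choice" in
        *"Change Now"*) open -a Kerberos ;;   # Kerberos.app; gone in 10.7+, use Ticket Viewer there
    esac
}

if [ "${1:-}" = "--live" ]; then
    live_check "$2"
fi
```

The constructed test values below use a 42-day maxPwdAge (-36288000000000) and a fixed "now" of 1700000000; a password set 30 days earlier yields 12 days remaining, one set 60 days earlier yields -18. If your AD schema has fine-grained password policies (msDS-PasswordSettings), the domain-level maxPwdAge is not the whole story and msDS-UserPasswordExpiryTimeComputed is the attribute to read instead.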
To actually use this script, you have a number of options:
- Add it as a login item
- Run it as a cron job with osascript
- Add it as a scheduled task on your ARD Task Server
How and when you use this script is up to you. Whichever you pick, it has to run inside the logged-in user's GUI session: a cron job or ARD task that fires as root or before login has no place to put the dialog, so schedule it as the user, and only while that user is logged in.