Articles November 20, 2006 at 3:34 pm

"divorce" AD password expiration checking from the login process

In 10.3 and later, Macs bound to and authenticating against AD kindly warn you when your password has expired and allow you to change it at the login screen. If you're like me and would rather have more control over that process — in other words, you'd like to choose the time, manner, and place in which your users are warned about approaching password expirations — then the default behavior leaves much to be desired.

Googling for other admins' solutions to this "feature deficit" didn't reveal what I was looking for, so I decided to write my own password expiration warning script and make it as universal as I could. By universal, I mean you shouldn't have to change a single thing in the script to get it to work at your site. It looks up everything it needs using various command line utilities.


Ed. Note: I haven't nailed down the specifics, but OS X will now start warning you a week before the password expires. This is done via the Kerberos libs, as you'll get a dialog with a Kerberos icon on it. This has been tested with 10.4.7 and 2k3 server SP1. However, the script provided is much more versatile.

The commented script is available here.

Here's the breakdown of what the script does:

  1. Checks to see if the currently logged-in account is actually an AD account before proceeding further
  2. Gets AD information from DNS (so you don't have to provide it in the script)
  3. Gets maximum password age from AD (so you don't have to update the script if it ever changes)
  4. Gets age of current user's password
  5. Figures out when password will expire
  6. If the password expires within the warning threshold, the script presents a dialog box informing the user of the impending expiration and offering them a chance to change it
  7. If user chooses to change the password, Kerberos.app launches and presents them with a secure change password box

The one thing that you absolutely should change in the script is the warningDays variable. This is the variable that determines the number of days before expiration at which the warning dialog box will begin to appear. The default value of 1000 is useful for testing, as it should guarantee that you'll always see a dialog. Once you're satisfied the script actually does what it's supposed to do, drop the number down to your desired warning threshold. I suggest 10.
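Steps 3 through 6 above are mostly arithmetic on two AD attributes, pwdLastSet and maxPwdAge. The following is an added example (not the author's script) that does that arithmetic in a shell function and applies the warningDays threshold; the attribute values and the "now" timestamp are constructed sample values, not read from a directory, and AD's tick format (100-nanosecond units since 1601, maxPwdAge stored negative) is assumed to be what the script receives from its lookups.

```shell
#!/bin/sh
# Added example: turn AD's pwdLastSet/maxPwdAge into "days until expiry" and
# decide whether the warning dialog should fire. Not the original script.
#
# AD stores pwdLastSet as 100-nanosecond ticks since 1601-01-01 (Windows
# FILETIME) and maxPwdAge as a NEGATIVE count of the same ticks.

EPOCH_DIFF=11644473600   # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SEC=10000000   # 100-ns ticks in one second

# filetime_to_epoch <pwdLastSet>  -> Unix epoch seconds
filetime_to_epoch() {
  echo $(( $1 / TICKS_PER_SEC - EPOCH_DIFF ))
}

# max_age_seconds <maxPwdAge>  -> positive seconds (input is negative)
max_age_seconds() {
  echo $(( (0 - $1) / TICKS_PER_SEC ))
}

# days_until_expiry <pwdLastSet> <maxPwdAge> <now_epoch>
# -> whole days left, truncated toward zero; 0 means "expires today",
#    a negative value means the password already expired that many days ago
days_until_expiry() {
  set_epoch=$(filetime_to_epoch "$1")
  expiry=$(( set_epoch + $(max_age_seconds "$2") ))
  echo $(( (expiry - $3) / 86400 ))
}

# should_warn <days_left> <warningDays>  -> exit 0 when the dialog should appear
should_warn() {
  [ "$1" -le "$2" ]
}

# Constructed sample values: password set 2006-10-04 22:13:20 UTC,
# domain policy of 60 days, "now" = 2006-11-20 05:20:00 UTC.
SAMPLE_PWD_LAST_SET=128044736000000000
SAMPLE_MAX_PWD_AGE=-51840000000000
SAMPLE_NOW=1164000000
warningDays=10

left=$(days_until_expiry "$SAMPLE_PWD_LAST_SET" "$SAMPLE_MAX_PWD_AGE" "$SAMPLE_NOW")
if should_warn "$left" "$warningDays"; then
  # The original script hands a message like this to osascript for a dialog.
  echo "Your AD password expires in $left day(s)."
else
  echo "No warning needed: $left day(s) left."
fi
```

With warningDays left at the testing value of 1000 the sample always warns; at 10 it stays quiet until the 13 remaining days shown here drop to 10.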

To actually use this script, you have a number of options:

  • Add it as a login item
  • Run it as a cron job with osascript
  • Add it as a scheduled task on your ARD Task Server
  • etc…

How and when you use this script is up to you.


  • I would recommend changing the password in the Accounts Preference Pane
    instead of the Kerberos app. Changing it in the Accounts Preference Pane
    will change the login keychain password at the same time. If you use the
    Kerberos app, the login password and login keychain password will get out
    of sync.

    My ADPasswordUtils (http://www.xutils.com/adpasswordutils/) application
    sends the user to the Account Preference Pane. Here’s the code I use to get
    to the password change dialog in the Accounts Preference Pane:

    
    -- Open the Accounts pane, then use GUI scripting to press Change Password…
    tell application "System Preferences"
       activate
       set current pane to pane "Accounts"
       tell application "System Events"
         -- The click needs "Enable access for assistive devices"; the try
         -- block keeps the script from failing when that setting is off.
         try
            tell application process "System Preferences"
               click button "Change Password…" of tab group 1 of window "Accounts"
            end tell
         end try
       end tell
    end tell
    

    The click button line in the middle requires “Enable access for assistive
    devices” be turned on in the Universal Access Preference Pane. That is why
    it is wrapped in a separate try section.

    • Well, that’s an oversight. I was trying to avoid using the Accounts pane for the very reason that scripting it requires that non-default Universal Access setting. Time for another revision.

    • From what I read in the docs, enabling access for assistive devices is only
      necessary if you want the actual password change dialog to appear after
      entering the preference pane.

      If the automatic appearance of the password change dialog is not a
      concern can the app still be run without enabling access for assistive
      devices?

      It appears it would, and at least this would eliminate the need for creating
      a non-standard image. Please confirm.

      Mark

  • If you’ve got a Mac bound to AD, I’m guessing that it is being used in an
    Enterprise environment. You can either enable the option for assistive devices
    on your default images, or change the setting after the fact with ARD,
    LANDesk, or some other administrative task.

    Once it is turned on, I can’t imagine there are that many users that will know
    what it does and turn it off.

    • I hear you, and I’ve already used ARD to send “sudo echo -n ‘a’ > /var/db/.AccessibilityAPIEnabled” to all the macs I manage. My goal of universality is slipping rapidly away. My cake remains in its box, uneaten.

  • I’ll consider that a feature request.
