AD Password Expire Warning

  • #358821
    jensonyu
    Participant

    Someone asked me this question today, but I haven’t had time to test it.

    Do Mac (10.3.x) users get a warning at login to the computer when their AD passwords are about to expire? (I already know they can change their AD password from Account System Pref.)

    #358865
    jensonyu
    Participant

    Just took the time to confirm, but found it was not as macshome said.

    On PC, I got “Your password expires today, do you want to change it?” But on Mac, no message, the user just logged on.

    If I set “User must change password at next logon”, Mac user of course will have to change it at logon. But that’s not the same thing as expiring password.

    #358903
    jensonyu
    Participant

    Mac: 10.3.5 with all the updates except applications’ (iCal, iSight, iPod, etc)
    Server: Win2003 Enterprise

    The only thing I changed in AD was the Account Policy: maximum password age is 1 day and minimum password age is 0 days, because I want to see the result right away. (Mmm, is there a problem here?)

    #359383
    Anonymous
    Guest

    The issue with Passwords not warning users of expiration is that when the password expires you are now unable to change your password because your original password is no longer valid. Our password policy requires us to change passwords every 60 days. This means we have to reset passwords for users. Not very secure.

    #361813
    ahlburg
    Participant

    Any news about this issue?
    I don’t see any “warnings” on my mac as I do on my PC…
    No warnings at all means password=expires=not possible to change it!

    Any ideas?

    #361817
    kreynen
    Participant

    Password expiration notices ARE sent to clients connecting to a share on a server that has clear text passwords disabled when the client had Microsoft’s UAM installed.

    #361834
    ahlburg
    Participant

    Thanks for your reply…
    So, is this the way to go? Are there any official recommendations to use the MS UAM on OS X clients when connecting to W2K3 servers?

    #366315
    Anonymous
    Guest

    I’m having a problem with changing passwords. When users log in for the first time they have no password. They just log in with their username and no password. Then they get prompted to create their password.

    This is not working from my Mac clients (10.4.6).

    When they have no password set the Mac client won’t let them log in. It just fails!

    client: 10.4.6
    AD: win 2003
    OD: 10.4 server

    Any ideas?
    It’s working fine from the PC side, and the Mac clients are authenticating fine through AD, and being managed through OD when a user with a password already set logs in.

    #366319
    Anonymous
    Guest

    I assumed “user must change password at next logon” was supported.

    I know what happens when I assume

    #367247
    joelbruner
    Participant

    Well at the company I work for the Mac users’ machines are not bound to AD (thank god — they have infinite lockout after 3 attempts!) and they hardly ever log into the MS file servers (using Xinet) — BUT all the intranet web services they use are tied into AD and soon we are going from Notes to Exchange/Entourage — so you can see why I am working on a solution pronto!.
    So what I’ve come up with is a solution with three parts:
    1.) User run Applescript that queries an AD bound Mac OS X server via command line curl to a 2.) php file that runs a 3.) shell script that uses dscl to look up the users info.
    Here’s some of the guts to figure this out on an AD bound Mac:
    [code]
    # "All Domains" contains a space, so the dscl path below is quoted; use the FQDN instead
    # if the AD plugin does not allow authentication from any domain in the forest
    ADdomain="All Domains"
    user=`whoami`
    userRecord=`dscl localhost -read "/Active Directory/$ADdomain/Users/$user"`
    # pwdLastSet is a Windows timestamp: 100 ns ticks since 1601-01-01
    lastpwdMS=`echo "$userRecord" | grep -i pwdLastSet | sed 's/pwdLastSet: //'`
    todayUnix=`date "+%s"`
    # this formula from http://support.citrix.com/article/CTX109645
    lastpwdUnix=`expr $lastpwdMS / 10000000 - 11644473600`
    diffUnix=`expr $todayUnix - $lastpwdUnix`
    # whole days since the password was last set
    diffdays=`expr $diffUnix / 86400`
    [/code]
    http://www.brunerd.com/software/ADexpire/ADexpire.zip
    It’s commented and has readme’s for implementation specifics
    Screenshot: http://www.brunerd.com/software/ADexpire/screenshot.gif
    So a brief description of what it does:
    The user will be alerted to their password expiration and given three buttons…
    Clicking Help takes you to a help page URL
    Dismiss will close the window (it times out after 30 seconds also)
    Change will take them to the IIS Password Change Page (this is implemented in the ADexpire2 app included)
    It still needs some polishing; I’ve seen a way that uses rpcclient (macscripter.net has a script that uses this) to get the exact expiration date, but haven’t tried this method yet. Still, I hope this might provide a workable solution to those in the same boat as me. I saw some cool demos of this concept at WWDC this year, but no one would give up the code readily, so here’s a stab at it for all of us to share and improve… 🙂
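The post above stops at the number of days since the password was last set. The following added example (not part of the original post or of the ADexpire package) carries the same conversion through to days remaining and also handles a pwdLastSet of 0, which AD uses for "User must change password at next logon". The function names, the sample record, and the maximum-age and warning-window parameters are assumptions; the maximum age is passed in rather than read from the domain policy.

```shell
#!/bin/sh
# Added example: classify an AD password's age from dscl-style record text.

# Constructed sample of `dscl ... -read` output (not captured from a real directory).
SAMPLE_RECORD='RecordName: jdoe
dsAttrTypeNative:pwdLastSet: 133500000000000000
RealName: J Doe'

# Extract the numeric pwdLastSet value, with or without an attribute-type prefix.
get_pwd_last_set() {
    printf '%s\n' "$1" |
        sed -n 's/^.*[pP]wdLastSet: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# Windows timestamp (100 ns ticks since 1601-01-01) -> Unix epoch seconds,
# the same formula the post uses.
filetime_to_unix() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Args: record text, max password age (days), warning window (days), now (epoch s).
# Prints "<status> <days_left>"; status is ok, warn, expired, must_change or unknown.
password_status() {
    record=$1 max_age_days=$2 warn_days=$3 now=$4
    ticks=$(get_pwd_last_set "$record")
    case $ticks in
        '') echo "unknown -"; return 1 ;;      # attribute missing: do not guess
        0)  echo "must_change 0"; return 0 ;;  # change forced at next logon
    esac
    set_at=$(filetime_to_unix "$ticks")
    age_days=$(( (now - set_at) / 86400 ))
    left=$(( max_age_days - age_days ))
    if [ "$left" -le 0 ]; then
        echo "expired $left"
    elif [ "$left" -le "$warn_days" ]; then
        echo "warn $left"
    else
        echo "ok $left"
    fi
}

# Assumed policy: 60-day maximum age, warn during the last 14 days.
password_status "$SAMPLE_RECORD" 60 14 "$(date +%s)"
```

On a bound Mac the first argument would be the output of the `dscl` read shown in the post instead of the sample record.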
