Jamf Nation Community

I don't think password age is stored locally on the system, since you will only see notifications at times when your system is talking to a domain controller. When offline, your system doesn't know the state of your AD password (it may have been changed already for all it knows).

You could probably have the script grab the current user and do an AD query on the "password last changed" attribute and do the math, but that sounds needlessly complex and would only work when on-network.

Yep - they are right - you would need an active connection to the AD server to get that data.

I am interested in this one too…

Although you could (later on) touch a flag-file locally to say when the password was last updated
- and if you know your companies password change policy -- say 60 days for instance…
– then you could work out locally if the network password was due to expire - without being attached to the network
– but that's a kludge -- Really you want to connect to the actual network to determine the expiry status.
– (also even if you did implement this kludge - it could only warn you…)

So I guess the next question is: How do you read the password expiry date from AD ?

-- You might perhaps only be able to read when the password was last reset ?
-- Though as i recall there is a "Password Expiry" Field…

Best to ask your AD administrator…
or look it up online…

I did find: http://blogs.msdn.com/b/adpowershell/archive/2010/08/09/9970198.aspx
Which is not immediately useful… Since it's a script to run on windows…

That contains a reference to the Microsoft Document:
http://msdn.microsoft.com/en-us/library/ms974598.aspx

Looking ta that – While it's probably accurate - it does not look of much use to Mac Admins…
-- I would definitely start by asking your AD Admin if there is an easy way…

One possibility is that may already have a method -- to email users a notification -- that their password is due to expire is so many days time… -- That would be one solution…

Hi Once again…

This reference looks a lot more interesting…

http://thelowedown.wordpress.com/2008/12/04/active-directory-automated-password-expiration-warnings/

Thank you so much for all of your help and suggestions. I checked the ADPassMon out and I think that would work for us. Though the script that 'colonelpanic' provided worked PERFECT!!!!!! That should give me the flexibility that I was after.

Rock on! Thanks again, everyone!

Glad to hear that script worked for you! Like I said I found an applescript version of it online, I just did the work of converting it to bash, adding a tiny bit of additional math, and throwing the pop-up in the end. We have that as something the users can run through self service, though you can make the changes described in my last post to have it run in the way you were initially describing.

I hope this helps anyone who needs it. I modified colonelpanic's script to suit my environment. We have cached AD Mobile accounts here with a 90 day password limit and so far when I query the local directory using dscl it still shows the correct last password set. We use Cocoadialog for notifications and Network Connect for VPN, so I used the msgbox template for users to choose if they're on the network or not in order to change their password. If they're onsite, the script will launch the Accounts Pane in System Preferences and if they're offsite, the script will launch Network Connect. I have the script below and after it is the script I use in Extension Attributes in order to scope users that are within a two week window.

-----------------------------------------------------------
#!/bin/bash
pwPolicy=90
user=/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'
lastpwdMS=dscl localhost read /Local/Default/Users/$user | grep SMBPasswordLastSet | cut -d' ' -f 2
todayUnix=date "+%s"
lastpwdUnix=expr $lastpwdMS / 10000000 - 11644473600
diffUnix=expr $todayUnix - $lastpwdUnix
diffdays=expr $diffUnix / 86400
daysremaining=expr $pwPolicy - $diffdays
CD="/Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog"
rv=`$CD msgbox --no-newline
--text "Your AD password expires in less than $daysremaining days."
--informative-text "Click the appropriate button to change your password."
--button1 "OnSite" --button2 "OffSite" --button3 "Cancel"`
if [ "$rv" == "1" ]; then
osascript -e 'tell application "Finder" activate open document file "Accounts.prefPane" of folder "PreferencePanes" of folder "Library" of folder "System" of startup disk
end tell'
exit 0
echo "User chose OnSite"
elif [ "$rv" == "2" ]; then
osascript -e 'tell application "Finder" activate open file "Network Connect.app" of folder "Applications" of startup disk
end tell'
exit 0
echo "User chose OffSite"
elif [ "$rv" == "3" ]; then
echo "Cancelling"
exit 0
fi
-------------------------------------

I have an Extension Attribute that will put users in a 2 Weeks left Smart Group.
------------------------------------
#!/bin/bash
pwPolicy=90
user=/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'
lastpwdMS=dscl /Local/Default/ read /Users/$user | grep SMBPasswordLastSet | cut -d' ' -f 2
todayUnix=date "+%s"
lastpwdUnix=expr $lastpwdMS / 10000000 - 11644473600
diffUnix=expr $todayUnix - $lastpwdUnix
diffdays=expr $diffUnix / 86400
daysremaining=expr $pwPolicy - $diffdays
if [[ "$daysremaining" -gt 0 && "$daysremaining" -lt "15" ]]; then
echo "<result>2 Weeks</result>";
else
echo "<result>$daysremaining</result>";
fi
-------------------------------

daniel.behan you have my attention,

I have tried everything. Your script is the coolest one I have seen yet. Our user accounts are expiring left and right and I have gotten 0 help from apple. Your script is working however its not showing me the amount of days. Any advice.

not sure if the smart group script is working either.

I know this is an oldish discussion but i thought i would share what i am working on based in part on @daniel.behan contribution to the discussion.

I used Daniel's logic to derive the days till password expires (the top section) but instead of using Jamfhelper or CocoaDIalog, I decided to leverage Notification Center.

#!/bin/bash
pwPolicy=90
user=`/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'`
lastpwdMS=`dscl localhost read /Local/Default/Users/$user | grep SMBPasswordLastSet | cut -d' ' -f 2`
todayUnix=`date "+%s"`
lastpwdUnix=`expr $lastpwdMS / 10000000 - 11644473600`
diffUnix=`expr $todayUnix - $lastpwdUnix`
diffdays=`expr $diffUnix / 86400`
daysremaining=`expr $pwPolicy - $diffdays`
osascript -e 'display notification "Go to (site for pwmanagement) to change your password" with title "Password expires in '$daysremaining' days" sound name "Hero"'

I chose Notification center because it is a visible and audible notification that doesn't interrupt work flow too much. Plus we have a web interface for password management with plans to change the IDM system we use soon...

Thank you @exno that's a very nice script!

@daniel.behan Maybe you can help me?

I copied your script and there seems to be an error in the osascript syntax .. When I try to run the script only an Alert is displayed (no buttons) I can only kill the script to make the Alert go away.

When I try to run one of the osascript commands manually (copy past in terminal) I get an error 26:34: syntax error: Expected end of line but found command name. (-2741)

Any Ideas?

Nevermind.. Found my solution on the internet..