ADPassMon Script help

Treger
Contributor

Hi Guys,

I have started trying to use ADPassMon in my environment; it would solve a lot of the issues I am having with AD password resetting and Kerberos tickets all in one go (plus of course KEYCHAIN!). However, I am trying to use the forked V2. I have managed to configure the app as required with the password requirements and user notifications etc., but my script will not run as it is returning the error error -10810.36:121: execution error: which I believe means it needs to run as the user; however, in testing when I ran it as an admin it worked for the user. Does anyone have an idea of how I can deploy this, or if maybe I am just going about this the wrong way? This is what I want to configure:

##### Deploy preferences to app for:
##### Enable version 2 behaviour
##### Enable Notifications for expiry
##### User notification of password requirements and acknowledgement
##### Lock the preferences from user

defaults write org.pmbuko.ADPassMon selectedBehaviour -int 2

defaults write org.pmbuko.ADPassMon enableNotifications -bool true

defaults write org.pmbuko.ADPassMon pwPolicy "Please ensure your password is a minimum of 8 characters including at least 1 upper case, 1 lower case & 1 number or symbol"

defaults write org.pmbuko.ADPassMon pwPolicyButton "Understood"

defaults write org.pmbuko.ADPassMon prefsLocked -bool true

##### Restart the app to apply the changes

osascript -e 'tell application "ADPassMon" to quit'

open -a ADPassMon

##### Add the App to the users login items

osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/ADPassMon.app", hidden:false}'

1 ACCEPTED SOLUTION

bpavlov
Honored Contributor

I don't know about a script but here are the settings I have documented (I believe these are all of the settings) as of v2.0.9:

ADPassMon Behavior: Version 2
    <key>isBehaviour2Enabled</key>
    <integer>1</integer>
    <key>selectedBehaviour</key>
    <integer>2</integer>    

Method of obtaining maximum password age: Auto
    <key>selectedMethod</key>
    <integer>0</integer>

Test this key as it may not be necessary if selectedMethod is set to Auto
    <key>expireAge</key>
    <integer>0</integer>


Check "Use Notifications"
    <key>enableNotifications</key>
    <true/>

"Add To Login Items"
No key exists. This can be accomplished via a LaunchAgent.

"Perform Keychain Lock check at launch?"
    <key>enableKeychainLockCheck</key>
    <true/>

How many days before your password expires do you want to be warned? 21 
    <key>warningDays</key>
    <integer>21</integer>

Check "Allow password change?"
    <key>allowPasswordChange</key>
    <true/>

Password Expiration Check Interval: 12 hrs
    <key>passwordCheckInterval</key>
    <integer>12</integer>

Policy Requirement message:
defaults write org.pmbuko.ADPassMon pwPolicy "ENTER YOUR MESSAGE HERE."

Lock preferences:
defaults write org.pmbuko.ADPassMon prefsLocked true

And my plist (which I've converted to a config profile) looks like so "org.pmbuko.ADPassMon.plist":

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowPasswordChange</key>
    <true/>
    <key>enableKeychainLockCheck</key>
    <true/>
    <key>enableNotifications</key>
    <true/>
    <key>isBehaviour2Enabled</key>
    <integer>1</integer>
    <key>passwordCheckInterval</key>
    <integer>12</integer>
    <key>prefsLocked</key>
    <true/>
    <key>pwPolicy</key>
    <string>ENTER YOUR MESSAGE HERE.</string>
    <key>selectedBehaviour</key>
    <integer>2</integer>
    <key>selectedMethod</key>
    <integer>0</integer>
    <key>warningDays</key>
    <integer>21</integer>
</dict>
</plist>

Hope that helps. And just paging @bentoms as he may be able to provide some pointers too.

Treger
Contributor

Reposting script as it took out all the hashes etc for stuff that is commented out:

#!/bin/sh

##### Deploy preferences to app for:
##### Enable version 2 behaviour
##### Enable Notifications for expiry
##### User notification of password requirements and acknowledgement
##### Lock the preferences from user

defaults write org.pmbuko.ADPassMon selectedBehaviour -int 2

defaults write org.pmbuko.ADPassMon enableNotifications -bool true

defaults write org.pmbuko.ADPassMon pwPolicy "Please ensure your password is a minimum of 8 characters including at least 1 upper case, 1 lower case & 1 number or symbol"

defaults write org.pmbuko.ADPassMon pwPolicyButton "Understood"

defaults write org.pmbuko.ADPassMon prefsLocked -bool true

##### Restart the app to apply the changes

osascript -e 'tell application "ADPassMon" to quit'

open -a ADPassMon

##### Add the App to the users login items

osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/ADPassMon.app", hidden:false}'

Treger
Contributor

3rd time lucky.....

bpavlov
Honored Contributor

How are you running the script out of curiosity? If it's running as root then I don't believe the settings are being copied to the user's preferences which may be the cause of your problem....

Treger
Contributor

Hi bpavlov, thanks. I uploaded the script to the JSS and tried to push it to a smart computer group that has the ADPassMon app already installed.

When you are deploying the above .plist I take it you have it running as a .dmg for FUT and FEU?

bpavlov
Honored Contributor

I converted that plist into a profile using mcxToProfile: https://github.com/timsutton/mcxToProfile

Then you can apply that configuration profile to whatever computer you want via Casper.
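
An added example, not part of the thread and not mcxToProfile's own code: it wraps the plist posted above in a managed-preferences payload, so keys such as prefsLocked are forced by the profile rather than stored in a user-writable preference file. The function names, the identifier com.example.adpassmon and the organization "Example Org" are placeholders chosen for illustration.

```python
import plistlib
import uuid

DOMAIN = "org.pmbuko.ADPassMon"
# Settings copied from the plist posted in this thread.
SETTINGS = {
    "allowPasswordChange": True,
    "enableKeychainLockCheck": True,
    "enableNotifications": True,
    "isBehaviour2Enabled": 1,
    "passwordCheckInterval": 12,
    "prefsLocked": True,
    "pwPolicy": "ENTER YOUR MESSAGE HERE.",
    "selectedBehaviour": 2,
    "selectedMethod": 0,
    "warningDays": 21,
}

def build_profile(domain, settings, identifier, organization):
    """Return a .mobileconfig dict that forces `settings` on `domain`."""
    # "Forced" means always managed: the user cannot override these keys.
    managed = {domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}}
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Custom: ({domain})",
        "PayloadContent": managed,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadOrganization": organization,
        "PayloadDisplayName": "ADPassMon settings",
        "PayloadContent": [payload],
    }

def forced_settings(profile_bytes, domain):
    """Read the forced settings back out of a serialized profile, for review."""
    inner = plistlib.loads(profile_bytes)["PayloadContent"][0]["PayloadContent"]
    return inner[domain]["Forced"][0]["mcx_preference_settings"]

if __name__ == "__main__":
    # com.example.adpassmon and "Example Org" are placeholder values.
    profile = build_profile(DOMAIN, SETTINGS, "com.example.adpassmon", "Example Org")
    with open("ADPassMon.mobileconfig", "wb") as fh:
        plistlib.dump(profile, fh)
```

Reading the profile back with forced_settings before upload confirms that the booleans and integers kept their types.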

Treger
Contributor

Thanks! I am trying that now to see how it works; had to get my head around how the MCX creator worked.

Treger
Contributor

I have tried it but it seems the app is still staying on version 2, the prefs are still unlocked, the pwPolicy is working though....

cbrewer
Valued Contributor II

Here is the script I came up with that writes our ADPassMon preference file and writes a launch agent to handle automatically launching ADPassMon. I just run this at login for all of our staff.

Test this out as I tweaked it a bit to remove some things specific to my environment.

#!/bin/bash

#$3 is the username of the user logging in, which Casper passes to scripts run at login

#Check for ADPassMon.app and exit if not found
if [ ! -d /Applications/ADPassMon.app ]; then
    echo "ADPassMon not found"
    exit 0
fi

#Check for existing launch agent
if [ -f "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" ]; then
    echo "LaunchAgent for ADPassMon already exists. Removing..."
    rm "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
fi

#Write out a LaunchAgent to launch ADPassMon on login
#Create the LaunchAgents folder first in case the user does not have one yet
mkdir -p "/Users/$3/Library/LaunchAgents"
defaults write "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" Label AD.ADPassMon
defaults write "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" ProgramArguments -array
defaults write "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" RunAtLoad -bool YES
/usr/libexec/PlistBuddy -c "Add ProgramArguments: string /Applications/ADPassMon.app/Contents/MacOS/ADPassMon" "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
#The script runs as root, so hand the files back to the user
chown -R "$3" "/Users/$3/Library/LaunchAgents"
chmod 644 "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
echo "Created LaunchAgent to launch ADPassMon on login"

#Check for org.pmbuko.ADPassMon.plist and exit if found
if [ -f "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist" ]; then
    echo "org.pmbuko.ADPassMon.plist exists"
    exit 0
else
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" enableNotifications -bool true
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" expireAge -int 365
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" selectedMethod -int 1
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" warningDays -int 14
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" pwPolicy "Your password needs to be at least 12 characters long and cannot be a password you've used previously."
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" selectedBehaviour -int 2
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" prefsLocked -bool true
    chown "$3" "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist"
    echo "Created /Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist"
fi

Treger
Contributor

Thanks Guys, much appreciated. What I did in the end was log in as a user, configure ADPassMon and then use the exact .plist to create the config profile; that is now working perfectly. @cbrewer thanks very much for the script, I will use the config for now but I do prefer the scripting way of doing this type of thing, and thanks to bpavlov for the Tim Sutton website, works a treat!

bentoms
Release Candidate Programs Tester

Hi All,

FWIW.. once I finish with the next release of AutoCasperNBI I'm going to give ADPassMon some love.

The forks will be merged, I also want to have an option to create a PKG from within the app of itself with a LaunchAgent as well as generate a profile for the settings.

That should resolve most of these issues I hope!

Any other ideas, please post here

Treger
Contributor

<----- insert praising hands emoticon here :)

khey
Contributor

Hi @cbrewer,

Sorry for bringing up an old thread,

Just wondering why on your script the LaunchAgent is being re-created every time the user logs in?

Can't I just put the ADPassMon LaunchAgent in /Library/LaunchAgents so it starts irrespective of who logs in?

Thanks

#!/bin/sh
#Check for existing launch agent
if [ -f /Users/$3/Library/LaunchAgents/AD.ADPassMon.plist ]; then
    echo "LaunchAgent for ADPassMon already exists. Removing..."
    rm /Users/$3/Library/LaunchAgents/AD.ADPassMon.plist
fi

bentoms
Release Candidate Programs Tester

@khey It certainly can be in /Library/LaunchAgents/ & I'm sure @cbrewer does this now.. (this is an old thread)..

FWIW, the ADPassMon Wiki now has some example LaunchAgents
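
The system-wide LaunchAgent discussed above, as an added example that is not from the thread or the ADPassMon wiki: it writes one agent file with the label and binary path used in cbrewer's script, then audits it, since a plist in /Library/LaunchAgents should be owned by root and not writable by group or others. The function names are hypothetical and the demo writes to the current directory rather than /Library/LaunchAgents.

```python
import os
import plistlib
import stat

LABEL = "AD.ADPassMon"  # label used in cbrewer's script
PROGRAM = "/Applications/ADPassMon.app/Contents/MacOS/ADPassMon"

def write_launch_agent(directory, label=LABEL, program=PROGRAM):
    """Write <label>.plist into `directory` with mode 0644 and return its path."""
    path = os.path.join(directory, f"{label}.plist")
    agent = {"Label": label, "ProgramArguments": [program], "RunAtLoad": True}
    with open(path, "wb") as fh:
        plistlib.dump(agent, fh)
    os.chmod(path, 0o644)
    return path

def audit_launch_agent(path, expected_uid=0):
    """Return a list of problems that make a system-wide agent unsafe to load."""
    problems = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    with open(path, "rb") as fh:
        agent = plistlib.load(fh)
    args = agent.get("ProgramArguments") or [None]
    if not args[0] or not os.path.isabs(args[0]):
        problems.append("ProgramArguments[0] is not an absolute path")
    return problems

if __name__ == "__main__":
    # Constructed demo: on a real Mac, run as root with directory
    # "/Library/LaunchAgents" and keep the default expected_uid=0.
    demo = write_launch_agent(".")
    print(demo, audit_launch_agent(demo, expected_uid=os.getuid()))
```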

rm10245
New Contributor

Implemented this today using ADPassMon and KerbMinder using information from this thread.

Didn't see this documented anywhere but for those using KerbMinder and plist you can add the following to automatically enable KerbMinder.

defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon enableKerbMinder -bool true