Change AD password from a local computer login

By "local user" do you mean a truly local account, i.e, a 5xx UID account not tied at all to AD, or a local cached mobile account, tied to AD?
I'm assuming you mean the former, but just wanted to be clear on which it is.

yes, I mean a truly local account not a cached mobile account, thanks for helping me clarify!

maybe a jamfhelper dialog box where an user inputs the old and new password that passes to a dscl command script? I think I will play along in this direction.... I can bind the macs to our AD, but our students are currently using auto login local accounts to use the computers.

don't see any text input fields in jamfhelper.. nm

OK, yeah. Hmm, that's tough. We use an internally hosted site where users can log in with their current AD credentials and change any of their network account passwords that are linked to their main account.
I would think that would be the most logical way to do it when trying to change it from outside an AD account on their system, but that's up to your organization to build something like that if it doesn't already exist.
Otherwise, its not going to be easy or even possible to do really.

ldapsearch can be used to query AD on the fly, even from a system not bound to AD, and use credentials to look up account info, but I'm not sure its capable of changing the password for an account. I think its strictly "search", hence the name.

Actually on some other post on here somewhere, someone mentioned that dscl can actually be used to modify AD records, although I've never used it in that way. Generally I use dscl to modify local settings or query AD for information.
But if its possible to do that, you could, say, script something that would ask for user ID (AD), then the current AD password, use ldapsearch to confirm the credentials (to make sure its an authorized change) then ask for the new password, and finally, use dscl to change the password to the new one.

Sounds feasible, but I think its going to be tricky to get that working correctly.

As for user input, you'll want to look at cocoaDialog, not jamfHelper.

that does seem like a better approach, thanks mm270. Maybe I should just push to have the students log in with their ad creds...... :)

awesome, thanks for the tip on cocoadialog.... that is a piece I was looking for as well!

I've never used it, and i can't test it right now, but maybe

kpasswd $domainuser

does what you want

If you run an exchange mail server you can have them change it through webmail. sounds like you just need a password portal of some sort.

ahh and the next piece falls into place... thanks, Chris!!

@thanzig we are running exchange webmail. the issue I have with using that is our students do not have exchange email accounts so they are unable to authenticate in far enough to use the change password function. I am not our mail admin, is it possible to allow login to change a password but not allow email?

i'm not an exchange admin but i think the answer is no. we have some users in a similar situation (AD account but no email) remote into a terminal server and they can change their password that way. tough one, i would explore the kpassword option.

I am very interested in the cocoaDialog and kpasswd direction. I will post back as I move forward with this

Hi @pat.best,

So the accounts are local to the Mac.. But the users authenticate to AD for things such as email?

If so, I might bug you when looking at the next iteration of my ADPassMon fork.

Anyways, another option could be: https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27

This will send an email warning of Password expiry & direct people to change password via OWA.

@bentoms sorry for the massive delay... I totally lost track of this post. To answer your question, yes our staff use a local account on the mac for login ( I am trying to change this to AD ) and use AD to access wireless, file shares, email, etc. Our current email system is set to send out password expiry emails to staff members which is great for staff members. The other half of my issue has to do with students that do not have email accounts. Our email admin is currently working on an internally hosted site for password changes similar to what mm270 noted earlier while I am exploring other possibilites. I am interested in ADPassMon so let me know if there is anything you would like me to try. I am not currently deploying this and have just begun testing in my environment. Thanks!!

is it they have no email at all or is it email is being handle by another service?

A portion of our students have access to gmail.