Posted on 05-08-2018 09:40 PM
Hey all,
I made a Bash script to check when a user's AD password is going to expire (AD-bound machines only) and prompt the user to change it if the remaining time is less than a set number of days.
Check it out: https://github.com/DJStuey/PasswordChecker
Feedback Welcome
Bash script in the JSS, triggered with a policy set to run once per day on recurring check-in. The jamfHelper window only pops up when the expiry is less than the Notify variable.
Hope this helps someone!
Posted on 05-08-2018 11:26 PM
This is very similar to something I created a while ago, although I notice that this script simply directs the users to the accounts preferences pane, which I disable for users.
The code I use for this bit goes:
# ...blahblahblah... (earlier part of the script omitted by the poster; it sets
# SEARCHPATH, USER, CURPASSWORD and NEWPASSWORD before this point)

# Ask Directory Services to change the password; dscl reports a named error
# (eDSAuth...) on failure and nothing on success.
result=$(dscl "${SEARCHPATH}" passwd "/Users/${USER}" "${CURPASSWORD}" "${NEWPASSWORD}")
# The error name is the 4th word of dscl's message; empty means the change worked.
result=$(echo "${result}" | awk '{ print $4 }')
#result=""
#eDSAuthFailed
#eDSAuthMethodNotSupported
#eDSAuthPasswordQualityCheckFailed
if [ "$result" == "eDSAuthPasswordQualityCheckFailed" ]; then
    osascript -e 'Tell application "System Events" to display alert "(eDSAuthPasswordQualityCheckFailed):
New password has failed complexity requirements. It is most likely that your password had already been changed in the past 5 days, or is the same as one of your previous 24 passwords." as warning'
    exit 1
elif [ "$result" == "eDSAuthMethodNotSupported" ] || [ "$result" == "eDSAuthFailed" ]; then
    osascript -e 'Tell application "System Events" to display alert "('"$result"'):
Failed validation. It is most likely that you entered your current password incorrectly, or you are not logged in with your Petermac account." as warning'
    exit 1
elif [ "$result" != "" ]; then
    osascript -e 'Tell application "System Events" to display alert "('"$result"'):
Unhandled error. Please contact IT Helpdesk." as warning'
    exit 1
fi
It could probably do with some tweaking, but if you wanted to keep everything to one script this would be the way.
Posted on 05-09-2018 03:52 AM
@Stuey I like it! I tried it out on my system and it works like a champ. However, when I ran it from Terminal to test it, I keep getting the following errors after it finishes running - regardless of which button I click on:
./passwordnag.sh: line 80: syntax error near unexpected token `fi'
./passwordnag.sh: line 80: `fi'
Unfortunately my script debugging skills suck for things like this.
Posted on 05-09-2018 04:05 AM
Pop a # in front of the elif on line 78 to comment it out.
It doesn't do anything and is there for a time in the future when I want to have logs to prove to users that "Yes, you did in fact get told your password was expiring, but you clicked ignore 14 times".
I've updated the GitHub repo to add the extra #.
Posted on 05-09-2018 07:55 AM
@Aaron Could you share the rest of your password reset script? The error handling looks great! I would like to see the whole script, as we would like to be able to not use the users preferences pane as well.
Thanks,
Randy
Posted on 05-09-2018 04:11 PM
I must be doing something wrong.
I tried the script but I get an obscene number: "Your password is due to expire in -152420 Days."
What am I doing wrong?
Disclaimer: I have very limited experience with bash/bash scripting.
Posted on 05-10-2018 05:54 AM
@ladiesman1150 You are probably running the script while logged in as a non-AD user. I get that same thing when I run it as the local admin account. That's because there is no expiration on local accounts (in normal situations).
@Stuey do you think there's a way to exclude local accounts? Like if the UID is less than 1000?
Posted on 05-10-2018 12:09 PM
@ladiesman1150 if you run it on a local account it won’t work. AD accounts and AD Bound machines only.
@AVmcclint totally possible. I’ll look at adding that logic this morning. (I’m in Australia)
Posted on 05-10-2018 03:23 PM
@ladiesman1150 @AVmcclint Local Account Logic now Added. Changes pushed to GitHub repo.
Script will Echo "Not a Network User Account. Exiting." to console if UID < 1000
Hope that helps
Posted on 05-10-2018 03:25 PM
@Aaron I might look at adding that in a later iteration. It's more about solving some problems in my last 2 weeks in this role. HAHA.
I may tinker further in future to make it work with CocoaDialog or even Pashua.
Posted on 05-10-2018 03:32 PM
This is what makes Jamf Nation so awesome! Thanks for posting.
Posted on 05-10-2018 04:05 PM
@Stuey My account is an AD account.
Posted on 05-10-2018 05:25 PM
Interesting... that indicates there might be an AD connection issue then. To get the negative number, dscl must be returning either 0 or failing to hit your Active Directory.
Have you confirmed that the Domain variable is set to your actual Active Directory Domain?
You can get it from the "Login Options" pane of System Preferences -> Users & Groups, it'll be next to the "Network Account Server" field at the bottom. (Not pictured here because I'm running on an experimental, non AD Bound machine)
Posted on 05-10-2018 06:09 PM
I've added some Error Checking to the section that requires AD.
This also has the benefit of being able to alert you/Users if their AD Bind is busted.
Re-clone the Github repo for the latest changes.
Posted on 05-11-2018 03:48 AM
@ladiesman1150 is the path to your Active Directory users the same as in the script? Mine is /Active Directory/MYCOMPANY/All Domains/Users
If you run dscl in Terminal and navigate the tree, does yours match up? If your path to Users is different, then you may need to modify that line in the script to match.
Posted on 05-13-2018 03:41 PM
I've updated the script to AutoDetect the domain shortname. This should help.
There MAY be a need to change the dscl lookup path in the script. I'm looking at scripting that a little more.
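The negative day counts, the local-account skip and the domain auto-detection discussed above all come down to how the expiry value from dscl is handled. As an added example (not code from the PasswordChecker repo), the helper below converts that value and refuses the empty/zero results that produce the huge negative figures; it assumes the attribute msDS-UserPasswordExpiryTimeComputed (a Windows FILETIME) is readable through the node name that scutil reports on a bound machine.

```bash
#!/bin/bash
# Added example, not the PasswordChecker script. Assumes an AD-bound Mac where
# scutil reports "NodeName : /Active Directory/DOMAIN" and dscl can read
# msDS-UserPasswordExpiryTimeComputed (100 ns ticks since 1601-01-01 UTC).
NOTIFY_DAYS=14              # nag when fewer days than this remain
EPOCH_DIFF=11644473600      # seconds from 1601-01-01 to 1970-01-01

# filetime_to_days_left FILETIME NOW_EPOCH -> prints whole days until expiry.
# Returns 1 for an empty, zero or non-numeric value (what a local account or a
# broken bind yields). A zero FILETIME is the year 1601, which is where a
# six-digit negative "days" figure like the one in this thread comes from.
filetime_to_days_left() {
    local ft="$1" now="$2"
    case "$ft" in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    local expiry=$(( ft / 10000000 - EPOCH_DIFF ))
    echo $(( (expiry - now) / 86400 ))
}

# lookup_expiry_days USERNAME -> prints days left, or returns non-zero with the
# reason on stderr. Skips local accounts (UID < 1000) and treats an unreadable
# attribute as a bind problem instead of a number.
lookup_expiry_days() {
    local user="$1" uid node raw
    uid=$(id -u "$user" 2>/dev/null) || return 2
    if [ "$uid" -lt 1000 ]; then
        echo "Not a Network User Account. Exiting." >&2
        return 2
    fi
    node=$(echo show com.apple.opendirectoryd.ActiveDirectory | scutil |
           awk -F' : ' '/NodeName/ {print $2}')
    [ -n "$node" ] || { echo "Check the AD Bindings (not bound)." >&2; return 3; }
    raw=$(dscl "$node/All Domains" -read "/Users/$user" \
              msDS-UserPasswordExpiryTimeComputed 2>/dev/null | awk 'NR==1 {print $2}')
    filetime_to_days_left "$raw" "$(date +%s)" ||
        { echo "Check the AD Bindings (no expiry value for $user)." >&2; return 3; }
}

main() {
    local days
    days=$(lookup_expiry_days "$(stat -f%Su /dev/console)") || return $?
    if [ "$days" -lt "$NOTIFY_DAYS" ]; then
        echo "Your password is due to expire in $days days."   # jamfHelper call goes here
    fi
}

# dscl/scutil exist only on macOS; filetime_to_days_left is usable anywhere
if [ "$(uname)" = Darwin ]; then main; fi
```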
Posted on 09-14-2018 12:42 PM
disregard
Posted on 02-08-2019 10:56 AM
Good stuff. I trimmed it at the user interface line and made an EA out of it to scope to people with upcoming passwords. Also helped when finding people who recently changed their password to see if they are still having the 10.14 FV not syncing the current password issue.
Posted on 03-11-2019 08:04 AM
Thanks, works good for me!!
Posted on 01-23-2020 12:16 PM
This looks like something I would totally love to use, only question is how do you add the logo to every machine in the fleet?
Otherwise I would need to remove the logopath variable to only show text, correct?
Posted on 01-26-2020 11:32 PM
@JarvisUno
"...how do you add the logo to every machine in the fleet?"
Create a package with the logo and push it out.
Regards.
Posted on 01-27-2020 06:07 AM
@Mauricio Thanks, that was a HUGE help, I figured it out on the same day.
Thanks.
Posted on 12-03-2020 05:46 AM
Been utilizing this and it works great, but recently with sending everyone to work from home I've had to disable it as it was erroring every day with "Check the AD Bindings".
Is there a way to add a skip if the computer is not connected to our VPN?
Posted on 12-03-2020 11:28 PM
@josephfthompson3 a quick check would be a ping to the domain server. Following hkabik's script, you could add this at the beginning of your script.
# Forest name as recorded by opendirectoryd for the current AD bind
DomainForestName=$(echo show com.apple.opendirectoryd.ActiveDirectory | scutil | grep DomainForestName | awk '{print $3}')
# Single ping, quiet, exit on first reply (macOS ping -o)
if ping -o -q -c 1 "$DomainForestName" &> /dev/null; then
    echo "Can reach domain"
else
    echo "Cannot reach domain"
    exit 2
fi
Hope this helps.
Regards