I made a thing! Script to check Active Directory Password Expiry and Launch JamfHelper Prompt user to change

Stuey
New Contributor III

Hey all,

I made a BASH Script to check when a user's AD Password is going to expire (AD Bound machines only) and prompt the user to change if it's less than a number.

Check it out: https://github.com/DJStuey/PasswordChecker

Feedback Welcome

BASH script in JSS, triggered with Policy to launch Once per day on Recurring Checkin. JamfHelper window only pops up when the Expiry is less than the Notify Variable.

Hope this helps someone!
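The arithmetic behind a check like this, as an added example that is not code from the PasswordChecker repo or from anyone in this thread. It assumes the expiry is read from AD's msDS-UserPasswordExpiryTimeComputed attribute, which is a Windows FILETIME (100-nanosecond ticks since 1601); the AD node path, the dscl output shape and the sample values are constructed. The pure functions run anywhere, the live wrapper only on an AD-bound Mac. The guards show why an empty dscl result turns into a huge negative "days until expiry" and why local accounts (UID below 1000) should be skipped rather than evaluated.

```bash
#!/bin/bash
# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_EPOCH_OFFSET=11644473600

# Convert a Windows FILETIME to Unix epoch seconds.
# Empty, non-numeric and zero inputs are rejected: a 0 FILETIME converts to
# the year 1601 and yields a six-digit negative day count, which is exactly
# what a failed dscl lookup (not bound, no domain reachable) looks like.
filetime_to_epoch() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] || return 1
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# Whole days from "now" ($2, Unix epoch seconds) until the expiry FILETIME ($1).
# Fails instead of printing a bogus number when the FILETIME is unusable.
days_until_expiry() {
    local expiry
    expiry=$(filetime_to_epoch "$1") || return 1
    echo $(( (expiry - $2) / 86400 ))
}

# macOS creates local accounts with UIDs below 1000; directory accounts get
# larger UIDs. Succeeds when the UID looks like a network account.
is_network_user() {
    [ "$1" -ge 1000 ]
}

# Whether the jamfHelper prompt should fire: $1 = days until expiry,
# $2 = notify threshold in days. Expired (negative) passwords also notify.
should_notify() {
    [ "$1" -le "$2" ]
}

# Live wrapper for an AD-bound Mac. The default AD node "CORP" is a
# hypothetical placeholder; pass your own node as the second argument.
expiry_days_for_user() {
    local user="$1" ad_node="${2:-/Active Directory/CORP/All Domains}" filetime
    filetime=$(dscl "$ad_node" -read "/Users/$user" msDS-UserPasswordExpiryTimeComputed 2>/dev/null \
               | awk 'NF > 1 { print $2 }')
    days_until_expiry "$filetime" "$(date +%s)"
}

# Stand-alone run: skip local accounts, then evaluate the logged-in user.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && [ -n "$ENABLE_LIVE_CHECK" ]; then
    uid=$(id -u)
    if ! is_network_user "$uid"; then
        echo "Not a Network User Account. Exiting."
    elif days=$(expiry_days_for_user "$(id -un)"); then
        should_notify "$days" 14 && echo "Your password is due to expire in $days days."
    else
        echo "Could not read password expiry. Check the AD binding."
    fi
fi
```

Set ENABLE_LIVE_CHECK=1 when running it on a bound Mac; sourcing the file just defines the functions. The sample FILETIME used in the tests, 132223104000000000, is 2020-01-01T00:00:00Z.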


Aaron
Contributor II

This is very similar to something I created a while ago, although I notice that this script simply directs the users to the accounts preferences pane, which I disable for users.

The code I use for this bit goes:

...blahblahblah...
result=$(dscl "${SEARCHPATH}" passwd "/Users/${USER}" "${CURPASSWORD}" "${NEWPASSWORD}")
result=$(echo "${result}" | awk '{ print $4 }')
#result=""
#eDSAuthFailed
#eDSAuthMethodNotSupported
#eDSAuthPasswordQualityCheckFailed
if [ "$result" == "eDSAuthPasswordQualityCheckFailed" ]; then
    osascript -e 'Tell application "System Events" to display alert "(eDSAuthPasswordQualityCheckFailed):
New password has failed complexity requirements. It is most likely that your password had already been changed in the past 5 days, or is the same as one of your previous 24 passwords." as warning'
    exit 1
elif [ "$result" == "eDSAuthMethodNotSupported" ] || [ "$result" == "eDSAuthFailed" ]; then
    osascript -e 'Tell application "System Events" to display alert "('$result'):
Failed validation. It is most likely that you entered your current password incorrectly, or you are not logged in with your Petermac account." as warning'
    exit 1
elif [ "$result" != "" ]; then
    osascript -e 'Tell application "System Events" to display alert "('$result'):
Unhandled error. Please contact IT Helpdesk." as warning'
    exit 1
fi

It could probably do with some tweaking, but if you wanted to keep everything to one script this would be the way.

AVmcclint
Honored Contributor

@Stuey I like it! I tried it out on my system and it works like a champ. However, when I ran it from Terminal to test it, I kept getting the following errors after it finished running - regardless of which button I clicked on:

./passwordnag.sh: line 80: syntax error near unexpected token `fi'
./passwordnag.sh: line 80: `fi'

Unfortunately my script debugging skills suck for things like this.

Stuey
New Contributor III

Pop a # in front of the elif on line 78 to comment it out.

It doesn't do anything and is there for a time in the future where I want to have logs to prove to Users that "Yes, you did in fact get told your password was expiring, but you clicked ignore 14 times".

I've updated the Github repo to add the extra #

rbean
New Contributor III

@Aaron Could you share the rest of your password reset script? The error handling looks great! I would like to see the whole script, as we would like to be able to not use the users preferences pane as well.

Thanks,
Randy

upworkadmin
New Contributor

I must be doing something wrong.

I tried the script but I get an obscene number: "Your password is due to expire in -152420 Days."

What am I doing wrong?

Disclaimer: I have very limited experience with bash/bash scripting.

AVmcclint
Honored Contributor

@ladiesman1150 You are probably running the script while logged in as a non-AD user. I get that same thing when I run it as the local admin account. That's because there is no expiration on local accounts (in normal situations).

@Stuey do you think there's a way to exclude local accounts? Like if the UID is less than 1000?

Stuey
New Contributor III

@ladiesman1150 if you run it on a local account it won’t work. AD accounts and AD Bound machines only.

@AVmcclint totally possible. I’ll look at adding that logic this morning. (I’m in Australia)

Stuey
New Contributor III

@ladiesman1150 @AVmcclint Local Account Logic now Added. Changes pushed to GitHub repo.

Script will Echo "Not a Network User Account. Exiting." to console if UID < 1000

Hope that helps

Stuey
New Contributor III

@Aaron I might look at adding that in a later iteration. It's more about solving some problems in my last 2 weeks in this role. HAHA.

I may tinker further in future to make it work with CocoaDialog or even Pashua.

howie_isaacks
Valued Contributor II

This is what makes Jamf Nation so awesome! Thanks for posting.

upworkadmin
New Contributor

@Stuey My account is an ad account.

Stuey
New Contributor III

Interesting... that indicates there might be an AD Connection issue then. To get the negative number, dscl must be returning either 0 or failing to hit your Active Directory.

Have you confirmed that the Domain variable is set to your actual Active Directory Domain?
You can get it from the "Login Options" pane of System Preferences -> Users & Groups, it'll be next to the "Network Account Server" field at the bottom. (Not pictured here because I'm running on an experimental, non AD Bound machine)


Stuey
New Contributor III

I've added some Error Checking to the section that requires AD.
This also has the benefit of being able to alert you/Users if their AD Bind is busted.

Re-clone the Github repo for the latest changes.


AVmcclint
Honored Contributor

@ladiesman1150 is the path to your Active Directory users the same as in the script? Mine is /Active Directory/MYCOMPANY/All Domains/Users. If you run dscl in Terminal and navigate the tree, does yours match up? If your path to Users is different, then you may need to modify that line in the script to match.

Stuey
New Contributor III

I've updated the script to AutoDetect the domain shortname. This should help.
There MAY be a need to change the dscl lookup path in the script. I'm looking at scripting that a little more.
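One way to derive both the dscl lookup path and the domain short name from the Mac's own directory search path, as an added example (not the repo's code and not the method Stuey used). It assumes the node shows up in the output of `dscl /Search -read / CSPSearchPath` as "/Active Directory/<SHORTNAME>/All Domains"; the listing below is a constructed sample and the domain CORP is hypothetical. Parsing is separated from the live dscl call so the parser can be exercised without a bound machine.

```bash
#!/bin/bash
# Constructed sample of `dscl /Search -read / CSPSearchPath` on an AD-bound
# Mac with a hypothetical domain "CORP"; not captured from a real machine.
SAMPLE_CSPSEARCHPATH='CSPSearchPath:
 /Local/Default
 /Active Directory/CORP/All Domains'

# Print the first Active Directory node in a CSPSearchPath listing, e.g.
# "/Active Directory/CORP/All Domains". Fails when there is none, which is
# the "not bound / bind is busted" case the script should report rather
# than continue with a guessed path.
ad_node_from_searchpath() {
    local node
    node=$(printf '%s\n' "$1" \
           | sed -n 's#^[[:space:]]*\(/Active Directory/.*\)$#\1#p' \
           | head -n 1)
    [ -n "$node" ] || return 1
    printf '%s\n' "$node"
}

# Extract the domain short name (second path component) from an AD node path:
# "/Active Directory/CORP/All Domains" -> "CORP".
ad_shortname_from_node() {
    local short
    short=$(printf '%s\n' "$1" | awk -F/ '$2 == "Active Directory" { print $3 }')
    [ -n "$short" ] || return 1
    printf '%s\n' "$short"
}

# The user record path to feed dscl for a given node and account.
ad_user_record_path() {
    printf '%s/Users/%s\n' "$1" "$2"
}

# Live detection (macOS only): read the real search path and parse it.
ad_node_live() {
    ad_node_from_searchpath "$(dscl /Search -read / CSPSearchPath 2>/dev/null)"
}
```

On a bound Mac, `node=$(ad_node_live) || { echo "Check the AD binding"; exit 1; }` gives you the path to pass to dscl, and `ad_shortname_from_node "$node"` the short name for log messages or a jamfHelper title.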

upworkadmin
New Contributor

disregard

swapple
Contributor III

Good stuff. I trimmed it at the user interface line and made an EA out of it to scope to people with upcoming password expiries. Also helped when finding people who recently changed their password to see if they are still having the 10.14 FV not syncing the current password issue.

Itzik_Moshaof
New Contributor

Thanks, works good for me!!

Heavy_D
Contributor III

This looks like something I would totally love to use, only question is how do you add the logo to every machine in the fleet?

Otherwise I would need to remove the logopath variable to only show text correct?

Mauricio
Contributor III

@JarvisUno "...how do you add the logo to every machine in the fleet?"
Create a package with the logo and push it out.
Regards.

Heavy_D
Contributor III

@Mauricio Thanks, that was a HUGE help, I figured it out on the same day.

Thanks.

josephfthompson
New Contributor

Been utilizing this and it works great, but recently, with sending everyone to work from home, I've had to disable it as it was erroring every day with "Check the AD Bindings".
Is there a way to add a skip if the computer is not connected to our VPN?

Mauricio
Contributor III

@josephfthompson3 a quick check would be a ping to the domain server. Following hkabik's script, you could add this at the beginning of your script.

# Forest name of the bound AD domain, read from opendirectoryd's runtime state
DomainForestName=$(echo show com.apple.opendirectoryd.ActiveDirectory | scutil | grep DomainForestName | awk '{print $3}')

# One quiet ping, returning on the first reply (-o is macOS ping); if it fails
# the Mac is off the corporate network / VPN, so bail before any AD lookups
if ping -o -q -c 1 "$DomainForestName" &> /dev/null; then
  echo "Can reach domain"
else
  echo "Cannot reach domain"
  exit 2
fi

Hope this helps.
Regards