login password expiry prompt

keywordkid
New Contributor

The Background: I'm an absolute newbie to everything Apple and Casper! We are on a new Casper setup running iMacs in a primarily Windows domain, I am a Computer Aided Design Manager with reasonable IT knowledge and background but all in Windows. We have had our Jumpstart and are gradually attempting to move users from Windows Bootcamp to Mac OS with Parallels.

The stumbling blocks are:
Annoying Password Expiry Prompt at every login - ours are set by policy to be changed every 28 days.

We also get problems with the 'keychain' passwords what is the best way of handling these?

Any advice will be most gratefully received.

8 REPLIES 8

brent_buckner
New Contributor

We, too, were running into some minor annoyances with the password expiration notice prompt at the login window. If you want to make adjustments as to when this notification appears, I'd recommend the following:

Create a policy with any trigger, executed once per computer. Scope it to the computers (I'm guessing all managed clients) where you want the change applied. Then, in the advanced tab, in the "Run Command:" field, type the following:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays -int x

Where x is equal to the number of days in advance you want the prompt to appear. Type 0 if you never want it to appear, or 5 for five days before password expiration, for example.

This will make a change using the "defaults" command, which is used to read and write specified plists, which host nearly all configurations/preference settings on your Mac client. Definitely read up on this.

In this case, we're not using MCX or a config profile, because there's not an option in the UI for the user the revert this setting, that I'm aware. Anyone correct me if this doesn't seem right.

As for your keychain woes, what are you specifically running into?

-Brent

Millertime
New Contributor III

Thanks Brent! That helped me out!

keywordkid
New Contributor

Thanks Brent,

Your password prompt suggestion looks successful from initial testing, Cheers!

As for the keychain; specifically it causes problems with proxy connection and particularly for myself and IT responders as it may be up to two or three password changes before we return to a particular machine and we can't continue unless we remember the previous used password. It is an inherited problem of our IT policy restricting passwords to a maximum of 28 days. I also get bombarded with various popups such as "quicklookconfig wants to use your confidential information stored in i.p. ....." I would have posted an image but I couldn't work out how :(

Mark

brent_buckner
New Contributor

It sounds like a tricky one, Mark.

If I'm not mistaken, it sounds that your proxy server isn't kerberized in a way that the Mac clients can utilize Kerberos for single-sign on.

The prompts that you're seeing are probably related to AuthBrokerAgent (a feature starting in Lion) trying to integrate the proxy as best as it can by saving your proxy credentials and allowing specific applications to use these credentials for the proxy.

If you open /Applications/Utilities/Keychain Access.app, and look in the login keychain, do you see a lot of items of the Kind "Internet password" with the IP of the proxy server?

Furthermore, are your Macs bound to Active Directory? Are you having trouble logging in at all when you don't remember the old password? Are users changing their password from a Windows-based client?

If your Macs are bound and connected to the corporate network, you should be able to login with the current password (as well as change your password from those clients), and when prompted by the Keychain, you should have the option to create a new login keychain (this would probably be best if proxy credentials are getting cached and not updated with the new passwords).

Let me know if this doesn't make sense - or if you're simply looking for an alternate solution.

Hope this helps!
Brent

keywordkid
New Contributor

Brent,

Thanks for the response.

In answer:

If you open /Applications/Utilities/Keychain Access.app, and look in the login keychain, do you see a lot of items of the Kind "Internet password" with the IP of the proxy server?

- Yes, this is the what I see.

Furthermore, are your Macs bound to Active Directory? Are you having trouble logging in at all when you don't remember the old password? Are users changing their password from a Windows-based client?

- Yes to both of these questions, infact the binding has been somewhat of an issue, we experience long delays in binding to the network in our satelite offices (which I am in one of) the login process cannot be started until the 'red dot' disengages to advise the network is connected, this takes up to 5 minutes.

I'm only partly following you as it is an area I'm not normally involved in but I have passed your comments on to my IT colleague for feedback, in response to your last we are open to any suggestions if there is a better alternative to the keychain issues we'd be up for trying it.

Mark.

brent_buckner
New Contributor

The issues that you're describing unfortunately haunt a lot Windows-based enterprise environments, from what I've encountered.

I hope my aforementioned tips are able to help your IT colleague diagnose some of the issues you're facing. As far as providing a cure, it can start to get very specific to your institution (i.e. how your proxy is setup, what firewall rules, dns, etc.), especially since you're working from satellite offices. Your best bet is probably to work closely with someone from IT (which it sounds like you're doing)

Maybe someone else here has some more advice.

Let me know if you have any other questions!
Brent

tlarkin
Honored Contributor

You can take a look at the pwpolicy binary. Not sure how much it will help your situation as I haven't really tested it thoroughly myself.

pwpolicy
Usage: pwpolicy [-h]
Usage: pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername]
                [-n nodename] command command-arg
Usage: pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername]
                [-n nodename] command "policy1=value1 policy2=value2 ..."

  -a       name of the authenticator
  -c       name of the computer account to modify
  -p       password (omit this option for a secure prompt)
  -u       name of the user account to modify
  -h       help
  -n       directory-node to search, uses search node by default
  -v       verbose

         -getglobalpolicy   Get global policies.
                            Specify a user if the password server
                            is not configured locally.
         -setglobalpolicy   Set global policies
               -getpolicy   Get policies for a user
   --get-effective-policy   Gets the combination of global and user policies that apply to the user.
               -setpolicy   Set policies for a user
         -setpolicyglobal   Set a user account to use global policies
             -setpassword   Set a new password for a user
              -enableuser   Enable a shadowhash user account that was disabled
                            by a password policy event.
      -getglobalhashtypes   Returns a list of password hashes stored on disk by default.
      -setglobalhashtypes   Edits the list of password hashes stored on disk by default.
            -gethashtypes   Returns a list of password hashes stored on disk for
                            a user account.
            -sethashtypes   Edits the list of password hashes stored on disk for
                            a user account.

If this ends up helpful please post back so others can benefit from it as well.

Thanks,
Tom

keywordkid
New Contributor

Tom

Can I clarify? - Your suggested solution is in reference to our keychain problems and not the password expiry prompt?

I guess I should have made separate posts for each to avoid any confusion!

Many thanks - Mark.