Posted on 06-06-2016 01:47 AM
Anyone care to help me out?
I am flabbergasted at the moment as I cannot seem to get a test working.
I am trying to test how the Mac is reacting to a password expiring.
So I have created a separate OU in our AD and added the computer and user to this group (have no idea which I needed so I added both).
Created a GPO with the password policy (among others, an expiry (max age) of 1 day for testing).
I can see the policy has been set (have also tested on a Windows machine) but when I check the password expiry date it is still set to Never... (the checkbox on the account is NOT set)
So I must be doing something wrong.
Hopefully there is someone who can help me understand this...
Thanks in advance!
Posted on 06-06-2016 05:30 AM
Ok,
So I have found a few things (my knowledge of Microsoft AD is really low :) )
With the second option you can create a different password policy and make it a higher priority..
That being said... I have now an active test policy. Next step is notification but I already found some useful scripts on jamfnation.
Posted on 06-06-2016 06:30 AM
Hi,
OS X will prompt the user that their password is expiring, and to actually change the password if necessary, all at the login window.
This works well if the devices have a connection to the domain controller at the login Window.
If they don't, it gets a bit more complex as the user is logging in to a cached account and doesn't actually "see" the domain controller until after they have authenticated.
Free tools like ADPassMon will help with this.
Posted on 06-06-2016 06:40 AM
@davidacland Hi,
I have read this but I have tested this and I do not get this notification. This is the reason why I am looking for a notification script.
Posted on 06-06-2016 06:46 AM
What is the network setup? Wireless or wired? 802.1X? Are you using cached / mobile accounts?
Posted on 06-06-2016 07:04 AM
@davidacland The machine is wired connected no 802.1x and we are using Mobile accounts.
Thanks for the help
Posted on 06-06-2016 09:13 AM
YMMV, but here is my experience with it: once you have your policy created, link it to the correct OU. It more than likely should be deployed to the OU with the computer objects (can vary depending how your OU structure is set up). Next, configure the security filtering for the policy to define who the policy gets applied to (open the Group Policy Management Console, left click the policy on the OU, go to the Scope tab). In most cases I've seen, it is scoped to 'Authenticated Users'. As far as the user accounts on the Mac itself, it seems to only pick up the policy for AD-authenticated users (doesn't work for local users). If you go to the user list, a user will be listed as 'Managed' if it is an AD user.
One of the problems I have encountered (and haven't been able to fix) with using this type of setup, if a person changes their password on the Mac (using the popup prompts), the password does not usually save up to AD. Obviously this causes problems with un-synced passwords and can be a deal-breaker in some environments.
Posted on 06-06-2016 10:18 AM
Apple Enterprise Connect app helped us solve the issue.
https://jamfnation.jamfsoftware.com/discussion.html?id=14930
Posted on 06-06-2016 12:44 PM
We have a password policy and one thing that happens when they reset the password on the iMac is they need to also change the keychain password after resetting the AD password, as it does not change the keychains. I usually have the users change the keychain also. If you don't, the login and a few other keychains pop up on login. Just something to keep in mind.
Posted on 06-06-2016 11:58 PM
Ok,
So I have managed to have a fine grained password policy active. I can see (with scripting) that my password is expiring. I do not see any apple notifications whatsoever....
So now I will create a script which will notify the user, once a day, about the expiring password. I shall make an action where the user is automatically redirected to the User Account PrefPane for changing his/her password.
I believe in that way the KeyChain password is also updated.
Will have to wait for test results :)
Posted on 06-07-2016 02:48 AM
@rblaas Are you on the macadmins.org Slack?
I would be very interested in seeing your script to see if I can add it to ADPassMon.
Posted on 06-07-2016 02:50 AM
@bentoms No I am not..
I can paste the script here. (Be aware that the script is not fully tested yet and still work in progress.)
Posted on 06-07-2016 03:38 AM
@rblaas To signup to Slack go to: http://macadmins.org.
There's a channel for ADPassMon, else paste it here or open an [issue for ADPassMon](https://github.com/macmule/ADPassMon/issues).
I'm curious as the detection when set via GPO is not in ADPassMon yet, so would like to see what you're doing with the goal to add it to ADPassMon.
Posted on 06-07-2016 03:53 AM
I am not sure if we understand each other..
ADPassMon works. But I want a different notification.
I want a notification which a user must read, as in make a choice whether to change the password or do it later.
So now I have done this via a bash script (found on jamfnation) and a CocoaDialog.
My next step is to see if I can extract the "msDS-UserPasswordExpiryTimeComputed" from the AD. This value, converted to UNIX format, is the exact expiry date for the password. I can extract this via a Windows (bleh) computer but I want this to be done on a Mac/Linux.
Here is my script so far.. (sorry for the Dutch messages)
```bash
#!/bin/bash
# Maximum password age (days) from the policy; days remaining = policy - days since last change
pwPolicy=7
# Console (logged-in) user; the script itself runs as root under Jamf, so $USER would be wrong
user=`/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'`
#lastpwdMS=`dscl localhost read /Local/Default/Users/$user | grep SMBPasswordLastSet | cut -d' ' -f 2`
# The dscl node path contains spaces and must be quoted; use $user, not $USER
lastpwdMS=`dscl "/Active Directory/MEDIADIRECTORY/All Domains" read "/Users/$user" pwdLastSet | /usr/bin/awk '/pwdLastSet:/{print $2}'`
todayUnix=`date "+%s"`
# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01; convert to Unix seconds
lastpwdUnix=`expr $lastpwdMS / 10000000 - 11644473600`
diffUnix=`expr $todayUnix - $lastpwdUnix`
diffdays=`expr $diffUnix / 86400`
daysremaining=`expr $pwPolicy - $diffdays`
CD="/Library/Application Support/JAMF/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# Show the dialog; CocoaDialog returns the number of the button that was clicked
function reminder {
    rv=`"$CD" msgbox --no-newline --text "Je inlog wachtwoord verloopt binnen $daysremaining dag(en)." \
        --informative-text "Wil je nu je wachtwoord wijzigen?" \
        --button1 "Wijzig Wachtwoord" \
        --button2 "Later"`
    if [ "$rv" == "1" ]; then
        open /System/Library/PreferencePanes/Accounts.prefPane
        echo "User Choose 'Wijzig Wachtwoord'"
        exit 0
    elif [ "$rv" == "2" ]; then
        echo "User Choose 'Later'"
        exit 0
    fi
}

if [[ "$daysremaining" -gt 14 ]]; then
    echo "Password expiration greater than 2 weeks"
    exit 0
elif [[ "$daysremaining" -lt 0 ]]; then
    echo "Password is expired!!"
    exit 0
elif [ "$daysremaining" -eq 14 ]; then
    reminder
elif [ "$daysremaining" -le 7 ]; then
    reminder
fi
```
Posted on 06-07-2016 04:31 AM
@rblaas Oh, sorry.. people had advised that settings password expiration via GPO was not working with ADPassMon.
But I have not been in an environment setup like that. So was interested in your script.
As for the ms-DS time computed, this is where ADPassMon grabs it.
Hope that helps.
Posted on 06-07-2016 05:50 AM
@bentoms Thanks for the tip!! Most valuable !!
Posted on 06-08-2016 06:09 AM
Ok,
So I have changed a few things in my script.
First I am checking in Active Directory what the expiry date is. This gives me some flexibility when there are multiple password policies.
So additionally I am checking if AD is accessible. If not, just exit.
When AD is accessible, check the date and give a notice if the change is in the near future. I chose at 14 days and every day from 7 days.
For what it's worth... here is my script: (there are some Dutch lines in it.. if you need help with them just ask)
!! Be aware that I used a customized icon in CocoaDialog. !!
```bash
#!/bin/bash
DATE=`date +"%Y%m%d"`
DATIME=`date +"%Y-%m-%d %H:%M:%S"`
DAY=`date +"%A"`
SCRIPT=`basename "${0}"`
CD="/Library/Application Support/JAMF/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"
DOMAIN="YOUR DOMAINNAME"
## Get logged in username
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
echo "[$SCRIPT] [$DATIME] Checking Password Expiry Date for ${loggedInUser}"
## Can we query Active Directory?
## dscl reports "is not valid" on stderr, so it must be redirected (2>&1) for the test below to see it.
## The node path contains spaces and must be quoted.
echo "[$SCRIPT] [$DATIME] Checking Active Directory Connectivity"
domainAns=`dscl "/Active Directory/${DOMAIN}/All Domains" -read "/Users/${loggedInUser}" dsAttrTypeNative:userPrincipalName 2>&1`
if [[ $domainAns =~ "is not valid" ]]; then
    echo "[$SCRIPT] [$DATIME] Active Directory not Accessible. Exiting..."
    exit 1
else
    echo "[$SCRIPT] [$DATIME] Active Directory Accessible"
fi
## Get Expiry date (Windows FILETIME: 100-nanosecond ticks since 1601-01-01) from logged in User
PassExpiryDateWindows=`dscl "/Active Directory/${DOMAIN}/All Domains" read "/Users/${loggedInUser}" msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`
PassExpiryDateUnix=`expr $PassExpiryDateWindows / 10000000 - 11644473600`
## Convert Unix date to Readable date
PassExpiryDate=`date -r $PassExpiryDateUnix +"%d %B %Y %H:%M"`
echo "[$SCRIPT] [$DATIME] Password Expiry Date = ${PassExpiryDate}"
## Get Today in Unix
TodayUnix=`date "+%s"`
## Calculate difference between PassExpiry and Today Dates (in Unix format)
DiffUnix=`expr $PassExpiryDateUnix - $TodayUnix`
## Convert Difference in days
DiffDays=`expr $DiffUnix / 86400`
echo "[$SCRIPT] [$DATIME] ${DiffDays} days until password expiry."

## Show the dialog; CocoaDialog returns the number of the button that was clicked
function reminder {
    rv=`"$CD" msgbox --no-newline --text "Je inlog wachtwoord verloopt op: $PassExpiryDate" \
        --title "Wachtwoord verloopt over ${DiffDays} dag(en)." \
        --informative-text "Wil je nu je wachtwoord wijzigen?" \
        --icon "keychain" \
        --button1 "Wijzig Wachtwoord" \
        --button2 "Later"`
    if [ "$rv" == "1" ]; then
        open /System/Library/PreferencePanes/Accounts.prefPane
        echo "[$SCRIPT] [$DATIME] User Chose 'Wijzig Wachtwoord'"
        exit 0
    elif [ "$rv" == "2" ]; then
        echo "[$SCRIPT] [$DATIME] User Chose 'Later'"
        exit 0
    fi
}

if [[ "$DiffDays" -gt 14 ]]; then
    echo "Password expiration greater than 2 weeks"
    exit 0
elif [[ "$DiffDays" -le 0 ]]; then
    echo "Password is expired!!"
    exit 0
elif [ "$DiffDays" -eq 14 ]; then
    reminder
elif [ "$DiffDays" -le 7 ]; then
    reminder
fi
```
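Both scripts in this thread hinge on the same two steps: turning the Windows FILETIME that dscl returns for pwdLastSet or msDS-UserPasswordExpiryTimeComputed into a Unix epoch, and mapping the days remaining onto a reminder tier. The block below is an added example written for this thread, not rblaas's script or part of ADPassMon; it works on a dscl output line passed in as text, so it runs without a domain, and it also handles the two cases the scripts do not: the INT64_MAX sentinel AD returns when the password never expires (the "Never" seen in the first post), and the error text dscl prints when the directory is unreachable. The sample line, the expiry date and the "now" timestamp are constructed; the thresholds mirror the second script (notify at 14 days, then every day from 7 days).

```bash
#!/bin/bash
# Added example (not from the thread). Parses a dscl attribute line, converts the
# FILETIME and classifies how urgent a password-expiry reminder is.

# FILETIME = 100-nanosecond ticks since 1601-01-01. This is the offset, in
# seconds, between that epoch and the Unix epoch (1970-01-01).
EPOCH_DIFF=11644473600
# AD returns INT64_MAX for msDS-UserPasswordExpiryTimeComputed when no maximum
# password age applies, i.e. the password never expires.
NEVER_EXPIRES=9223372036854775807

# Last field of a dscl "attribute: value" line; works for both the plain and the
# dsAttrTypeNative:-prefixed attribute name.
dscl_value() {
  printf '%s\n' "$1" | awk 'NF { print $NF }'
}

# Convert a FILETIME to Unix seconds. Prints "never" for the sentinel and fails
# (returns 1) when the value is empty, zero or not a number, which means the
# attribute was missing, unset or dscl printed an error instead of a value.
# Callers must not treat that failure as "expired".
filetime_to_unix() {
  ft="$1"
  case "$ft" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$ft" = "0" ]; then
    return 1
  fi
  if [ "$ft" = "$NEVER_EXPIRES" ]; then
    echo "never"
    return 0
  fi
  # Shell arithmetic is 64-bit here; expr is not guaranteed to be.
  echo $(( ft / 10000000 - EPOCH_DIFF ))
}

# Whole days from "now" to expiry, truncated toward zero like the scripts above.
days_until() {
  expiry="$1"; now="$2"
  if [ "$expiry" = "never" ]; then
    echo "never"
    return 0
  fi
  echo $(( (expiry - now) / 86400 ))
}

# Reminder tier: never / expired / remind / ok. "remind" is exactly the
# condition under which the second script shows its CocoaDialog box.
reminder_tier() {
  days="$1"
  if [ "$days" = "never" ]; then
    echo "never"
  elif [ "$days" -le 0 ]; then
    echo "expired"
  elif [ "$days" -le 7 ] || [ "$days" -eq 14 ]; then
    echo "remind"
  else
    echo "ok"
  fi
}

# Whole pipeline for one dscl output line. In a real script the line comes from
#   dscl "/Active Directory/$DOMAIN/All Domains" -read "/Users/$user" \
#       msDS-UserPasswordExpiryTimeComputed 2>&1
# The 2>&1 matters: dscl writes "is not valid" to stderr, so without it the
# error text never reaches the variable and the connectivity check is bypassed.
check_line() {
  line="$1"; now="$2"
  raw=$(dscl_value "$line")
  expiry=$(filetime_to_unix "$raw") || { echo "unknown"; return 0; }
  reminder_tier "$(days_until "$expiry" "$now")"
}

# Constructed sample: expiry 2016-06-21 00:00 UTC, "now" 2016-06-07 12:00 UTC.
SAMPLE_LINE='dsAttrTypeNative:msDS-UserPasswordExpiryTimeComputed: 131109408000000000'
SAMPLE_NOW=1465300800
echo "expiry (unix): $(filetime_to_unix "$(dscl_value "$SAMPLE_LINE")")"
echo "tier: $(check_line "$SAMPLE_LINE" "$SAMPLE_NOW")"
```

The "unknown" result is deliberately distinct from "expired": a script that runs as a daily Jamf policy will sometimes execute with no domain controller in reach, and in that case the right action is to exit quietly, as the second script does, rather than tell the user their password has lapsed.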
Posted on 12-06-2017 05:54 AM
Is this still working in Sierra and HS?