Ok,
So I have found a few things (my knowledge of Microsoft AD is really low :) )
- You can only have 1 password policy per domain.
- There is something called "fine grained password policies"
With the second option you can create a different password policy and give it a higher priority.
That being said, I now have an active test policy.
Next step is notification but I already found some useful scripts on jamfnation.
Hi,
OS X will prompt the user that their password is expiring, and to actually change the password if necessary, all at the login window.
This works well if the devices have a connection to the domain controller at the login window.
If they don't, it gets a bit more complex as the user is logging in to a cached account and doesn't actually "see" the domain controller until after they have authenticated.
Free tools like ADPassMon will help with this.
@davidacland
Hi,
I have read this but I have tested this and I do not get this notification.
This is the reason why I am looking for a notification script.
What is the network setup? Wireless or wired? 802.1X? Are you using cached / mobile accounts?
@davidacland
The machine is wired (no 802.1X) and we are using mobile accounts.
Thanks for the help
YMMV, but here is my experience with it: once you have your policy created, link it to the correct OU. It more than likely should be deployed to the OU with the computer objects (can vary depending how your OU structure is set up). Next, configure the security filtering for the policy to define who the policy gets applied to (open the Group Policy Management Console, left click the policy on the OU, go to the Scope tab). In most cases I've seen, it is scoped to 'Authenticated Users'. As far as the user accounts on the Mac itself, it seems to only pick up the policy for AD-authenticated users (doesn't work for local users). If you go to the user list, a user will be listed as 'Managed' if it is an AD user.
One of the problems I have encountered (and haven't been able to fix) with this type of setup: if a person changes their password on the Mac (using the popup prompts), the password does not usually save up to AD. Obviously this causes problems with un-synced passwords and can be a deal-breaker in some environments.
Apple Enterprise Connect app helped us solve the issue.
https://jamfnation.jamfsoftware.com/discussion.html?id=14930
We have a password policy, and one thing that happens when they reset the password on the iMac is that they also need to change the keychain password after resetting the AD password, as it does not change the keychains. I usually have the users change the keychain too. If you don't, the login and a few other keychains pop up on login. Just something to keep in mind.
Ok,
So I have managed to have a fine grained password policy active. I can see (with scripting) that my password is expiring.
I do not see any Apple notifications whatsoever.
So now I will create a script which will notify the user, once a day, about the expiring password. I shall make an action where the user is automatically redirected to the User Account PrefPane for changing his/her password.
I believe that way the Keychain password is also updated.
Will have to wait for test results :)
@rblaas Are you on the macadmins.org Slack?
I would be very interested in seeing your script to see if I can add it to ADPassMon.
@bentoms
No, I am not.
I can paste the script here (be aware that the script is not fully tested yet and still a work in progress).
@rblaas To sign up to Slack go to: http://macadmins.org.
There's a channel for ADPassMon, else paste it here or open an [issue for ADPassMon](https://github.com/macmule/ADPassMon/issues).
I'm curious as the detection when set via GPO is not in ADPassMon yet, so would like to see what you're doing with the goal to add it to ADPassMon.
@bentoms
I am not sure if we understand each other.
ADPassMon works. But I want a different notification.
I want a notification which a user must read, as in make a choice whether to change the password or do it later.
So now I have done this via a bash script (found on jamfnation) and CocoaDialog.
My next step is to see if I can extract "msDS-UserPasswordExpiryTimeComputed" from AD. This value, converted to UNIX format, is the exact expiry date for the password. I can extract this via a Windows (bleh) computer but I want this to be done on a Mac/Linux.
Here is my script so far (sorry for the Dutch messages):
```bash
#!/bin/bash
# Password age policy in days (hard-coded; the later version reads the expiry date from AD instead)
pwPolicy=7
# User currently logged in at the console
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01
lastpwdMS=$(dscl "/Active Directory/MEDIADIRECTORY/All Domains" -read "/Users/$user" pwdLastSet | /usr/bin/awk '/pwdLastSet:/{print $2}')
todayUnix=$(date "+%s")
# Convert FILETIME to Unix epoch seconds (11644473600 seconds between 1601 and 1970)
lastpwdUnix=$(expr "$lastpwdMS" / 10000000 - 11644473600)
diffUnix=$(expr "$todayUnix" - "$lastpwdUnix")
diffdays=$(expr "$diffUnix" / 86400)
daysremaining=$(expr "$pwPolicy" - "$diffdays")
CD="/Library/Application Support/JAMF/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# Show the dialog; button 1 opens the Users & Groups pane so the user can change the password
function reminder {
    rv=$("$CD" msgbox --no-newline --text "Je inlog wachtwoord verloopt binnen $daysremaining dag(en)." \
        --informative-text "Wil je nu je wachtwoord wijzigen?" \
        --button1 "Wijzig Wachtwoord" \
        --button2 "Later")
    if [ "$rv" == "1" ]; then
        open /System/Library/PreferencePanes/Accounts.prefPane
        echo "User chose 'Wijzig Wachtwoord'"
        exit 0
    elif [ "$rv" == "2" ]; then
        echo "User chose 'Later'"
        exit 0
    fi
}

# Remind at exactly 14 days and every day from 7 days onward
if [[ "$daysremaining" -gt 14 ]]; then
    echo "Password expiration greater than 2 weeks"
    exit 0
elif [[ "$daysremaining" -lt 0 ]]; then
    echo "Password is expired!!"
    exit 0
elif [ "$daysremaining" -eq 14 ]; then
    reminder
elif [ "$daysremaining" -le 7 ]; then
    reminder
fi
```
@rblaas Oh, sorry, people had advised that setting password expiration via GPO was not working with ADPassMon.
But I have not been in an environment setup like that. So was interested in your script.
As for the ms-DS time computed, this is where ADPassMon grabs it.
Hope that helps.
@bentoms
Thanks for the tip!! Most valuable!!
Ok,
So I have changed a few things in my script.
First I am checking in Active Directory what the expiry date is. This gives me some flexibility when there are multiple password policies.
So additionally I am checking if AD is accessible. If not, just exit.
When AD is accessible, check the date and give a notice if the change is in the near future. I chose at 14 days and every day from 7 days.
For what it's worth, here is my script (there are some Dutch lines in it; if you need help with them just ask):
!! Be aware that I used a customized Icon in CocoaDialog. !!
```bash
#!/bin/bash
DATE=$(date +"%Y%m%d")
DATIME=$(date +"%Y-%m-%d %H:%M:%S")
DAY=$(date +"%A")
SCRIPT=$(basename "${0}")
CD="/Library/Application Support/JAMF/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"
# Domain name as it appears under /Active Directory/ in dscl
DOMAIN="YOUR DOMAINNAME"
# The owner of /dev/console is the user logged in at the GUI
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
echo "[$SCRIPT] [$DATIME] Checking Password Expiry Date for ${loggedInUser}"
echo "[$SCRIPT] [$DATIME] Checking Active Directory Connectivity"
# dscl prints its "is not valid" error on stderr, so merge stderr into the captured output
domainAns=$(dscl "/Active Directory/${DOMAIN}/All Domains" -read "/Users/${loggedInUser}" dsAttrTypeNative:userPrincipalName 2>&1)
if [[ $domainAns =~ "is not valid" ]]; then
    echo "[$SCRIPT] [$DATIME] Active Directory not Accessible. Exiting..."
    exit 1
else
    echo "[$SCRIPT] [$DATIME] Active Directory Accessible"
fi
# msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME (100-nanosecond intervals since 1601-01-01),
# computed by the DC from whichever policy applies to this user (fine-grained or domain default)
PassExpiryDateWindows=$(dscl "/Active Directory/${DOMAIN}/All Domains" -read "/Users/${loggedInUser}" msDS-UserPasswordExpiryTimeComputed | awk '{print $2}')
if ! [[ $PassExpiryDateWindows =~ ^[0-9]+$ ]]; then
    echo "[$SCRIPT] [$DATIME] Could not read password expiry date from Active Directory. Exiting..."
    exit 1
fi
# 0x7FFFFFFFFFFFFFFF means the password never expires; converting it would give a date far beyond what date -r accepts
if [ "$PassExpiryDateWindows" = "9223372036854775807" ]; then
    echo "[$SCRIPT] [$DATIME] Password never expires. Exiting..."
    exit 0
fi
# Convert FILETIME to Unix epoch seconds (11644473600 seconds between 1601 and 1970)
PassExpiryDateUnix=$(expr "$PassExpiryDateWindows" / 10000000 - 11644473600)
PassExpiryDate=$(date -r "$PassExpiryDateUnix" +"%d %B %Y %H:%M")
echo "[$SCRIPT] [$DATIME] Password Expiry Date = ${PassExpiryDate}"
TodayUnix=$(date "+%s")
DiffUnix=$(expr "$PassExpiryDateUnix" - "$TodayUnix")
DiffDays=$(expr "$DiffUnix" / 86400)
echo "[$SCRIPT] [$DATIME] ${DiffDays} days until password expiry."

# Show the dialog; button 1 opens the Users & Groups pane so the user can change the password
function reminder {
    rv=$("$CD" msgbox --no-newline --text "Je inlog wachtwoord verloopt op: $PassExpiryDate" \
        --title "Wachtwoord verloopt over ${DiffDays} dag(en)." \
        --informative-text "Wil je nu je wachtwoord wijzigen?" \
        --icon "keychain" \
        --button1 "Wijzig Wachtwoord" \
        --button2 "Later")
    if [ "$rv" == "1" ]; then
        open /System/Library/PreferencePanes/Accounts.prefPane
        echo "[$SCRIPT] [$DATIME] User Chose 'Wijzig Wachtwoord'"
        exit 0
    elif [ "$rv" == "2" ]; then
        echo "[$SCRIPT] [$DATIME] User Chose 'Later'"
        exit 0
    fi
}

# Remind at exactly 14 days and every day from 7 days onward.
# DiffDays is truncated, so 0 means "expires within the next 24 hours" and still gets a reminder.
if [[ "$DiffDays" -gt 14 ]]; then
    echo "Password expiration greater than 2 weeks"
    exit 0
elif [[ "$DiffDays" -lt 0 ]]; then
    echo "Password is expired!!"
    exit 0
elif [ "$DiffDays" -eq 14 ]; then
    reminder
elif [ "$DiffDays" -le 7 ]; then
    reminder
fi
```
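The FILETIME conversion that both scripts in this thread do inline with `expr` (the msDS-UserPasswordExpiryTimeComputed discussion above and the second script), written out as an added example with the edge cases handled. This is not code from the thread or from ADPassMon: the function names, the "must-change" interpretation of a 0 value and the sample dscl line are my own constructions.

```sh
#!/bin/sh
# Added example (not from the thread): msDS-UserPasswordExpiryTimeComputed is a
# Windows FILETIME, i.e. 100-nanosecond intervals since 1601-01-01 UTC. These
# functions convert it to Unix seconds and to a "days remaining" figure, and
# handle the two sentinel values the DC can return. All sample inputs are constructed.

# 0x7FFFFFFFFFFFFFFF: returned when the password never expires
NEVER_EXPIRES=9223372036854775807
# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF=11644473600

# parse_dscl_value "<one line of dscl -read output>"
# dscl prints "attribute: value"; return everything after the last ": ".
parse_dscl_value() {
    line="$1"
    printf '%s\n' "${line##*: }"
}

# filetime_to_unix <filetime>
# Prints Unix epoch seconds, "never" for the never-expires sentinel,
# "must-change" for 0, or "invalid" (exit status 1) for non-numeric input.
filetime_to_unix() {
    ft="$1"
    case "$ft" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ "$ft" = "$NEVER_EXPIRES" ]; then
        echo "never"; return 0
    fi
    # Assumption: a value of 0 (pwdLastSet is 0, i.e. "must change at next logon")
    # is treated as already expired rather than being converted to a 1601 date.
    if [ "$ft" -eq 0 ]; then
        echo "must-change"; return 0
    fi
    echo $(( ft / 10000000 - EPOCH_DIFF ))
}

# days_until <expiry_unix> [now_unix]
# Whole days until expiry, rounded down: half a day left gives 0, and because
# shell division truncates toward zero, negative values are floored explicitly
# so that "expired 1 hour ago" gives -1 instead of 0.
days_until() {
    expiry="$1"
    now="${2:-$(date +%s)}"
    diff=$(( expiry - now ))
    if [ "$diff" -ge 0 ]; then
        echo $(( diff / 86400 ))
    else
        echo $(( (diff - 86399) / 86400 ))
    fi
}

# reminder_state <days>
# The thread's thresholds: prompt at exactly 14 days and daily from 7 days on;
# 0 days (expires today) still gets a prompt, negative means expired.
reminder_state() {
    d="$1"
    if [ "$d" -lt 0 ]; then
        echo "expired"
    elif [ "$d" -gt 14 ]; then
        echo "none"
    elif [ "$d" -eq 14 ] || [ "$d" -le 7 ]; then
        echo "remind"
    else
        echo "none"
    fi
}

# Demo on a constructed dscl line (FILETIME for 2023-11-14 22:13:20 UTC, Unix 1700000000)
# with a constructed "now" five days and one hour before expiry.
demo() {
    sample='dsAttrTypeNative:msDS-UserPasswordExpiryTimeComputed: 133444736000000000'
    ft=$(parse_dscl_value "$sample")
    expiry=$(filetime_to_unix "$ft")
    now=$(( expiry - 5 * 86400 - 3600 ))
    days=$(days_until "$expiry" "$now")
    echo "expiry=$expiry days=$days state=$(reminder_state "$days")"
}
demo
```

The rounding is the part worth checking in a real deployment: an integer-divided difference is 0 for anything under 24 hours and, with plain truncation, also 0 for anything up to 24 hours after expiry, so a script that treats 0 as "expired" will stay silent on the last day, and one that treats 0 as "not yet expired" will miss the first day after. Flooring the negative side keeps the two cases apart.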
is this still working in Sierra and HS?