
AD password expiration script for macs (launchd item)

We have been having issues with people forgetting to change their AD passwords on Macs because there is no alert mechanism that lets users know their password is about to expire.
I created a password expiration alert script to remediate this. I wanted the alert to be persistent, so I created a launchd item that runs the script every 4 hours.
In my setup, I've put the script in /Library/passchange.sh and a LaunchAgent in /Library/LaunchAgents/.
You'll need to make sure the script is executable and the LaunchAgent (owned by root:wheel) is not.
To do this, I created an installer which places both items on the client Macs and runs a postflight script to adjust the permissions and load the LaunchAgent.
I used Composer to package the install; you can use Packages or Iceberg.

 As usual, free to use as long as you credit me.
passchange.sh
####################################################
#!/bin/bash
# Password alert script created by tausif to alert people to change their passwords.
# PasswordChange.sh
# Runs as the logged-in user from a LaunchAgent, so it has no TTY and cannot
# answer a sudo prompt; dsconfigad -show does not need root, so ASROOT defaults to empty.
ASROOT=${ASROOT:-}

logFile="/private/var/log/passwdchg.log"
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logFile"
}

# Variables and Functions #
PwdPolicy=90                      # maximum password age in days, per the AD policy
FileTimeEpochOffset=11644473600   # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01

OSVersion=$(sw_vers -productVersion)
ADcheck=$(dscl localhost -list . | grep "Active Directory")
Domain=$($ASROOT dsconfigad -show | grep "Active Directory Domain" | awk '{print $5}')
LoggedInUser=$(ls -l /dev/console | awk '{print $3}')
LoggedInUID=$(dscl . read "/Users/$LoggedInUser" UniqueID | awk '{print $2}')

# Only check when the domain is reachable; pwdLastSet cannot be read otherwise.
if ping -c 2 "corp.fairisaac.com" > /dev/null 2>&1; then
    log "Connected to FICO internal network. Checking password expiration"
else
    log "Error: Not connected to FICO internal network."
    exit 0
fi

if [[ $ADcheck == "Active Directory" && $Domain == "corp.fairisaac.com" && $LoggedInUID -ge 1025 ]]; then
    # pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01.
    SetDate=$(dscl "/Active Directory/CORP/All Domains/" read "/Users/$LoggedInUser" pwdLastSet | awk '/pwdLastSet:/{print $2}')
    if [[ -z $SetDate ]]; then
        log "Error: could not read pwdLastSet for $LoggedInUser"
        exit 0
    fi
    LastSet=$(( SetDate / 10000000 - FileTimeEpochOffset ))   # Unix epoch seconds
    Time=$(date +%s)
    TimeSinceSet=$(( Time - LastSet ))
    DaysSinceSet=$(( TimeSinceSet / 86400 ))
    DaysLeft=$(( PwdPolicy - DaysSinceSet ))
    if [[ $DaysLeft -le 14 ]]; then
        CHANGE=$(osascript -e 'tell application "System Events" to display dialog "Your password will expire in '"$DaysLeft"' days." with title "FICO CORP Password" buttons {"Change Password Now", "Cancel"} default button "Change Password Now" giving up after 300 with icon path to resource "AccountsPref.icns" in bundle "/System/Library/PreferencePanes/Accounts.prefPane/Contents/Resources"')
        if [[ $CHANGE =~ Password ]]; then
            # Open the Users & Groups pane so the user can change the password right away.
            osascript -e 'tell application id "com.apple.systempreferences"' -e "activate" -e 'set the current pane to pane id "com.apple.preferences.users"' -e "end tell"
        else
            log "User clicked cancel"
        fi
    fi
fi
exit 0


####################################################
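The expiry arithmetic the script performs, pulled into functions so it can be checked against known values. This is an added example, not part of the original post; the pwdLastSet value and the "now" timestamps used in the comments are constructed.

```shell
#!/bin/bash
# Added example (not from the post): the pwdLastSet arithmetic from passchange.sh
# as standalone functions, including the two cases the script does not handle.

FILETIME_EPOCH_OFFSET=11644473600   # seconds from 1601-01-01 to 1970-01-01

# Convert an AD pwdLastSet value (100 ns ticks since 1601-01-01) to Unix seconds.
# Constructed sample: 130000000000000000 -> 1355526400 (mid-December 2012).
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# Days until the password expires, given pwdLastSet, the max age in days, and
# "now" as Unix seconds (passed in so the result is reproducible in a test).
# A pwdLastSet of 0 means AD has flagged "must change password at next logon",
# so treat it as expiring today; a negative result means it already expired.
days_left() {
    local pwd_last_set="$1" policy_days="$2" now="$3"
    if [ "$pwd_last_set" -eq 0 ]; then
        echo 0
        return
    fi
    local last_set
    last_set=$(filetime_to_epoch "$pwd_last_set")
    echo $(( policy_days - (now - last_set) / 86400 ))
}

# Same 14-day threshold the script uses to decide whether to show the dialog.
should_warn() {
    [ "$1" -le 14 ]
}
```

Accounts with "password never expires" set in userAccountControl are not distinguished here, just as in the script.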

# LaunchAgent item, needs to be placed in /Library/LaunchAgents/
# Filename: net.fico.passchg.plist





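The plist itself did not survive on this page. Below is an added example of a LaunchAgent matching the description (label net.fico.passchg, runs /Library/passchange.sh every 4 hours); it is not the author's original file, and the label and script path are taken from the post. It is written as a shell function that emits the plist, plus the ownership and permission check launchd itself applies to /Library/LaunchAgents.

```shell
#!/bin/bash
# Added example, not the author's plist: emit a LaunchAgent that runs the
# password check every 4 hours, and check it the way launchd will.

# Print the plist for a script path and a start interval in seconds.
agent_plist() {
    local script="$1" interval="${2:-14400}"   # 14400 s = 4 h
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>net.fico.passchg</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>${script}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>${interval}</integer>
    <key>StandardErrorPath</key>
    <string>/tmp/net.fico.passchg.err</string>
</dict>
</plist>
EOF
}

# Pre-ship check: the plist must name the script and the 4-hour interval, and
# must not be group- or world-writable, otherwise launchd skips it and logs
# "Dubious permissions on file". (Ownership must also be root:wheel; see the
# postflight script.)
check_agent() {
    local file="$1" script="$2"
    grep -q "<string>${script}</string>" "$file" || return 1
    grep -q '<integer>14400</integer>' "$file" || return 1
    [ -z "$(find "$file" \( -perm -g+w -o -perm -o+w \))" ] || return 1
}

# Usage on a Mac, as root:
#   agent_plist /Library/passchange.sh > /Library/LaunchAgents/net.fico.passchg.plist
#   chown root:wheel /Library/LaunchAgents/net.fico.passchg.plist
#   chmod 644 /Library/LaunchAgents/net.fico.passchg.plist
#   check_agent /Library/LaunchAgents/net.fico.passchg.plist /Library/passchange.sh
```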
####################################################
#!/bin/sh
## postinstall (postflight) script to change permissions on the script and plist.

logFile="/private/var/log/passch_install.log"
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logFile"
}

# launchd ignores a plist in /Library/LaunchAgents unless it is owned by root
# and not writable by group or others, so set both explicitly.
chown root:wheel /Library/LaunchAgents/net.fico.passchg.plist
chmod 644 /Library/LaunchAgents/net.fico.passchg.plist
# The script runs in every user's session; root-owned and 755 means users can run
# it but not edit it. This path must match ProgramArguments in the plist.
chown root:wheel /Library/passwordchange/Scripts/passchange.sh
chmod 755 /Library/passwordchange/Scripts/passchange.sh

log "change perms on script and plist"

# The installer runs as root, but a LaunchAgent belongs in the logged-in user's
# session; load it there rather than into root's context. It will also load on
# its own at the next login.
consoleUser=$(stat -f%Su /dev/console)
if [ -n "$consoleUser" ] && [ "$consoleUser" != "root" ]; then
    consoleUID=$(id -u "$consoleUser")
    launchctl asuser "$consoleUID" launchctl load /Library/LaunchAgents/net.fico.passchg.plist
    log "loaded job for $consoleUser"
else
    log "no user logged in; job will load at next login"
fi

exit 0        ## Success



####################################################

Enjoy.
tausif
