We have been having issues with people forgetting to change their AD passwords on Macs because there is no alert mechanism that lets users know their password is about to expire.
I created a password expiration alert script to remediate this. I wanted the alert to be persistent, so I created a launchd item which runs the script every 4 hours.
In my setup, I've put the script in /Library/passchange.sh and a LaunchAgent in /Library/LaunchAgents/.
You'll need to make sure the script is executable and that the LaunchAgent plist (owned by root:wheel) is not.
To do this, I created an installer which places both items on the client Macs and runs a postflight script to adjust the permissions and load the LaunchAgent.
I used Composer to package the install; you can use Packages or Iceberg.
As usual, free to use as long as you credit me.
passchange.sh
####################################################
#!/bin/bash
# Password alert script created by tausif to alert people to change their passwords.
# PasswordChange.sh
ASROOT=${ASROOT:-sudo}
logFile="/private/var/log/passwdchg.log"
# Echo a timestamped message and append it to the log file.
log () {
echo "$1"
echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logFile"
}
# Variables and Functions #
PwdPolicy=90                      # maximum password age in days, per domain policy
OSVersion=`sw_vers | grep ProductVersion | cut -c 17-20`
ADcheck=`dscl localhost -list . | grep "Active Directory"`
Domain=`$ASROOT dsconfigad -show | grep "Active Directory Domain" | awk '{print $5}'`
LoggedInUser=`ls -l /dev/console | awk '{print $3}'`
LoggedInUID=`dscl . read /Users/$LoggedInUser UniqueID | awk '{print $2}'`
# Only query the domain when it is reachable; otherwise log and exit quietly.
if ping -c 2 "corp.fairisaac.com" > /dev/null 2>&1; then
log "Connected to FICO internal network. Checking password expiration"
else
log "Error: Not connected to FICO internal network."
exit 0
fi
if [[ $ADcheck == "Active Directory" && $Domain == "corp.fairisaac.com" && $LoggedInUID -ge 1025 ]]; then
# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
SetDate=`dscl /Active\ Directory/CORP/All\ Domains/ read /Users/$LoggedInUser pwdLastSet | awk '/pwdLastSet:/{print $2}'`
# Convert ticks to seconds, then shift from the 1601 epoch to the Unix epoch
# (11644473600 seconds, subtracted in two steps).
LastSet=`expr $SetDate / 10000000 - 1644473600`
LastSet2=`expr $LastSet - 10000000000`
Time=`date +%s`
TimeSinceSet=`expr $Time - $LastSet2`
DaysSinceSet=`expr $TimeSinceSet / 86400`
DaysLeft=`expr $PwdPolicy - $DaysSinceSet`
# Alert during the last 14 days before expiry.
if [[ $DaysLeft -le 14 ]];
then
CHANGE=$(osascript -e 'tell application "System Events" to display dialog "Your password will expire in '$DaysLeft' days." with title "FICO CORP Password" buttons {"Change Password Now", "Cancel"} default button "Change Password Now" giving up after 300 with icon path to resource "AccountsPref.icns" in bundle "/System/Library/PreferencePanes/Accounts.prefPane/Contents/Resources"')
# The dialog returns "button returned:Change Password Now" when the user accepts.
if [[ $CHANGE =~ Password ]];
then
osascript -e 'tell application id "com.apple.systempreferences"' -e "activate" -e 'set the current pane to pane id "com.apple.preferences.users"' -e "end tell"
else
log "User clicked cancel"
fi
fi
fi
exit 0
####################################################
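The core of the script is the pwdLastSet arithmetic, and it is easy to get the epoch shift wrong. The following is an added example, not part of the original post: the conversion factored into small functions so it can be checked offline, with the two-step offset from the script collapsed into the single constant 11644473600 and a guard for a pwdLastSet of 0 (which in AD means a change is required at next logon). The sample FILETIME value and the fixed "now" timestamps are constructed for the example.

```shell
#!/bin/bash
# Added example: pwdLastSet -> days-until-expiry, as standalone functions.
# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# The Unix epoch (1970-01-01) is 11644473600 seconds after that; the original
# script subtracts it as 1644473600 + 10000000000.
FILETIME_EPOCH_OFFSET=11644473600

# filetime_to_epoch TICKS -> Unix seconds
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# days_left PWDLASTSET NOW_EPOCH POLICY_DAYS -> whole days until expiry.
# A pwdLastSet of 0 means AD already requires a change; report 0 days.
days_left() {
    local set_ticks=$1 now=$2 policy=$3
    if [ "$set_ticks" -eq 0 ]; then
        echo 0
        return
    fi
    local set_epoch
    set_epoch=$(filetime_to_epoch "$set_ticks")
    echo $(( policy - (now - set_epoch) / 86400 ))
}

# should_warn DAYS_LEFT THRESHOLD -> success (0) when an alert is due
should_warn() {
    [ "$1" -le "$2" ]
}

# Constructed sample: a password set at Unix time 1700000000
# (2023-11-14 22:13:20 UTC), expressed as FILETIME ticks.
SAMPLE_PWDLASTSET=133444736000000000

main() {
    # Accept an explicit "now" so the run is reproducible; default to the clock.
    local now=${1:-$(date +%s)}
    local left
    left=$(days_left "$SAMPLE_PWDLASTSET" "$now" 90)
    if should_warn "$left" 14; then
        echo "Your password will expire in $left days."
    else
        echo "No warning needed ($left days left)."
    fi
}

# 80 days after the sample set time: 10 days left, so the warning fires.
main 1706912000
```

Running the block with a different first argument to main (or none, to use the current clock) lets you sanity-check the threshold logic before wiring it to dscl on a real client.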
#LaunchAgent item, named net.fico.passchg.plist, needs to be placed in /Library/LaunchAgents/
####################################################
#postflight script to change permissions on the script and plist.
#!/bin/sh
## postinstall
logFile="/private/var/log/passch_install.log"
# Echo a timestamped message and append it to the install log.
log () {
echo "$1"
echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logFile"
}
# The plist must be root-owned and not executable; the script must be executable.
chown root:wheel /Library/LaunchAgents/net.fico.passchg.plist
chmod 644 /Library/LaunchAgents/net.fico.passchg.plist
chmod +x /Library/passwordchange/Scripts/passchange.sh
log "change perms on script and plist"
if launchctl load /Library/LaunchAgents/net.fico.passchg.plist; then
log "loaded job"
exit 0 ## Success
else
log "failed to load job"
exit 1 ## Failure
fi
####################################################
Enjoy.
tausif