- Visit Dashlest Not Showing Osversion Correctly For Mac Pro
- Visit Dashlest Not Showing Osversion Correctly For Mac Free
- Since Mac OS 10.4, users with impending password expirations will be notified when they log in. If their password is set to expire within 24 hours, they will be forced to change their password before being allowed to log in. Administrators can adjust how long before password expiration to start showing these login screen warnings. This is not a.
- Viewing the text file at this point will show the VMWare-MAC entry for the computer. However, if you save the list while it is not displaying the computer, it will discard the computer from the source file. This is on Windows 7 Enterprise computers. I do not know if this applies to computers with other virtual adapters, or other OS versions.
ADPassMon has moved! The, and are now hosted on GitHub.
This page will remain for a short time for historical purposes, but I encourage you to visit GitHub for up-to-date information about using ADPassMon, instead. I will still post about ADPassMon updates and bugfixes on this blog. Also note, comments on this page are closed. Please submit bug reports and feature requests to the directly. Quick Summary and Features ADPassMon is a small menu bar application that shows the number of days remaining until your Active Directory password expires.
ADPassMon features:. support for Mac OS X 10.6 through 10.11. optional Growl or Notification Center alerts with adjustable warning period. integrated Kerberos ticket renewal.
Change Password menu item, with optional password requirements reminder. offline functionality via cached expiry information. MCX support for ease of administration This software is released under the.
Getting the Windows version? Ask Question. Read TOSVersion.Platform to check for Windows or Mac. Although you should check that the function works correctly in your Delphi since the implementation of that function in Delphi 6 and earlier was incorrect.
Download the correct version for your operating system: (tested up through OS X 10.11) Want to know more? Read on for the full story.
The Problem Most Active Directory sites require users to change their passwords at regular intervals – such as every 30, 60, 90, or 180 days. Unless you write your password expiration date on a calendar or set some other sort of reminder, it’s possible that your password will expire before you’ve had a chance to change it. Mac OS X’s AD integration has come a long way in mitigating this issue. Since Mac OS 10.4, users with impending password expirations will be notified when they log in. If their password is set to expire within 24 hours, they will be forced to change their password before being allowed to log in. How long before password expiration to start showing these login screen warnings.
This is not a foolproof solution, though. If you’re the kind of person who doesn’t regularly log out of your computer, you might go weeks without visiting the login screen, completely missing the warning period. If you can’t count on your operating system to keep you informed regardless of your use habits, what can you do? The Solution. Click to download ADPassMon (264KB) ADPassMon, short for Active Directory Password Monitor, is a utility that solves this issue by providing up-to-date password expiration information at a glance.
It places an item in the menu bar that shows the number of days remaining until the password expires, simply and unobtrusively. Here it is on the left. Hovering your cursor over the icon reveals more precise information in a tooltip. Clicking on the menu item reveals some additional features, which I’ll discuss further below. Selecting the Preferences item reveals the program’s configuration options.
Note the message area at the top of the window. It will normally display the full password expiration information, but if can also display errors or other messages affecting use of the application. Auto or Manual Mode By default, ADPassMon attempts to automatically acquire all the information it needs to calculate your password expiration information. This will not work in all environments, so the option to set the maximum password age manually is provided. If Auto mode results in an incorrect or negative password expiration value, then you should use Manual mode and provide your site’s maximum password age in days. Growl / Notification Center Alerts If you have Growl installed or use OS X 10.8 with Notifcation Center, ADPassMon can optionally send you notifications of impending password expirations. Check the Enable Notifications box and enter the number of days before the password expires that you want the warnings to start appearing.
Warnings will appear every 12 hours after the threshold is reached. Each warning will resemble the following: Kerberos Tickets ADPassMon can also acquire and/or renew Kerberos tickets for you. In OS 10.6, Apple buried the graphical Kerberos ticket management tool — Ticket Viewer.app — inside the /System/Library/CoreServices folder. ADPassMon lets you request a new ticket or renew an existing ticket right from its menu.
(A Kerberos ticket is required if you’re using Auto mode, so you’ll be prompted to obtain a ticket if you launch ADPassMon and don’t have a ticket.) This menu item will be disabled if the app cannot communicate with your AD domain. KerbMinder Integration (only in v1.10.0+) If you have installed, ADPassMon will show an extra menu option that lets you enable and disable it. Change Password Shortcut ADPassMon’s menu provides a shortcut to Mac OS X’s standard password change interface. When you select it, System Preferences will automatically launch and show you the standard password change window. This feature requires that ADPassMon be allowed to control the GUI in the Security & Privacy pref pane’s Accessibility settings. If it is not enabled, users with administrator access will be prompted to enable it when the program first launches.
Skip Accessibility Option Check If you want to keep the Accessibility setup dialog box from appearing when your users first run ADPassMon, you can set the accTest preference value to 0 to disable it. Defaults write org.pmbuko.ADPassMon accTest 0 Password Policy Reminder If you are an administrator and need an easy way to remind your users of your organization’s password complexity requirements, you can enable the password policy reminder feature by defining a pwPolicy key in ADPassMon’s plist file. You can do this either by editing the plist file directly with a plist editor (Xcode works well for this), or by setting the content of the reminder message in the terminal as follows: defaults write org.pmbuko.ADPassMon pwPolicy 'Your password requirement message goes here.' The password policy reminder dialog button’s default text is “OK”, but you can change it as follows: defaults write org.pmbuko.ADPassMon pwPolicyButton 'I understand' When the pwPolicy value is set, a policy reminder alert like the one below will appear when you select Change Password from the ADPassMon menu. You must click the single button before you can change your password. Lockable Preferences If you’re an administrator and wish to deploy this utility to your Macs, you can disable access to the Preferences window by adding a prefsLocked key and setting its value to true in the org.pmbuko.ADPassMon.plist. You can do this via MCX, or manually by entering this command in the terminal: defaults write org.pmbuko.ADPassMon prefsLocked true Users will still be able to enable or disable Growl/Notification Center alerts via the menu option.
App Reset If you’re experiencing trouble with ADPassMon, you can clear the settings and return the application to defaults by selecting the Reset tab in the Preferences window and clicking the Revert to Defaults button. Acknowledgements I have many people to thank for making this application possible., of JNSoftware, for providing sample code for a menu app written in AppleScript ObjectiveC., for his excellent eBook, AppleScriptObjC Explored., for his work on the Password Monitor app on which ADPassMon is based. John Welch, for recommending Shane’s book and inspiring me to start learning AppleScriptObjC Last but not least, I give my sincere thanks to my beta testers: Joe Chilcote, Brian LaShomb, Joel Moses, Rusty Myers, Stephen Rayda, Tom Rodgers, and especially. This app would have been less useful without their help. MIT License This software is released under the terms of the.
Copyright (C) 2015 by Peter Bukowinski Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
OK ——————— 25.5.11 9:54:19 ADPassMon1650 Starting manual process 25.5.11 9:54:19 ADPassMon1650 Found expireAge in plist: 40 25.5.11 9:54:19 ADPassMon1650 The new pwdSetDate (-1,34774E+5) 25.5.11 9:54:19 ADPassMon1650 is. I’m getting the same output as MaM consistently with Leopard and Snow Leopard regardless of OS version on all AD bound machines (50 some odd machines) 3 users (in the IT group) and one enterprise admin user show the correct days until expiration. They are all in an OD IT group and the rest of the users are in a employees OD group that has the AD “Domain Users” as the member. This is Magic triangle with Server 03. I’ve gone into the Manually setting expiration, hit Enter, then apply, I’m still getting an expiration date in 1970. When I take a user out of Domain Users, nothing changes, let’s say I add that same test user to the “IT” OD group, still nothing changes; expiration date in 1970. Now what if I bind a machine only to AD and not OD?
Same thing, expiration in 1970 despite our domain policy specifying expiration every 90 days. I had the exact same problem with the older Password Monitor except it would just list a diamond (a sort of out of range error). Every time I deleted the user folder for testing. The users being local admins on the machine doesn’t help or hinder this false expiration repot.
It’s a real mystery as to why this only works for 3 users in my domain. I reset the password interactively at the System Preferences level but had initially set the pass in AD. The log output is essentially the same as what MaM outputted. Sorta went on vacation and didn’t want to post anything until I had something to contribute. As MaM guessed, yes we do have a Domain that was SBS and then later upgraded to Standard.
As he says, a fresh install of Server 03 Standard would resolve the issue. As my issue is with my production AD, such a resolution was less than desirable. So, I opened up my ADUC, right clicked on Domain Users (this doesn’t matter) and selected Delegate Control The next box asks you (for what group). I typed in auth and hit enter to auto-fill Authenticated Users.
At the next screen I select “only the following objects.” radio button and scrolled down and selected the “User objects”. At the next screen I checked the box “Property-Specific” as we don’t want to grant write to all user objects (LDAP attributes). I scrolled down to “pwdLastSet” and checked read and write. The next dialogue box is a Finished screen.
I then changed the password of a normal test user and successfully had a pwdLastSet value. This marks the end to a nearly 2 year long outstanding ticket.
I thank the members of the forum and, of course, pmbuko, for helping me come to a resolution. And, to microsoft, much love for. No more users who say they weren’t warned that their password would be expiring!! Thanks for this, it is really cool.
I found that on first use I was getting negative numbers as well. It would date back to when I last renewed the password for the user.
I changed it from Auto mode to Manual mode and put in 365, then pressed Enter, and then clicked Apply Changes. It took me a while to figure out that I had to hit the Enter key and then Apply Changes. It seems strange to require the Enter key press for it to work. It might be helpful to make that more obvious or just allow the Apply Changes button to set it instead of the Enter key. I had to read through the comments to figure it out.
Does it stay grayed out even if you re-check the expiration? The way I set up the Refresh Kerberos Ticket option is that it will be disabled under a certain test condition. The test compares the “password set date” that is saved in the plist against the just acquired “password set date”. If the fresh value is greater than or equal to the plist value, then I assume the computer is on the network and successfully talking to AD. If the fresh value is less, it is likely a negative value and I assume the computer is not on the network and disable the kerberos menu item. ADPassMon writes to the console log. Open Console.app, select Console messages, and then type ADPassMon in the search field to filter for those messages.
Can you paste what you see in the log when you do a re-check expiration while on the network with a valid kerberos ticket? I just installed ADPassMon yesterday. Yesterday, it said that my password would expire in -7 days. So I switched it to manual and specified 60 days.
It then said my password would expire in 52 days. I wasn’t sure if that was right (I changed my password.around. a week ago) so left it and figured I’d just see how it turned out. Today when I logged in, it said my password would expire in 52 days.
So I reverted to default settings and refreshed my Kerberos Ticket. But again it says -7d. Any suggestions?
Here’s the last entry: 11/22/11 8:19:15.912 AM ADPassMon: Starting auto process 11/22/11 8:19:15.925 AM ADPassMon: myDNS: 10.5.1.68 11/22/11 8:19:16.607 AM ADPassMon: mySearchBase: DC=liox,DC=org 11/22/11 8:19:17.291 AM ADPassMon: Got expireAge: 0 11/22/11 8:19:17.593 AM ADPassMon: The new pwdSetDate (1.62E+4) 11/22/11 8:19:17.594 AM ADPassMon: is. I have the same problem as Kevin above, the expiration date is when the password was last reset. I finally got this information. There is no edu.mit.Kerberos file and krb5.conf is empty. Here is the console output. Sorry that it took me so long to get this back to you.
Thanks for any help you can give. This may have something to do with the fact that I’m using a VPN.
I changed the primary DNS server to the AD server, and here is the console output. Thanks again for your help! Okay, I did that. I just read through the and see that it uses its own (non-Apple-native) Directory Services plugin. Currently, ADPassMon will only work if your Mac can communicate directly with your AD domain server(s) to get data on when your password was last changed. Manual mode is useful only for supplying the maximum password age if it can’t be obtained automatically.
There may be a simple workaround I can implement, though. Can you try the following two commands and show me the results? This will operate on the currently logged-in user, but you can substitute “$USER” for any username. The first command is the one I’m currently using. The second command is an alternate form that may work better for you. Dscl localhost read /Search/Users/$USER pwdLastSet dscl /Search read /Users/$USER pwdLastSet Also, please run ‘klist’ in the terminal and let me know if it shows an active kerberos ticket.
Visit Dashlest Not Showing Osversion Correctly For Mac Pro
Temp-mac:bin jcollins$ dscl /Search read /Users/jcollins pwdLastSet No such key: pwdLastSet No such key: pwdLastSet temp-mac:bin jcollins$ dscl localhost read /Search/Users/jcollins pwdLastSet No such key: pwdLastSet No such key: pwdLastSet temp-mac:bin jcollins$ klist Credentials cache: API:62104299 Principal: Issued Expires Principal Apr 25 10:22:27 Apr 25 20:19:56 krbtgt/SCENTSY.LOCAL@SCENTSY.LOCAL Apr 25 10:22:28 Apr 25 20:19:56 ldap/corp-dc2.scentsy.local@SCENTSY.LOCAL temp-mac:bin jcollins$. Hi Peter, i was just about to create the log for you, but then i read some other comments about how to set the manual value and then press tab or enter. After i did that also the question about the kerberos ticket never showed up again.
So – this is solved – thanks! Now i see another issue – if i use the menubar-menu hand choose “Change Password” i can see the Systempreferences starting in the Dock, but no window appears. If i click on Systempreferences in the dock, the Window appears and shows the user-settings where i could change the password.
Is that the expected behavior? AdPassMon can’t communicate with Growl for some reason. I’ve got Growl 1.3 installed with ADPassMon 1.7 on Mac OS X Server 10.7.4.
Here are the relevant log entries: 8/1/12 2:58:42.888 PM ADPassMon: Testing for Growl 8/1/12 2:58:42.906 PM ADPassMon: Running 8/1/12 2:58:42.990 PM ADPassMon:.ADPassMonAppDelegate applicationWillFinishLaunching:: Growl got an error: Can’t continue «event register». (error -1708) 8/1/12 3:00:22.715 PM ADPassMon:.ADPassMonAppDelegate applicationWillTerminate:: unrecognized function releaseStatusItem. (error -10000) Any idea what may be going on here? Hi pmbuko- I love ADPassmon and use it all the time, but I’ve got a problem with the launch agent I’m deploying with it. About 20% of the time when a user first logs in, OS X pops up a screen asking the user to locate System Events.app.
Once the dialog has been pointed to Coreservices and the System Events application, ADPassmon pops up. Like I said, though, this doesn’t happen on every machine I image, only about 20%. It only happens once if at all, and if it doesn’t happen on your first login, it won’t ever happen. Here’s the contents of the launchagent I’m using: KeepAlive SuccessfulExit Label com.wordpress.yourmacguy.adpassmon ProgramArguments /Applications/ADPassMon.app/Contents/MacOS/ADPassMon Any ideas? Having two issues here: Logged in as normal AD user and on launch I am getting “For best performance, ADPassMon requires that ‘Access for assistive devices’ be enabled” message. This I thought only occurs for Admins?
And what is the command to turn on Assistive Devices from the cmd line? The other problem is this message: No Kerberos ticket was found. Do you want to renew it? When users login they mount shares from a Windows server so they have to have a ticket or the shares wouldn’t mount. Ticket Viewer shows that the user has a ticket. I have a LaunchAgent in /Library/LaunchAgents that starts a script in /sbin that runs: /Applications/ADPassMon.app/Contents/MacOS/ADPassMon Trying to get it so ADPassMon.app opens and doensn’t bother the user.
Thanks JosephI looked before on how to turn on Accessibility and couldn’t find out how to do it. Will look into that!
The other commands I can’t use though for console as users have a temp home on login. Need to set the pref file in the user template and seems to be giving me problems if I set the file up with limited keys.
Was only putting in growlEnabled and PrefsLocked and it was displaying a wild number and getting kerberos errors on login about not having a ticket. Here is what I have now in the org.pmbuko.ADPassMon.plist pref file and think its working, adding expireAge seems to have fixed the issue for some reason (Hopefully the following displays correctly): expireAge 180 growlEnabled prefsLocked. I’m having trouble starting the application. I’m getting an error registering with Growl. Here’s the last few lines in Console.
We recently made a change to our password policy so the passwords expire now, and I found ADPassMon as something that might help for our growing Mac users. Testing it out, it gives me 41d as the time but our policy is 180 days and when I try to change the password I get a message that it doesn’t meet the requirements when it should. I have refreshed the Kerberos ticket and I tried using the Apple generated password from Users & Groups, but still got the error message. Any ideas for what I should check? Just starting testing this out last week for use in my environment but, it seems like we’ve a got AD weirdness, too.
Running 1.9.1. It looks like the last password set date is being set as the expiration date and I end up with a negative number. Just wanted to update you and others that may have this problem. There IS a bug in Mavericks that breaks login window password expiration notices when the system authenticate against active directory. See the below response from our AppleCare Enterprise Engineer.
“Thank you for the clarification. I’ve just tested and have been able to reproduce this behavior here with Mavericks. This certainly isn’t the expected behavior, so I’ve filed a report with Product Engineering to see if we can determine why this is occurring. Unfortunately, I don’t have a workaround for you to force the prompt to appear; I’ll need to work with Product Engineering to see if I can develop one. In the interim, however, there is well-regarded third-party tool (under MIT license) that serves to give password expiration warnings that might suit your needs. That tools is ADPassMon, found here:.”.
Hey man, looking forward to utilizing this at work! We have a handful of macs running Mountain Lion. I wanted to use the pwPolicy feature, but whenever I assign any value and then log off/on again, it flushes all of my settings and prompts me to download a new Kerberos ticket. I have tried this on 1.9, 1.9.1, 1.9.2, all with the same results.
Also, I can confirm that v1.9.2 doesn’t open up Users & Groups when selecting change password from ADPassMon (it is working in both 1.9 & 1.9.1 however). A correction to my first post; my problem was that defaults wasn’t updating the plist file correctly, but once I switched over to a plist editor, things stopped breaking. I’m not running into the flushing of prefs anymore on any version of the program. Here’s what I found though (All of this on Mountain Lion, 10.8.5) v1.9 – pwPolicy works great, brings up the window and then groups and prefs when changing password v1.9.1 – when a pwPolicy attribute is set, ADPassMon stops opening up users and groups and doesn’t bring up the warning window. (Without the pwPolicy set, users and groups opens up as expected v1.9.2 – doesn’t open up users and groups regardless of pwPolicy being set.
Hope that helps! Peter, how are you or others handling users changing their passwords while not on the corporate LAN or VPN?
We have all sorts of issues with users changing their passwords off the network and wreaking havoc when they return because passwords are no longer in sync (in addition to fudging up their FV2). We basically run an Applescript if their password is determined to be within two weeks of expiring that asks them if they are on VPN or on the corporate network, but we are having all sorts of problems with Accessibility in 10.9.
Graham, my site doesn’t actually use ADPassMon any more — ironic, eh? — so this is not really a concern for us.
Our users have both LDAP and AD accounts, and we use a third-party tool that syncs LDAP and AD account passwords. The tool also handles the reminders. Our users are trained to only use this tool to change their passwords. Currently ADPassMon’s “Change Password” item is not tied to network state, but I.could.
make it unavailable when the AD servers cannot be reached. This would not, of course, prevent users from changing the password via the Users & Groups pref pane. FV2 issues are another thing altogether. Our site does not mandate it, so most users do not use it. This is an interesting observation, one that may explain issues we’ve seen when users reset passwords through the User + Groups System Preferences pane, but then end up in password purgatory with sync between AD and local password stores. I had assumed this was just the usual Keychain hell. Have not causatively connected off-network password changes with subsequent password failures, but it does make sense.
So are you guys saying the Mac definitively must be online at the moment the password change request is made in OS X? Obviously domain password changed eventually carry down to the Mac, prompting users to update their Keychain password on login, but perhaps not the other way around? Hi from France. Feature request: would it be possible to set a new key that would permit to optionnaly add a clickable URL when the password policy string is shown. The idea would be that before the password dialog is shown, the user would see a message like “Go to this corporate page to get all the details about the password change process”, page which would include the password policy string with many other details. Actually, the password policy string does not permit us to enter all the details about the work to do and to drive the user to a web page. You have already a similar process to drive the user to go to a password change web page.
Best regards. Hi, Wow thanks for the quick response – Again, really appreciate it! Just did some looking around, it’s because we have two search policies – If I remove one it returns only a single result and ADPassMon works beautifully. However, we do need two search policies because we have a ridiculously huge AD schema and we direct machines to a cut down location first and then the entire schema second. Don’t feel like you need to urgently make changes here, but would really appreciate it if you could add it in at some point! Hi, Sorry I should have been clearer. Multiple Macs so different users.
Here you go 13:42:25.888 ADPassMon6336: selectedMethod: 1 13:42:25.888 ADPassMon6336: Starting auto process 13:42:25.906 ADPassMon6336: myLDAP: 3.161.16.38 13:42:26.379 ADPassMon6336: mySearchBase: DC=nbcuni,DC=ge,DC=com 13:42:26.413 ADPassMon6336: Got expireAge: 91 13:42:26.444 ADPassMon6336: The new pwdSetDate (16289.58) 13:42:26.445 ADPassMon6336: is. I just downloaded ADPassMon to try out on our corporate network. When I double click on the application nothing happens.
Absolutely nothing. No program window, no menubar changes – nothing. Our Macs are running OSX 10.9.4 and I made sure I downloaded the version for 10.8 and 10.9. After trying it, I restarted the computer and tried again. Once again nothing at all happens. I re-downloaded the program again with the same results. I have our Macs set to allow all apps to run in the Security preference pane.
Any guidance would be appreciated. After being able to spend more time on this, I discovered that I just had to wait a very long time before it did anything. Somewhere between 2 and 5 minutes.
We’re also getting negative days reported for the password expiration when it does finally respond. I tried setting it to Manual mode, but it spins for anywhere from 2 to 5 minutes until it reverts to Auto mode and still reports negative days.
Is there anything on the Active Directory servers I can have our Windows Server guys look at to improve this behavior? MS Outlook 2011 also reports that the password has expired in the past, but no one can seem to put their finger on what’s causing the wrong information.
Just heard about this tool and very excited to get it to work for us! I do have one question maybe someone has experienced and answered. We use fine grain passwords and I’ve noticed when I try to grab the maxPwdAge entry I get a consistent result across all accounts of 9.22337e+11 resulting in the tool saying there are 10675070 days to go. Now I was able to fix this issue before in a PowerShell script but I’m unsure of how to make that translate to Apple Script. Below is an example of how I can get MaxPasswordAge out of the fine grain password policy per user: $maxPasswordAge = (Get-ADUserResultantPasswordPolicy $user).MaxPasswordAge Is anyone else running fine grain policies and possibly have a solution?
I have download the latest version of ADPassMon, but unfortunately it shows a wrong number of day. Here is my logs from Console. 2:20:52.252 pm ADPassMon442:.ADPassMonAppDelegate applicationWillFinishLaunching:: Can’t get character 1 of “”. (error -1728) 2:23:43.808 pm ADPassMon442: Testing for Kerberos ticket presence 2:23:51.067 pm ADPassMon442: Ticket found and renewed 2:23:51.070 pm ADPassMon442: Starting auto process 2:23:51.071 pm ADPassMon442: Found expireAge in plist: 91 2:23:51.149 pm ADPassMon442: New pwdSetDate (-134774) is 2:23:51.150 pm ADPassMon442. Hi Peter, I have run dscl localhost read /Search/Users/$USER and found out that there’s no Variable related to SMBPasswordLastSet. Just give you a little bit background, I work at K-12 school and we have 25 imacs for media student. We use magic triangle setup for our mac lab.
After a long test and trials, we have decided to delete all keychains on user’s logout. We have made a short custom script to do this,: rm -rf /Users/ /Library/Keychains/ and then change mode to be able to run it, and add it to logout hook. It works fine now. Thank you for your help, Peter. I have just installed ADPassMon and feel it may address a nagging issue with Kerberos ticket renewal in our environment.
I was wondering if you could add an option for ADPassMon to automatically refresh the Kerberos Ticket on network state change “if” it can detect the domain controller. This would eliminate the need for end user training on ticket refresh. FYI, I am thinking the network state “changes” upon a Cisco AnyConnect connection. The VPN is used for users working at home, which is where most users are running into expired Kerberos Tickets due to elongated times of no domain connectivity. If you could make this tweak, we would be willing to pay for the utility if need be.
Hi Peter, I was also getting the negative number issue and all the suggestions above were returning nothing, however when I ran dscl localhost read /Search/Users/$USER and searched on pass I found the following along side the rest of my AD details: PasswordPolicyOptions: failedLoginCount 0 failedLoginTimestamp 2001-01-01T00:00:00Z lastLoginTimestamp 2014-10-17T10:57:42Z passwordLastSetTime 2014-10-17T10:57:42Z trackLastLogin 1 I’m not entirely sure how this data gets populated but It looks like the passwordLastSetTime is the data you need, is this something ADPassmon might support? This was working until I updated my password. Now I’m getting the -1 day. Running OS X 10.9.5, here’s my output of the troubleshooting script. Ldapsaslinteractivebinds: Can’t contact LDAP server (-1) No such key: userAccountControl ldapsaslinteractivebinds: Can’t contact LDAP server (-1) (standardin) 1: parse error myLDAP: x.x.x.x mySearchBase: uAC: passExpires: yes expireAgeUnix: expireAge: pwdSetDateRaw: 14356662 pwdSetDateUnix:. PwdSetDate: 629629 todayUnix: today: 888888 daysUntilExp: -259 daysUntilExpNice: -91.
I’m trying to deploy ADPassMon with.plist and a LaunchAgent using Casper. I created the plist and launchagent files with TextWrangler and saved them as plain old text format. I packaged them up using Casper Composer in a.dmg file. When I deploy the.dmg none of the settings of the plist and launch agent work. When I double click on the files in the Finder, I can read them just fine and everything is exactly as I set them.
HOWEVER, if I use the more command in Terminal to view the files, I get a message telling me the files are binary and asks me if I want to view them anyway. I tell it Yes I do want to view and it comes up as binary gibberish. If I take the text files I created and manually copy them to the locations they need to be in, it works just fine.
So obviously something is happening to the plist and launchagent files that is changing it from text to binary and ADPassMon can’t read them. Does anyone have any tips for resolving this? My office AD environment is fairly complex, and our users do password resets through a tool that then syncs with various services – including AD. As a result, we’ve had to disable password changing in Mac OS X – as changing the password there does hit the other services in place, leaving the user with multiple passwords – and users have to change their password via a website. Using your tool, we’ve been able to add a button to the dialog box that directs the user to the password change page we use, but the ‘OK’ button is still present, and regardless of whether the OK button or URL button is pressed, the Users & Groups preference pane opens, which is an unnecessary operation in our environment.
So my question is two-fold. Is there a way to remove the ‘OK’ button and leave only the URL button, and is there a way to make it so System Preferences doesn’t open at the button push event? In its current state, the tool does work, and we enjoy using it, but we haven’t been able to put it into production because of what I’ve stated above. Any insight would certainly be welcome.
Thank you for your time. @pmbuko Thanks for the info. I have tried to delete plist file before but it doesn’t change the value – it keeps it at the 256 timeline not the 320. I reset my password in ADmon and it changed it to 256(old gpo timeline). I uninstalled and reinstalled and it changed it to 320(which is the new correct gpo). I also tried to replace the plist with a fresh one that had never been opend with no values in it and it re-wrote to 256 some how.
I could just do a uninstall and reinstall but this is currently used by a few hundred users and that is not the best solution or easiest solution. Thanks, Blake. A negative value means that ADPassMon wasn’t able to automatically determine the maximum password age by querying a domain controller.
The command it uses to query AD is ldapsearch -LLL -Q -s base -H ldap://dc.example.com -b dc=example,dc=com maxPwdAge. If you run this on your computer (substituting in the correct values after -H and -b), what is the result? In any case, I suggest using Manual method in ADPassMon preferences and entering in the maximum password age there. Remember to press Enter after typing in the value. Andy, You’re welcome! I posted a bash script that contains shells commands similar to what ADPassMon uses internally.
To specifically answer your question, look at line 18. I am using dscl to look up the SMBPasswordLastSet value stored in AD.
If your network advertises multiple AD servers (run the command found on line 5 without the head -1 part), they can sometimes come up in different orders. If one or more of those AD servers doesn’t have a defaultNamingContext value set, then part of the lookup will fail and you’ll end up seeing negative password values. I suggest downloading my script and running it a few times in a row to see if you get inconsistent results. Thanks for the details, i’ll test them out shortly. Another quick question if you have the time, is there any way to disable the message “No Kerberos ticket for Active Directory was found. Do you want to renew it?” or is there a way i could reword the “Password is incorrect – Please try again” message if the Mac can’t reach our network?
We have a lot of external users who very rarely access the VPN and i think when they’re prompted to renew the kerberos ticket they’ll get confused when it tells them their password is incorrect. Thank you, Andy. Thanks, Just tested V1.10.3 on a 10.9.2 Mac within an AD Managed Mobile account and all the menu items are still available when AD can’t be reached. Tried quitting and re-opening it and also resetting it but still the same. Console doesn’t show much when choosing to Refersh Kerberos Ticket: 7/2/15 4:10:37.050 PM ADPassMon2415 Testing for Kerberos ticket presence 7/2/15 4:10:37.073 PM ADPassMon2415 No ticket found 7/2/15 4:11:07.526 PM ADPassMon2415 Incorrect password.
Cheers, Andy. I absolutely love ADPassMon, but i think i’ve found an issue with the latest version. I packaged ADPassMon for deployment with the previous version a while back and it was working great.
I manually set the password expiration days to 180 since that is our policy. When i swapped out the ADPassMon app in the package payload everything seems to work, but it is adding a 0 to the days until password expires. For example my password expires in 91 days with the previous app, but with the new version it shows 910 days. It could be my configuration or something, but i figured i would let you know. Thanks again for such a great tool! Thanks for the quick reply. Below is the log you requested.
7/21/15 10:32:35.630 AM ADPassMon2151: Running on OS 10.10.x 7/21/15 10:32:35.632 AM ADPassMon2151: Testing Universal Access settings 7/21/15 10:32:35.633 AM ADPassMon2151: Enabled 7/21/15 10:32:35.642 AM ADPassMon2151: Loading prefs 7/21/15 10:32:35.779 AM ADPassMon2151: Testing if password can expire 7/21/15 10:32:35.826 AM ADPassMon2151: Password does expire. 7/21/15 10:32:35.860 AM ADPassMon2151: Starting auto process 7/21/15 10:32:35.861 AM ADPassMon2151: Found expireDateUnix in plist: 1.516129745E+9 7/21/15 10:32:35.913 AM ADPassMon2151: Got expireDateUnix: 7/21/15 10:32:35.914 AM ADPassMon2151: Using msDS method 7/21/15 10:32:35.926 AM ADPassMon2151: daysUntilExp: 922222 7/21/15 10:32:35.926 AM ADPassMon2151: daysUntilExpNice: 910. I am not sure if I am missing a setting, but the notifications appear to not be working on any of the test systems we have it on. I could be completely wrong about how to set it.
Current settings are; 1. I am on 10.10.4 on one system and 10.8.6 on another. KerbMind is not installed. (Don’t know if I need this or not. From what I read, I don’t think so.) 3. My password will expire in 75 days. (I know this is accurate as I’m able to verify in Active Directory and also what ADPassMon is showing me.
AD user doesn’t have a Mobile Account. (Could this matter?) 5. User shows in Users & Groups and ADPassMon is set to run as a login item 6.
ADPassMon is checked in Security & Privacy/Accessibility 7. ADPassMon is in the Notifications Center with all options checked and ‘alert style’ set to Banners.
Visit Dashlest Not Showing Osversion Correctly For Mac Free
ADPassMon preferences does have the “Use Notifications” box checked. If I set this for 74 days, then tomorrow I should get a notification about my password getting ready to expire correct? This is the problem I run into, as it doesn’t do that.
Everything seems to work except for the notifications part. Please let me know if my configuration is somehow lacking. Thank you for this product!
You have done an amazing job and this is SO needed. Kris, I verified in 10.10.4 that notifications were not appearing when they should. I added a small tweak to my code and also added a logging entry. To test, please set your warning threshold higher than the number of remaining days and then choose “Re-check Expiration” from the menu.
Also have Console.app open with a search filter of “ADPassMon” so you can see what it’s doing. You should see a “Triggering Notification” line appear. If you see the “Triggering Notification” line but do not see a banner, then click the Notification Center icon in the menu bar and see if the notification is there.
This happened to me a few times. I didn’t see a banner appear but the notification did make it into Notification Center. That may be an Apple bug.
With as quickly as you are responding, I certainly don’t mind being your beta tester.:) Let me make sure I did this correct as well. Exited ADPassMon 2. Trashed app 3.
Trashed Preference file /Preferences/org.pmbuko.ADPassMon.plist 4. Copied the new ADPassMon.app to /Applications 5. Opened Console 6. Ran ADPassMon. Gave me crap about the wrong AD password. Trashed all the tickets in ticket viewer. Trashed Preferences again.
Set threshold to 79 days (password will expire in 75 days). Clicked “Test Settings” 13. Checked Console and got the following. 7/31/15 9:15:30.471 AM ADPassMon72609: Triggering notification 7/31/15 9:16:51.622 AM com.apple.preference.notifications.remoteservice72674: Failed to connect (okButton) outlet from (NCPrefAppDetailController) to (NSButton): missing setter or instance variable 14. Started typing this. Per your instructions, clicked on “Re-Check Expiration” 16.
Notification popped right up with the following information 7/31/15 9:29:31.394 AM ADPassMon72609: Starting auto process 7/31/15 9:29:31.394 AM ADPassMon72609: Found expireDateUnix in plist: 7/31/15 9:29:31.684 AM ADPassMon72609: Got expireDateUnix: 7/31/15 9:29:31.685 AM ADPassMon72609: Using msDS method 7/31/15 9:29:31.724 AM ADPassMon72609: daysUntilExp: 62963 7/31/15 9:29:31.724 AM ADPassMon72609: daysUntilExpNice: 75 7/31/15 9:29:31.725 AM ADPassMon72609: Triggering notification 17. Tried the ADPassMon pref “Test Settings” button again, appears to just sit at “Triggering notification” Did notice that when I click “Test Settings” it shows up right away in the Notification Panel, I just don’t get the pop up.
Let me know how else I might be able to help test this. Peter, Have you ever seen this behavior in ADPassMon? 1) User is on the network with the AD and is successful in communicating with it.
2) The next time the user powers up the system, they are now remote to the network with the AD. The number of days until password expiration remains as it was when the system was last on the internal network.
For this example, lets say this is over the weekend. 3) User comes back in to the office where the AD network is and successfully authenticates with AD. However the number of days until password expiration still has not changed since the last time they were on the network. In my example its been at least 2 days due to the weekend so the time to expiration “should” have decreased by 2. This number will not change unless the user selects “Re-check Expiration” from the ADPassMon dropdown.
I’ve left the system on for consecutive days and it seems as if its not checking. However if I turn off a system that had last been on the AD network and leave it off for multiple days and then log back into it again while connected to the AD network it WILL show the correct password expiration. This might be something easy but I have not been able to discover what the issue is. We are looking at the latest version of ADPassMon (1.11.4) and MacOS of 10.10.5. We are really hoping to use this app in our environment to help with our AD deployment but want to clear this one up as I have a lot of users who travel frequently and are off the network for periods of time.
Thanks, –Darren.
Seems like a good one file library to do this.