ADPassMon updated to v2.20.7

I’ve neglected to post about the last few updates, but we are now at version 2.20.7.

There have been no major changes since my last announcement, but a few bugs have been fixed.

Change summary

  • General spiffing: Removed pre 10.8 code, polished other code, cleaned up comments, user feedback, and logging.
  • If password does not expire, the Re-check Expiration menu item and the Test Settings button in the prefs window are disabled. This prevents an expiration days count (typically a very large number) from being displayed.
  • Resolved an issue where the Create New Keychain button was not showing in the password dialog.
  • Resolved an issue where changing the expiration check interval did not take effect.
  • Resolved an issue where a “missing value” dialog box would appear when trying to change your password.

ADPassMon is “de-forking”

icon_forkBut first, some history. In April of 2014, Ben Toms (aka macmule), released his fork of ADPassMon to the world. It has three main features that differentiate it from mine:

  1. Where my version relies on the native OS change password dialog box, Ben’s fork gives you the option of changing passwords using a dialog box provided by ADPassMon. One of the main advantages here is that you can customize the text displayed in the password window and tailor it to your environment. If your organization uses a web-based password changing service, Ben’s fork can even take users to that site.
  2. Ben’s fork can verify that the user’s login keychain password is correctly synced with their login password, and prompt to fix it when it is not. This is a big deal, as out-of-sync keychain passwords are a hassle for many Mac admins to deal with.
  3. The interval between AD password checks is user-configurable in Ben’s fork. My version used a fixed 12-hour interval.

Since the time of the great forking, Ben and I have both worked independently on our code, adding changes and fixing bugs here and there, so there has been a bit of drift and duplication of effort in the last year. After a fair bit of discussion and some false starts, we finally pooled our resources and have reunited our code into a single project.

So, without further ado…

We’re proud to announce ADPassMon v2.20!

In addition to the features listed above, this release brings the following:

  • Notification alerts now include a Change button, which takes you directly to your selected change password method.
  • Even though it was listed as a feature, “offline functionality” didn’t work correctly until now. The menu item now will now update to show the correct number of days remaining even if your computer has been away from the work network for a while.

Going forward, ADPassMon’s source code, releases, and documentation will be maintained and updated at

Since this is a big change for both forks, we’re still in pre-release mode. Please download and test the app and share your feedback. If you discover any issues, or have feature requests, we ask you to please let us know by submitting them to the github project.

KerbMinder updated to v1.2

This version incorporates fixes submitted via github that remedy the following issues:

  • When the kerberos principal’s realm and the AD directory domain that the computer is bound to do not match, KerbMinder was unable to properly renew the ticket. E.g. the kerberos principal can be FOO.EXAMPLE.COM while the AD domain can be EXAMPLE.COM. KerbMinder would try to use a realm matching the domain. This is not always a correct assumption.
  • The postinstall script for the .pkg installer contained two typos that caused the script to run incorrectly.

Thank you to Francois Levaux-Tiffreau and Noel B. A. both for your pull requests.

Download the v1.2 release here.

ADPassMon updated to v1.11.4

Download the latest release on GitHub.

New feature:

This version introduces a user-configurable check interval. You can adjust the check interval anywhere from 1 to 24 hours.


Bug fixes:

ADPassMon is designed to poll AD for password expiration info immediately upon launch, 15 seconds after the computer wakes from sleep, and/or every x hours as determined by the check interval. Blog commenter Andy May let me know that the automatic expiration check was not working properly. This release fixes that bug.

ADPassMon updated to v1.11.3

Hot on the heels of v1.11.2, this release addresses two issues:

  • Fixed an annoying bug where the Use Notifications checkbox in the Preferences window, and both the Enable Notifications and Enable KerbMinder menu items would not change state the first time they are selected.
  • Added a log entry for when ADPassMon triggers a Notification Center alert to help troubleshoot an issue where notifications were not being spawned.

Download this release from GitHub.

ADPassMon updated to v1.11.1

Alas, v1.11.0 was short-lived. (Is this what the call continuous delivery?) Fixing the accessibility test in the previous release revealed a bug in the accessibility test — thanks to Jason Bush for pointing it out — where ADPassMon asks to be allowed to control the GUI even if it has already been given permission to do so.

This version makes the test more robust, and also adds an accTest preference item. Setting this to ‘0’ manually will disable the accessibility test, e.g.

defaults write org.pmbuko.ADPassMon accTest 0

If you are packaging this app for deployment in your environment, you can add the above command to a post-install script.

Download the latest build here

ADPassMon updated to v1.11.0 (final)

I have significantly changed how ADPassMon gets password expiration values. With Windows Server 2008, MS introduced Fine Grained Password Policy, which could potentially make it difficult to determine the expiration date of passwords, so the exact date of account password expirations is computed and stored in a property called msDS-UserPasswordExpiryTimeComputed that you can retrieve in OS X with a simple dscl lookup. Since this may not work in all environments, ADPassMon will fall back to the old method of looking up the information if the new method fails. Manual mode, where you enter the password expiration days, is still an option.

Other bug fixes / new features:

  • ADPassMon will wait 15 seconds after waking before running to allow network connection to be established.
  • Fixed accessibility check routine that runs on startup to add ADPassMon to list of apps allowed to control the GUI. (This is used to bring up OS X’s Change Password dialog box.)
  • Fixed Change Password GUI scripting bug by adding a 1 second delay to allow the GUI to update fully.
  • Added a connectivity check that will disable the Change Password and Refresh Kerberos Ticket menu items if the domain cannot be reached.
  • Added a note to the preferences dialog box that instructs you to hit the Enter key if you change any of the text field values.

Download the latest release here.