Quick Summary and Features
ADPassMon is a small menu bar application that shows the number of days remaining until your Active Directory password expires. ADPassMon features:
- support for Mac OS X 10.6 through 10.11
- optional Growl or Notification Center alerts with adjustable warning period
- integrated Kerberos ticket renewal
- Change Password menu item, with optional password requirements reminder
- offline functionality via cached expiry information
- MCX support for ease of administration
This software is released under the MIT license.
Read enough? Download the correct version for your operating system:
Mac OS X 10.8 or newer (tested up through OS X 10.11)
Want to know more? Read on for the full story.
Most Active Directory sites require users to change their passwords at regular intervals – such as every 30, 60, 90, or 180 days. Unless you write your password expiration date on a calendar or set some other sort of reminder, it’s possible that your password will expire before you’ve had a chance to change it.
Mac OS X’s AD integration has come a long way in mitigating this issue. Since Mac OS 10.4, users with impending password expirations will be notified when they log in. If their password is set to expire within 24 hours, they will be forced to change their password before being allowed to log in. Administrators can adjust how long before password expiration to start showing these login screen warnings. This is not a foolproof solution, though. If you’re the kind of person who doesn’t regularly log out of your computer, you might go weeks without visiting the login screen, completely missing the warning period. If you can’t count on your operating system to keep you informed regardless of your use habits, what can you do?
ADPassMon, short for Active Directory Password Monitor, is a utility that solves this issue by providing up-to-date password expiration information at a glance. It places an item in the menu bar that shows the number of days remaining until the password expires, simply and unobtrusively. Here it is on the left.
Hovering your cursor over the icon reveals more precise information in a tooltip.
Clicking on the menu item reveals some additional features, which I’ll discuss further below.
Selecting the Preferences item reveals the program’s configuration options. Note the message area at the top of the window. It will normally display the full password expiration information, but it can also display errors or other messages affecting use of the application.
Auto or Manual Mode
By default, ADPassMon attempts to automatically acquire all the information it needs to calculate your password expiration information. This will not work in all environments, so the option to set the maximum password age manually is provided. If Auto mode results in an incorrect or negative password expiration value, then you should use Manual mode and provide your site’s maximum password age in days.
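The calculation behind the two modes, as an added example that is not ADPassMon's own code. The page does not say which directory attributes the app reads, so the use of pwdLastSet, the domain maxPwdAge and the userAccountControl flag here is an assumption, and the dates and values are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100-ns ticks since 1601-01-01 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag
ONE_DAY = timedelta(days=1)


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def domain_max_age(max_pwd_age_ticks):
    """Convert the domain maxPwdAge attribute (a negative 100-ns interval).
    Returns None when no maximum age is set (0 or the minimum int64)."""
    if max_pwd_age_ticks in (0, -(2 ** 63)):
        return None
    return timedelta(microseconds=abs(max_pwd_age_ticks) // 10)


def days_until_expiry(pwd_last_set, max_age, now, uac=0):
    """Days left (negative if already past), or None if the password never
    expires. pwdLastSet == 0 means a change is required at next logon."""
    if max_age is None or uac & DONT_EXPIRE_PASSWORD:
        return None
    if pwd_last_set == 0:
        return 0.0
    return (from_filetime(pwd_last_set) + max_age - now) / ONE_DAY


def demo():
    # Constructed sample: password set 70 days before "now".
    now = datetime(2015, 11, 10, tzinfo=timezone.utc)
    pwd_last_set = to_filetime(datetime(2015, 9, 1, tzinfo=timezone.utc))
    # Auto-style input: domain-wide maxPwdAge of 42 days, as raw ticks.
    auto = days_until_expiry(pwd_last_set, domain_max_age(-42 * 864_000_000_000), now)
    # Manual-style input: the site's real maximum age entered in days.
    manual = days_until_expiry(pwd_last_set, timedelta(days=90), now)
    return auto, manual


if __name__ == "__main__":
    print(demo())
```

In this constructed case the looked-up value yields a negative result while the manually entered 90-day age yields a positive one, which is the situation in which the paragraph above recommends Manual mode.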
Growl / Notification Center Alerts
If you have Growl installed or use OS X 10.8 with Notification Center, ADPassMon can optionally send you notifications of impending password expirations. Check the Enable Notifications box and enter the number of days before the password expires that you want the warnings to start appearing. Warnings will appear every 12 hours after the threshold is reached. Each warning will resemble the following:
ADPassMon can also acquire and/or renew Kerberos tickets for you. In OS 10.6, Apple buried the graphical Kerberos ticket management tool — Ticket Viewer.app — inside the /System/Library/CoreServices folder. ADPassMon lets you request a new ticket or renew an existing ticket right from its menu. (A Kerberos ticket is required if you’re using Auto mode, so you’ll be prompted to obtain a ticket if you launch ADPassMon and don’t have a ticket.) This menu item will be disabled if the app cannot communicate with your AD domain.
KerbMinder Integration (only in v1.10.0+)
If you have KerbMinder installed, ADPassMon will show an extra menu option that lets you enable and disable it.
Change Password Shortcut
ADPassMon’s menu provides a shortcut to Mac OS X’s standard password change interface. When you select it, System Preferences will automatically launch and show you the standard password change window.
This feature requires that ADPassMon be allowed to control the GUI in the Security & Privacy pref pane’s Accessibility settings. If it is not enabled, users with administrator access will be prompted to enable it when the program first launches.
Skip Accessibility Option Check
If you want to keep the Accessibility setup dialog box from appearing when your users first run ADPassMon, you can set the accTest preference value to 0 to disable it.
defaults write org.pmbuko.ADPassMon accTest 0
Password Policy Reminder
If you are an administrator and need an easy way to remind your users of your organization’s password complexity requirements, you can enable the password policy reminder feature by defining a pwPolicy key in ADPassMon’s plist file. You can do this either by editing the plist file directly with a plist editor (Xcode works well for this), or by setting the content of the reminder message in the terminal as follows:
defaults write org.pmbuko.ADPassMon pwPolicy "Your password requirement message goes here."
The password policy reminder dialog button’s default text is “OK”, but you can change it as follows:
defaults write org.pmbuko.ADPassMon pwPolicyButton "I understand"
When the pwPolicy value is set, a policy reminder alert like the one below will appear when you select Change Password from the ADPassMon menu. You must click the single button before you can change your password.
If you’re an administrator and wish to deploy this utility to your Macs, you can disable access to the Preferences window by adding a prefsLocked key and setting its value to true in the org.pmbuko.ADPassMon.plist. You can do this via MCX, or manually by entering this command in the terminal:
defaults write org.pmbuko.ADPassMon prefsLocked true
Users will still be able to enable or disable Growl/Notification Center alerts via the menu option.
If you’re experiencing trouble with ADPassMon, you can clear the settings and return the application to defaults by selecting the Reset tab in the Preferences window and clicking the Revert to Defaults button.
I have many people to thank for making this application possible.
- Jonathan Nathan, of JNSoftware, for providing sample code for a menu app written in AppleScript ObjectiveC
- Shane Stanley, for his excellent eBook, AppleScriptObjC Explored
- Andrew Thomson, for his work on the Password Monitor app on which ADPassMon is based
- John Welch, for recommending Shane’s book and inspiring me to start learning AppleScriptObjC
Last but not least, I give my sincere thanks to my beta testers: Joe Chilcote, Brian LaShomb, Joel Moses, Rusty Myers, Stephen Rayda, Tom Rodgers, and especially Rich Trouton. This app would have been less useful without their help.
This software is released under the terms of the MIT license.
Copyright (C) 2015 by Peter Bukowinski
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.