ADPassMon updated to v1.11.4

Download the latest release on GitHub.

New feature:

This version introduces a user-configurable check interval. You can adjust the check interval anywhere from 1 to 24 hours.


Bug fixes:

ADPassMon is designed to poll AD for password expiration info immediately upon launch, 15 seconds after the computer wakes from sleep, and/or every x hours as determined by the check interval. Blog commenter Andy May let me know that the automatic expiration check was not working properly. This release fixes that bug.

ADPassMon v1.11.0 pre-release — please test

This pre-release contains a few significant changes, so I need your help testing it to make sure I haven’t inadvertently broken anything…

I have significantly changed how ADPassMon gets password expiration values. With Windows Server 2008, Microsoft introduced Fine Grained Password Policy, which could potentially make it difficult to determine the expiration date of passwords. To address this, the exact date of account password expirations is computed and stored in a property called msDS-UserPasswordExpiryTimeComputed that you can retrieve in OS X with a simple dscl lookup. Since this may not work in all environments, ADPassMon will fall back to the old method of looking up the information if the new method fails. Manual mode, where you enter the password expiration days, is still an option.
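The conversion behind that lookup, as an added example (not ADPassMon's own code): msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME, a count of 100-nanosecond intervals since 1601-01-01 UTC. The sample dscl line is constructed, the function names are hypothetical, and the dscl invocation in the comment is an assumption about how the attribute would be read.

```shell
#!/bin/sh
# Added example, not ADPassMon's code. Function names are hypothetical.
# On a bound Mac the input line would come from a lookup such as (assumed path):
#   dscl localhost read /Search/Users/"$USER" msDS-UserPasswordExpiryTimeComputed

NEVER=9223372036854775807       # 0x7FFFFFFFFFFFFFFF: password never expires
EPOCH_OFFSET=11644473600        # seconds between 1601-01-01 and 1970-01-01 (UTC)

# Extract the numeric FILETIME from one line of dscl output; reject anything else.
expiry_filetime() {
    value=${1##*: }
    case $value in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Print whole days left until expiry, "never", or "expired".
# $1 = dscl output line, $2 = current time in Unix seconds (date +%s).
days_until_expiry() {
    ft=$(expiry_filetime "$1") || { echo "unparseable"; return 1; }
    if [ "$ft" = "$NEVER" ]; then
        echo "never"; return 0
    fi
    # AD returns 0 when pwdLastSet is 0 (change required at next logon).
    expiry=$(( ft / 10000000 - EPOCH_OFFSET ))
    if [ "$ft" = 0 ] || [ "$expiry" -le "$2" ]; then
        echo "expired"; return 0
    fi
    echo $(( (expiry - $2) / 86400 ))
}

# Constructed sample line: 2015-01-01 00:00:00 UTC expressed as a FILETIME.
SAMPLE='dsAttrTypeNative:msDS-UserPasswordExpiryTimeComputed: 130645440000000000'
days_until_expiry "$SAMPLE" 1419206400    # "now" = 2014-12-22 00:00:00 UTC
```

Treating the two sentinel values separately matters: fed through the arithmetic, the "never expires" value would otherwise show up as a date tens of thousands of years away.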

I’ve also added a connectivity check that will disable the Change Password and Refresh Kerberos Ticket menu items if the domain cannot be reached.

Lastly, in addition to a few cosmetic changes, I have added a note to the preferences dialog box that instructs you to hit the Enter key if you change any of the text field values.

Download the pre-release here, and please let me know how this version works for you by either commenting here or at GitHub.

UPDATE: Link now points to the b2 release which adds a 15-second delay upon computer wake before ADPassMon runs its checks.

ADPassMon updated to 1.10.3

This release fixes a long-standing assumption (bug??). Until now, ADPassMon has assumed that your Mac’s primary DNS server is also an Active Directory server that can answer LDAP queries. With this release, AD LDAP server information is retrieved using the ‘dsconfigad’ and ‘dig’ commands. Specifically, the AD domain is retrieved using this command:

dsconfigad -show | awk '/Active Directory Domain/{print $NF}'

and the output of this command is used in place of DOMAIN in the following dig command:

dig -t srv _ldap._tcp.DOMAIN | /usr/bin/awk '/^_ldap/{print $NF}'
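The two lookups chained together, as an added example (not ADPassMon's code) that runs on constructed sample output instead of a live domain. It goes slightly beyond the page by ordering the SRV answers by priority and dropping targets outside the AD domain; ad.example.com, the host names and the function names are made up, and the suffix filter assumes domain controllers are named under the AD domain.

```shell
#!/bin/sh
# Added example; the sample output, domain and function names are constructed.
# On a bound Mac, feed the functions the output of `dsconfigad -show` and
# `dig -t srv _ldap._tcp.$domain` instead of the samples.

DSCONFIGAD_SAMPLE='Active Directory Forest          = ad.example.com
Active Directory Domain          = ad.example.com
Computer Account                 = mac01$'

DIG_SAMPLE=';; ANSWER SECTION:
_ldap._tcp.ad.example.com. 600 IN SRV 10 100 389 dc2.ad.example.com.
_ldap._tcp.ad.example.com. 600 IN SRV 0 100 389 dc1.ad.example.com.
_ldap._tcp.ad.example.com. 600 IN SRV 0 100 389 ldap.example.net.'

# Same filter as the page: last field of the "Active Directory Domain" line.
ad_domain() {
    printf '%s\n' "$1" | awk '/Active Directory Domain/{print $NF}'
}

# SRV answer fields: name ttl class SRV priority weight port target.
# Emit "host:port", lowest priority first, trailing root dot removed,
# keeping only targets inside the AD domain ($2).
ldap_servers() {
    printf '%s\n' "$1" |
    awk -v dom="$2" '/^_ldap/ && $4 == "SRV" {
        host = tolower($NF)
        sub(/\.$/, "", host)
        suffix = "." tolower(dom)
        n = length(host) - length(suffix)
        if (n > 0 && substr(host, n + 1) == suffix)
            print $5, host ":" $7
    }' | sort -n -k1,1 | awk '{print $2}'
}

domain=$(ad_domain "$DSCONFIGAD_SAMPLE")
ldap_servers "$DIG_SAMPLE" "$domain"
```

SRV answers come from plain DNS, so the suffix filter is only a sanity check on where LDAP queries get sent; environments with a disjoint DNS namespace would need an explicit list of expected hosts instead.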

Also new with this release:

I will now be hosting ADPassMon releases on GitHub instead of Dropbox. Please visit my ADPassMon releases page to download version 1.10.3.

ADPassMon has been forked!

A little over a month ago, a fellow from the UK contacted me about adding a few features to ADPassMon. We sent some emails back and forth and he decided to fork my ADPassMon GitHub repo and take a stab at modifying my code himself. He has just released his project as ADPassMon v2. I gave him a few pointers along the way, but all new features that differentiate it from my project are entirely his own work. I’m frankly impressed with how quickly he was able to wrap his head around AppleScript ObjC and achieve his feature goals.

If you are a current ADPassMon user, I encourage you to take a look at his detailed write-up and see if his fork will fit your environment better.

ADPassMon updated to 1.9.3

It’s bug-squashing season, apparently. This release is brought to you by Joe Pfeifer, who reported a bug with ADPassMon’s handling of the pwPolicy setting. This bug was interfering with ADPassMon’s ability to bring up the Change Password dialog. This should now work correctly, whether or not you have configured the pwPolicy setting.

Download version 1.9.3 here.

Tool: Get the path to an Active Directory user home

When you need to look up the path to an Active Directory user’s home directory, there are a few ways to get the information:

That last bullet point is the most convenient way, particularly because I’m about to tell you how to do it. We’ll use Automator to create a Service that uses AppleScript to get the home directory location of a username via a dscl query, and show the path in a dialog box in both Mac and Windows-friendly formats. As a bonus, we’ll let either of the paths be copied to the clipboard for easy pasting.

Before you start, I should note that this will only work on Macs that meet the following requirements:

  • running Mac OS 10.6 or later
  • bound to Active Directory

Sound good? Let’s begin.

Note: If you want to skip the tutorial, you can download the completed Automator service here, unzip it, and drop it into your ~/Library/Services folder. To use it, right-click on a username – it has to be showing in a Mac app somewhere as selectable text – then select Get AD Home from the pop-up menu or its Services submenu.

Make Your Own URL Protocol and Handler

One of the people I follow on Twitter recently posted the following:

It would be really useful for helpdesk if you could link to various OS X system elements, hyperlink style. Like System Preferences, etc.

That got me thinking. I know that apps can register themselves as handlers for certain URL types. Panic’s Transmit, for example, can handle FTP URLs: if you type “” into Safari, Panic will launch and try to connect to that URL. Since the pros can do it, I figured it would be possible to create a new URL protocol name so that if I typed “syspref://Network” into Safari, a simple app could parse that URL and tell System Preferences to open directly to the Network pane.

Turns out I was right. With the help of this page on, here’s how I did it.