macOSLAPS - GitHub Project

2016, Jul 12    

This morning I published my macOSLAPS project. This Python script will allow your machine to contact Active Directory and determine if the local administrator password expiration time has passed. If it has passed, then the password will be changed to something random and published back to Active Directory.

To perform this I have chosen to use Python and make use of subprocess to call the native macOS Directory Utility. This means that when run as root, the authentication to Active Directory is done using the computer account, which can only access its own attributes. We will be changing ms-Mcs-AdmPwd based on the value read from ms-Mcs-AdmPwdExpirationTime. We will also convert the time from "Windows NT" time to Epoch Time and finally a timestamp. If the password is changed, then we will write a new expiration time back to AD based on your specification.

Settings for this script are stored in /Library/Preferences/edu.psu.macOSLAPS.plist. This also means that you can utilize your own MDM service and use /Library/Managed Preferences. The default values are:

LocalAdminAccount - 'admin'
PasswordLength - 8
DaysTillExpiration - 60
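
The time conversion and expiry check described above, sketched as an added example (this is not code from macOSLAPS itself). The function names are hypothetical, the sample attribute value is constructed, and the directory read and write are left out; only the defaults of 8 and 60 come from the list above.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# "Windows NT" time counts 100-nanosecond ticks since 1601-01-01 UTC.
TICKS_PER_SECOND = 10_000_000
EPOCH_DELTA_SECONDS = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

def nt_to_epoch(nt_time):
    """NT time (int or the decimal string AD returns) -> Unix epoch seconds."""
    return int(nt_time) // TICKS_PER_SECOND - EPOCH_DELTA_SECONDS

def epoch_to_nt(epoch_seconds):
    """Unix epoch seconds -> NT time, ready to write back to the directory."""
    return (int(epoch_seconds) + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND

def nt_to_datetime(nt_time):
    """NT time -> timezone-aware UTC datetime (the readable timestamp)."""
    return datetime.fromtimestamp(nt_to_epoch(nt_time), tz=timezone.utc)

def is_expired(nt_expiration, now=None):
    """True once the stored expiration has passed.
    Assumption: a missing or zero attribute is treated as expired, so a
    machine that has never rotated gets a password on its first run."""
    now = now or datetime.now(timezone.utc)
    if nt_expiration in (None, "", "0", 0):
        return True
    return nt_to_datetime(nt_expiration) <= now

def new_password(length=8):
    """Random password from the OS CSPRNG (letters and digits only here)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def next_expiration(days=60, now=None):
    """NT time that lies `days` after `now`."""
    now = now or datetime.now(timezone.utc)
    return epoch_to_nt((now + timedelta(days=days)).timestamp())

def rotation_plan(nt_expiration, length=8, days=60, now=None):
    """Return None while the password is still valid, otherwise the
    (password, new NT expiration) pair that would be written back."""
    if not is_expired(nt_expiration, now):
        return None
    return new_password(length), next_expiration(days, now)

if __name__ == "__main__":
    sample = "131127552000000000"  # constructed value: 2016-07-12 00:00:00 UTC
    print(nt_to_epoch(sample), nt_to_datetime(sample).isoformat())
    print(rotation_plan(sample))
```
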

I have tested this with my Active Directory and the results have been pretty decent; however, I have published the code so that others can test the script in their environment, as I would like to share this with everyone I can. Please head over to and give it a try.