How to change password expiration warning intervals in OS X

Binding to an Active Directory or Open Directory domain is done in many work environments to centralize computing usage policies and increase network security. One of the common policies that may be enforced by Active or Open Directory domains is that passwords will need to be changed every so often.

When this happens, the system will warn you in advance of when the password is going to expire, and in some cases you might be bugged continually if the password expiration warning is set at an interval that is close to the domain’s requirement for password changes.

For instance, if a domain requires passwords to be changed every 30 days and if the system is set to warn you of the password change 20 days in advance, then regardless of when you change your password, the system will start bugging you for a password change every 10 days.

One option to fix this is to have your IT department change the password requirement policy; however, as many people working in corporations have found, when it comes to security measures, IT departments can be as stubborn and restrictive as it gets.

The second option is to change the settings on your computer for when the password expiration warning is to be displayed. This setting is stored in the login window preferences, and can be set by editing the “com.apple.loginwindow.plist” file located in the /Macintosh HD/Library/Preferences/ folder, which can be done by using a text editor that supports authentication (such as TextWrangler), or by using the “defaults” command as follows in the Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays NUMBER

In this command (run in administrative mode by using “sudo”), “NUMBER” is any number greater than 0, and sets how many days before the password expiration date the system will begin warning you of the impending expiration.

If you are currently logged in under a standard managed user account and wish to run the Terminal command above, the use of “sudo” by itself will not be enough since managed user accounts are not capable of running with administrative privileges and therefore will not be allowed to use the “sudo” command. In this case you will first need to know the credentials of an administrative account and then log into the terminal as that user with the following command:

su USERNAME

In this command, the “USERNAME” is the short name of an administrator account for the local system, and pressing enter will prompt you for the password for that account. From here you can run the command beginning with “sudo” above to change the password expiration warning times.
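
A wrapper around the “defaults” command above, as an added example that is not from the original article: it rejects any value that is not a whole number greater than 0, then reads the key back to confirm what was stored. The function names are hypothetical; the preference path and key are the ones given above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Domain and key are the ones the article gives; function names are hypothetical.
DOMAIN=/Library/Preferences/com.apple.loginwindow
KEY=PasswordExpirationDays

# Succeeds only for a whole number greater than 0 (the article's rule for NUMBER).
valid_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, negative, decimal or non-numeric
    esac
    [ "$1" -gt 0 ] 2>/dev/null
}

# Prints the current value, or "unset" if the key has never been written.
current_days() {
    defaults read "$DOMAIN" "$KEY" 2>/dev/null || echo unset
}

set_warning_days() {
    if ! valid_days "$1"; then
        echo "NUMBER must be a whole number greater than 0" >&2
        return 2
    fi
    echo "before: $(current_days)"
    # Same command as in the article; needs an administrator account.
    sudo defaults write "$DOMAIN" "$KEY" "$1" || return 1
    after=$(current_days)
    echo "after:  $after"
    # Read-back check: the stored value must be the one requested.
    [ "$after" = "$1" ]
}

# Run only when a value is passed on the command line.
if [ "$#" -eq 1 ]; then
    set_warning_days "$1"
fi
```

Because the file sits under /Library/Preferences, the value applies to every account that logs in on that Mac, not only the one that ran the command.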

Keep in mind that this will require you to have administrative access to your system, which many IT departments restrict for security purposes. Therefore unless you have an admin login and password, you might need to have an IT technician change the warning settings for your system.