Extension Attribute: Local Account Password Change Date

Does anyone have a EA (or a script) that is able to display the date of a password change for local accounts? I'm trying to track if any of our users are changing the root password or our local admin account password after the computer is deployed.

I've seen a few for network bound accounts, but i need it run on local accounts. So far, i've pulled this:

Found Here

#!/bin/sh



echo; echo Password Last Changed:; u=$(dscl . list /Users | egrep -v '^_|daemon|nobody'); for i in $u; do printf \\n$i\\t; currentUser=$i;t=$(dscl . read /Users/"$currentUser" | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}'); date -j -f %s "$t" 2> /dev/null; done

I can get the full date and time, but i cant seem to get it to just show a date (time is a little more info than I need) and just clutters up the info.

Page 1 / 1

@TJ.Edgerly take a look at this thread..

@TJ.Edgerly I'm using Jamf's script: https://github.com/jamf/Current-User-Password-Age

And I pair that with a policy that warns users of an upcoming pw expiration.

@TJ.Edgerly I'm using Jamf's script: https://github.com/jamf/Current-User-Password-Age

And I pair that with a policy that warns users of an upcoming pw expiration.

@sshort do you still have that EA? Looks like the old GitHub got removed.

ugh, that sucks that it's removed! I used that EA at a previous job, and I can't find it in my old notes.

It's all good we've still had no luck finding it elsewhere but if you ever do find it I'm still here haha.

This may not be exactly what you're looking for, but this script at least worked on my system when I tested it. I'm still waiting for the EA to kick in with some inventory updates, and I'll follow up more from there, but if you need this, I'll share what I've built.

#!/bin/bash

timeStamp80dBack=$(date -v-80d -u +"%s")

last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name

&& ! /loginwindow/ { print $3 }' )

pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\$[0-9]*\$.*/\\1/p")

if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then

echo "More than 80 Days ago"

else

echo "Less than 80 Days ago"

exit 0

#!/bin/bash

timeStamp80dBack=$(date -v-80d -u +"%s")

last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name

&& ! /loginwindow/ { print $3 }' )

pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\$[0-9]*\$.*/\\1/p")

if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then

echo "More than 80 Days ago"

else

echo "Less than 80 Days ago"

exit 0

Sorry, the script works, but not as an EA. Here's the update to have it work properly as an EA.

#!/bin/bash

timeStamp80dBack=$(date -v-80d -u +"%s")

last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name

&& ! /loginwindow/ { print $3 }' )

pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\$[0-9]*\$.*/\\1/p")

if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then

echo "<result>More than 80 Days ago</result>"

else

echo "<result>Less than 80 Days ago</result>"

exit 0

Ended up going with this:

#!/bin/bash



curUser=$(ls -l /dev/console | cut -d " " -f 4)

passwordAge=$(expr $(expr $(date +%s) - $(dscl . read /Users/${curUser} | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}' | awk -F'.' '{print $1}')) / 86400)

echo "<result>${passwordAge}</result>"

Not perfect, but worked for my needs.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded