I don't have a bound machine but if you give me what that returns I'm sure I can show you how to convert it.

Our AD passwords expire every 90 days and I have an Extension Attribute that reports on the number of days up until the last two weeks of expiration.

#!/bin/bash
pwPolicy=90
user=`/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'`
lastpwdMS=`dscl localhost read /Active Directory/<DOMAIN>/All Domains/Users/$user | grep SMBPasswordLastSet  | cut -d' ' -f 2`
todayUnix=`date "+%s"`
lastpwdUnix=`expr $lastpwdMS / 10000000 - 11644473600`
diffUnix=`expr $todayUnix - $lastpwdUnix`
diffdays=`expr $diffUnix / 86400`
daysremaining=`expr $pwPolicy - $diffdays`
if [[ "$daysremaining" -gt 0 && "$daysremaining" -lt "15" ]]; then
echo "<result>2 Weeks</result>";
else
echo "<result>$daysremaining</result>";
fi

@iJake the results is as follows:
SMBPasswordLastSet: 131426115105227560

@daniel.behan Thanks that is useful, but what I really need is the date the password was last changed to be visible.

If you have access to a bound Windows PC or VM, you can use the Account Lockout Status tool to find that for any AD accounts. I use this on a daily basis. The Last Password Set column displays time and date. It works well as long as your AD account is privileged to see that kind of info for other users. You may need to work with your AD administrators to get your AD permissions right.

#!/bin/bash

adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME/" -read /Users/USERNAME pwdLastSet)

adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")

echo $adPwdLastSetHuman

Add the parts where you figure out domain and username. You can play with formatting of how you want the date outputted. Here is a guide for the BSD date command.

@iJake Thanks. I'm getting an error on the second command.

line 5: (SMBPasswordLastSet: 131426115105227560/10000000)-11644473600: missing `)' (error token is ": 131426115105227560/10000000)-11644473600")

I can confirm that the first command is working by commenting out the rest and echoing the first variable.

I dont see any obvious syntax errors.

Paste your copy of the whole script.

The only edit is the domain name. note that the number in the erro is the correct result of the pwdLastSet command.

!/bin/bash

adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME" -read /Users/ssavarese pwdLastSet)

adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")

echo $adPwdLastSetHuman

Run the script in debug mode (bash -x /PATH/TO/SCRIPT) and then paste the output. Try to use the code markdown tag too so it's easier to read.

+ dscl '/Active Directory/DOMAINNAME' -read /Users/ssavarese pwdLastSet
adPwdLastSetNT='dsAttrTypeNative:pwdLastSet: 131426115105227560'
/Users/ssavarese/Desktop/passworddate.sh: line 5: (dsAttrTypeNative:pwdLastSet: 131426115105227560/10000000)-11644473600: missing `)' (error token is ":pwdLastSet: 131426115105227560/10000000)-11644473600")
adPwdLastSetHuman=
echo

I don't know how to use the code markdown tag. Sorry, Im not a developer, but I follow instructions well if you want to tell me how :)

You rock! Thanks for taking the time to help me @iJake

This will be a very useful tool for me. Very much appreciated.

Glad to help, @ssavarese