I don't have a bound machine, but if you give me what that returns, I'm sure I can show you how to convert it.
Our AD passwords expire every 90 days and I have an Extension Attribute that reports on the number of days up until the last two weeks of expiration.
#!/bin/bash
# Password policy length in days
pwPolicy=90
# Currently logged-in console user
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# SMBPasswordLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01
lastpwdMS=$(dscl localhost read "/Active Directory/<DOMAIN>/All Domains/Users/$user" | grep SMBPasswordLastSet | cut -d' ' -f 2)
todayUnix=$(date "+%s")
# Convert ticks to seconds, then shift from the 1601 epoch to the 1970 Unix epoch
lastpwdUnix=$(expr $lastpwdMS / 10000000 - 11644473600)
diffUnix=$(expr $todayUnix - $lastpwdUnix)
diffdays=$(expr $diffUnix / 86400)
daysremaining=$(expr $pwPolicy - $diffdays)
# Report "2 Weeks" during the final two weeks, otherwise the day count
if [[ "$daysremaining" -gt 0 && "$daysremaining" -lt 15 ]]; then
    echo "<result>2 Weeks</result>"
else
    echo "<result>$daysremaining</result>"
fi
@iJake the result is as follows:
SMBPasswordLastSet: 131426115105227560
@daniel.behan
Thanks that is useful, but what I really need is the date the password was last changed to be visible.
If you have access to a bound Windows PC or VM, you can use the Account Lockout Status tool to find that for any AD accounts. I use this on a daily basis. The Last Password Set column displays time and date. It works well as long as your AD account is privileged to see that kind of info for other users. You may need to work with your AD administrators to get your AD permissions right.
#!/bin/bash
adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME/" -read /Users/USERNAME pwdLastSet)
adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")
echo $adPwdLastSetHuman
Add the parts where you figure out domain and username. You can play with formatting of how you want the date outputted. Here is a guide for the BSD date command.
@iJake
Thanks. I'm getting an error on the second command.
line 5: (SMBPasswordLastSet: 131426115105227560/10000000)-11644473600: missing `)' (error token is ": 131426115105227560/10000000)-11644473600")
I can confirm that the first command is working by commenting out the rest and echoing the first variable.
I don't see any obvious syntax errors.
Paste your copy of the whole script.
The only edit is the domain name. Note that the number in the error is the correct result of the pwdLastSet command.
#!/bin/bash
adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME" -read /Users/ssavarese pwdLastSet)
adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")
echo $adPwdLastSetHuman
Run the script in debug mode (bash -x /PATH/TO/SCRIPT) and then paste the output. Try to use the code markdown tag too so it's easier to read.
+ dscl '/Active Directory/DOMAINNAME' -read /Users/ssavarese pwdLastSet
adPwdLastSetNT='dsAttrTypeNative:pwdLastSet: 131426115105227560'
/Users/ssavarese/Desktop/passworddate.sh: line 5: (dsAttrTypeNative:pwdLastSet: 131426115105227560/10000000)-11644473600: missing `)' (error token is ":pwdLastSet: 131426115105227560/10000000)-11644473600")
adPwdLastSetHuman=
echo
I don't know how to use the code markdown tag. Sorry, I'm not a developer, but I follow instructions well if you want to tell me how :)
The markdown tags are right above where you type in your message.
I see the problem; I didn't expect the result to not just be the number.
#!/bin/bash
# dscl prints "dsAttrTypeNative:pwdLastSet: <value>", so keep only the last field
adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME/" -read /Users/USERNAME pwdLastSet | awk '{print $NF}')
# pwdLastSet is 100-nanosecond ticks since 1601-01-01: divide down to seconds,
# subtract the 1601-to-1970 offset, then let BSD date format the Unix timestamp
adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")
echo "$adPwdLastSetHuman"
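The conversion behind both scripts in this thread (daniel.behan's days-remaining extension attribute and iJake's pwdLastSet-to-date one-liner), written out as an added example that is not code from either poster. It assumes the dscl line format shown in the debug output above, treats a value of 0 as AD's "must change password at next logon" marker, and works with either BSD or GNU date so the arithmetic can be checked off a bound Mac.

```shell
#!/bin/sh
# Added example (not from the thread). Converts an AD pwdLastSet /
# SMBPasswordLastSet value (a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC) to Unix epoch seconds, then to a date and a days-remaining
# figure for a 90-day policy. Accepts either the bare number or the full
# dscl line ("dsAttrTypeNative:pwdLastSet: 131426115105227560").

# Seconds between 1601-01-01 and 1970-01-01 (the constant both scripts use).
EPOCH_DIFF=11644473600

# Print the epoch on stdout. Exit 1 if the value is missing or not a
# number, exit 2 if it is 0 (AD's "must change password at next logon").
filetime_to_epoch() {
    ticks=${1##* }                      # keep the last field of the dscl line
    case $ticks in
        '' | *[!0-9]*) return 1 ;;
        0) return 2 ;;
    esac
    echo $(( ticks / 10000000 - EPOCH_DIFF ))
}

# Days left under a policy of $3 days (default 90), given the last-set epoch
# and the current epoch; "now" is a parameter so the result is reproducible.
days_remaining() {
    echo $(( ${3:-90} - ($2 - $1) / 86400 ))
}

# Render an epoch as a UTC timestamp on macOS (BSD date) or Linux (GNU date).
epoch_to_date() {
    date -u -j -r "$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null ||
        date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'
}

# Constructed sample: the dscl output quoted earlier in this thread.
sample='dsAttrTypeNative:pwdLastSet: 131426115105227560'
if epoch=$(filetime_to_epoch "$sample"); then
    echo "password last set: $(epoch_to_date "$epoch") UTC"
    echo "days remaining:    $(days_remaining "$epoch" "$(date +%s)" 90)"
else
    echo "pwdLastSet unavailable, non-numeric, or 0 (change required at next logon)"
fi
```

Feeding the sample value through gives 1498137910, i.e. 2017-06-22 13:25:10 UTC; wire `dscl ... pwdLastSet` in place of the sample string on a bound Mac.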
You rock! Thanks for taking the time to help me @iJake
This will be a very useful tool for me. Very much appreciated.