User password? Or computer password?
I had to do something similar that was checking if a user was created or removed from AD. I used ldapsearch.
Stolen from: https://applehelpwriter.com/2018/03/14/6228/
echo; echo "Password Last Changed:"
# Local accounts only: skip the hidden _service accounts, daemon and nobody.
u=$(dscl . list /Users | egrep -v '^_|daemon|nobody')
for i in $u; do
    printf '\n%s\t' "$i"
    # passwordLastSetTime lives inside the account's accountPolicyData plist as a <real> epoch value.
    t=$(dscl . read /Users/"$i" | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}')
    date -j -f %s "$t" 2> /dev/null
done
Without knowing the context of your use for it, you may have to adapt it for your needs.
Second question is, are these Macs joined to AD, and are the accounts mobile AD accounts or otherwise from AD?
If the answer is yes, and if you know the domain path resource to check against, and the user account is from AD, then something like the below would work. This is extracted from a larger script that compiled a lot of info into a special menu item, from a while back. I don't use it anymore, but the script pieces still work.
#!/bin/bash
# Maximum password age from the domain policy, in days, and the same value in seconds.
daysPWValid="60"
secsPWValid=$((60*60*24*daysPWValid))
timeNow=$(date +"%s")
# dscl node for the AD domain; replace ORG with your forest/domain name.
domainPath="/Active Directory/ORG/All Domains"
# Account currently logged in at the console.
currentUser=$(stat -f%Su /dev/console)
# SMBPasswordLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
lastPWChangeRaw=$(dscl "$domainPath" read /Users/"${currentUser}" SMBPasswordLastSet | cut -d' ' -f2)
if [ "$lastPWChangeRaw" != "" ]; then
    # FILETIME -> Unix epoch seconds (the 1601-to-1970 offset is 11644473600 seconds).
    lastPWChangeTrue=$((lastPWChangeRaw/10000000-11644473600))
    nextPWChangePlusTime=$((lastPWChangeTrue+secsPWValid))
    # macOS date: -j means do not set the clock, -f "%s" parses epoch seconds.
    nextPWChange=$(date -jf "%s" "$nextPWChangePlusTime" +"%Y-%m-%d %H:%M:%S")
    daysToChange=$(((nextPWChangePlusTime-timeNow)/60/60/24))
    echo "Next Password Change: ${nextPWChange}, $daysToChange Days"
else
    echo "No Last Password Set date was found."
    exit 0
fi
Cool. That ran cleanly @ryan.ball but the password change date for my account is incorrect.
If you are looking to pull that directly from AD, you'd need to look at ldapsearch like @Nix4Life mentioned. I assume the fields using dscl are from the Mac's perspective. If you want AD Attribute values, use ldapsearch.
Using ldapsearch:
#!/bin/bash
# Console user via SystemConfiguration (the python one-liner widely used in Jamf scripts).
# Note: /usr/bin/python is no longer present on macOS 12.3 and later; on those systems
# use stat -f%Su /dev/console instead.
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# Fill these in for your environment.
domain=""        # domain controller host name
shortDomain=""   # NetBIOS domain name
searchBase=""    # e.g. DC=example,DC=com
echo -n "Enter AD Reader's Username: "
read -r ldapUser
ldapUser="$shortDomain\\$ldapUser"
echo -n "Enter $ldapUser's Pass: "
read -r -s ldapPass
echo
# Simple bind; -LLL strips LDIF version and comment lines. Passing the password with -w
# makes it visible in the process list; ldapsearch -W prompts for it instead.
pwdLastSet=$(ldapsearch -LLL -h "$domain" -x -D "$ldapUser" -w "$ldapPass" -b "$searchBase" "sAMAccountName=$loggedInUser" pwdLastSet | awk '/^pwdLastSet:/ {print $2}')
if [ -z "$pwdLastSet" ]; then
    echo "No pwdLastSet value returned for $loggedInUser."
    exit 1
fi
# pwdLastSet is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC).
pwdLastSetEpoch=$((pwdLastSet/10000000-11644473600))
pwdLastSetReadable=$(date -r "$pwdLastSetEpoch" '+%m/%d/%Y:%H:%M:%S')
echo "$loggedInUser's password last set: $pwdLastSetReadable"
exit 0
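Both scripts above (the dscl/SMBPasswordLastSet one and the ldapsearch/pwdLastSet one) hinge on the same conversion: AD stores the last-set time as a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC, so dividing by 10,000,000 and subtracting 11644473600 gives Unix epoch seconds. The following is an added example, not code from anyone in this thread, that isolates that conversion into reusable functions and also handles the two special values a real directory returns: pwdLastSet of 0 (the user must change the password at next logon) and the 9223372036854775807 sentinel (never expires). The function names, the 60-day maximum age and the LDIF sample are constructed for the example; it uses only POSIX shell arithmetic, so it runs on macOS and Linux without the macOS-only date -j flags.

```shell
#!/bin/sh
# Added example: convert AD pwdLastSet / SMBPasswordLastSet (Windows FILETIME)
# to Unix epoch seconds and compute days until the password expires.
# Assumptions (not from the thread): function names, 60-day policy, sample LDIF.

# Seconds between 1601-01-01 and 1970-01-01.
FILETIME_EPOCH_OFFSET=11644473600
# AD's "never" sentinel (max signed 64-bit value).
FILETIME_NEVER=9223372036854775807

# filetime_to_epoch FILETIME
# Prints Unix epoch seconds; returns 1 (prints nothing) for empty, non-numeric
# or sentinel input so callers never do arithmetic on garbage.
filetime_to_epoch() {
    ft="$1"
    case "$ft" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$ft" = "$FILETIME_NEVER" ]; then
        return 1
    fi
    echo $(( ft / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# days_until_expiry FILETIME MAXAGE_DAYS NOW_EPOCH
# Prints whole days remaining (negative when already expired), or one of the
# status words "must-change" (pwdLastSet == 0), "never" (sentinel), "unknown".
days_until_expiry() {
    ft="$1"; max_days="$2"; now="$3"
    case "$ft" in
        ''|*[!0-9]*) echo "unknown"; return ;;
        0)           echo "must-change"; return ;;
    esac
    if [ "$ft" = "$FILETIME_NEVER" ]; then
        echo "never"; return
    fi
    last_set=$(filetime_to_epoch "$ft")
    expires=$(( last_set + max_days * 86400 ))
    echo $(( (expires - now) / 86400 ))
}

# Constructed sample of what ldapsearch -LLL prints for the attribute.
# The value decodes to 1555526400 (2019-04-17 18:40:00 UTC).
SAMPLE_LDIF='dn: CN=jdoe,OU=Users,DC=example,DC=com
pwdLastSet: 132000000000000000'

# Extract the attribute from LDIF the same way the thread's script does.
pwdLastSet=$(printf '%s\n' "$SAMPLE_LDIF" | awk '/^pwdLastSet:/ {print $2}')

now=$(date +%s)
echo "pwdLastSet raw:    $pwdLastSet"
echo "pwdLastSet epoch:  $(filetime_to_epoch "$pwdLastSet")"
echo "days until expiry: $(days_until_expiry "$pwdLastSet" 60 "$now") (60-day policy)"
```

In a real script, feed the value from the ldapsearch or dscl pipeline into these functions instead of SAMPLE_LDIF; the status words matter because a plain arithmetic conversion of 0 yields a date in 1601 and the sentinel overflows into nonsense, both of which the original scripts would happily print.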
net user <username> /domain
Nice, this is what I'm looking for, but:
1) The login user password is different and the AD user password is different; do we have any script to sync them?
2) The user is working from home and needs to connect to the VPN for the validation check.
3) The user ID is the same; Mac login user validation is required.
4) No LAPS; the user just has a local admin account.
Please help if you have any script like this.