Help

Extension Attribute: Local Account Password Change Date

TJ_Edgerly
New Contributor III

Posted on ‎02-12-2019 01:13 PM

Does anyone have a EA (or a script) that is able to display the date of a password change for local accounts? I'm trying to track if any of our users are changing the root password or our local admin account password after the computer is deployed.

I've seen a few for network bound accounts, but i need it run on local accounts. So far, i've pulled this:

Found Here

#!/bin/sh

echo; echo Password Last Changed:; u=$(dscl . list /Users | egrep -v '^_|daemon|nobody'); for i in $u; do printf \n$i\t; currentUser=$i;t=$(dscl . read /Users/"$currentUser" | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}'); date -j -f %s "$t" 2> /dev/null; done

I can get the full date and time, but i cant seem to get it to just show a date (time is a little more info than I need) and just clutters up the info.

Labels:
0 Kudos
Reply
8 REPLIES 8

JustDeWon
Contributor III

Posted on ‎02-12-2019 01:19 PM

@TJ.Edgerly take a look at this thread..

0 Kudos
Reply

sshort
Valued Contributor

Posted on ‎02-12-2019 01:42 PM

@TJ.Edgerly I'm using Jamf's script: https://github.com/jamf/Current-User-Password-Age

And I pair that with a policy that warns users of an upcoming pw expiration.

Reply

daniel_ross
Contributor III
In response to sshort

Posted on ‎01-06-2022 02:06 PM

@sshort do you still have that EA?  Looks like the old GitHub got removed.

Reply

sshort
Valued Contributor
In response to daniel_ross

Posted on ‎01-12-2022 09:01 AM

ugh, that sucks that it's removed! I used that EA at a previous job, and I can't find it in my old notes.

0 Kudos
Reply

daniel_ross
Contributor III
In response to sshort

Posted on ‎03-16-2022 10:50 PM

It's all good we've still had no luck finding it elsewhere but if you ever do find it I'm still here haha.

0 Kudos
Reply

Age_Brown
New Contributor II
In response to daniel_ross

Posted on ‎05-03-2022 03:48 PM

This may not be exactly what you're looking for, but this script at least worked on my system when I tested it. I'm still waiting for the EA to kick in with some inventory updates, and I'll follow up more from there, but if you need this, I'll share what I've built. 

 

#!/bin/bash
 
timeStamp80dBack=$(date -v-80d -u +"%s")
last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\([0-9]*\).*/\1/p")
 
if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then
echo "More than 80 Days ago"
else
    echo "Less than 80 Days ago"
fi    
 
exit 0
0 Kudos
Reply

Age_Brown
New Contributor II
In response to Age_Brown

Posted on ‎05-04-2022 07:46 AM

Sorry, the script works, but not as an EA. Here's the update to have it work properly as an EA. 

 

#!/bin/bash
 
timeStamp80dBack=$(date -v-80d -u +"%s")
last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\([0-9]*\).*/\1/p")
 
if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then
echo "<result>More than 80 Days ago</result>"
else
    echo "<result>Less than 80 Days ago</result>"
fi    
 
exit 0
0 Kudos
Reply

TJ_Edgerly
New Contributor III

Posted on ‎05-04-2022 07:51 AM

Ended up going with this:

 

#!/bin/bash

curUser=$(ls -l /dev/console | cut -d " " -f 4)
passwordAge=$(expr $(expr $(date +%s) - $(dscl . read /Users/${curUser} | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}' | awk -F'.' '{print $1}')) / 86400)
echo "<result>${passwordAge}</result>"

Not perfect, but worked for my needs.

Reply