Question

Extension Attribute: Local Account Password Change Date

  • February 12, 2019
  • 8 replies
  • 67 views


Does anyone have an EA (or a script) that is able to display the date of a password change for local accounts? I'm trying to track if any of our users are changing the root password or our local admin account password after the computer is deployed.

I've seen a few for network bound accounts, but I need it to run on local accounts. So far, I've pulled this:

Found Here

#!/bin/sh

echo; echo Password Last Changed:
# Local accounts, skipping system and service accounts
u=$(dscl . list /Users | egrep -v '^_|daemon|nobody')
for i in $u; do
    printf '\n%s\t' "$i"
    currentUser=$i
    # passwordLastSetTime is stored as a <real> epoch value in the user record
    t=$(dscl . read /Users/"$currentUser" | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}')
    # Prints the full date and time; the fractional seconds trigger a warning, hence 2> /dev/null
    date -j -f %s "$t" 2> /dev/null
done

I can get the full date and time, but I can't seem to get it to just show a date (time is a little more info than I need) and just clutters up the info.

8 replies

  • Contributor
  • February 12, 2019

@TJ.Edgerly take a look at this thread..


  • Valued Contributor
  • February 12, 2019

@TJ.Edgerly I'm using Jamf's script: https://github.com/jamf/Current-User-Password-Age

And I pair that with a policy that warns users of an upcoming pw expiration.


daniel_ross
  • Jamf Heroes
  • January 6, 2022

@sshort do you still have that EA?  Looks like the old GitHub got removed.


  • Valued Contributor
  • January 12, 2022

ugh, that sucks that it's removed! I used that EA at a previous job, and I can't find it in my old notes.


daniel_ross
  • Jamf Heroes
  • March 17, 2022

It's all good. We've still had no luck finding it elsewhere, but if you ever do find it, I'm still here haha.


  • New Contributor
  • May 3, 2022

This may not be exactly what you're looking for, but this script at least worked on my system when I tested it. I'm still waiting for the EA to kick in with some inventory updates, and I'll follow up more from there, but if you need this, I'll share what I've built. 

 

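#!/bin/bash

# Epoch timestamp for 80 days ago
timeStamp80dBack=$(date -v-80d -u +"%s")
# User currently logged in at the console (empty at the login window)
last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Whole-second epoch of the last password change, read from accountPolicyData
pwLastChangeEpoch=$(dscl . read "/Users/${last_user}" accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\\([0-9]*\\).*/\\1/p")

# An empty value (no console user, or no passwordLastSetTime) would break the numeric test
if [ -z "$pwLastChangeEpoch" ]; then
    echo "Unknown"
elif [ "$pwLastChangeEpoch" -lt "$timeStamp80dBack" ]; then
    echo "More than 80 Days ago"
else
    echo "Less than 80 Days ago"
fi

exit 0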

  • New Contributor
  • May 4, 2022

Sorry, the script works, but not as an EA. Here's the update to have it work properly as an EA. 

 

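#!/bin/bash

# Epoch timestamp for 80 days ago
timeStamp80dBack=$(date -v-80d -u +"%s")
# User currently logged in at the console (empty at the login window)
last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Whole-second epoch of the last password change, read from accountPolicyData
pwLastChangeEpoch=$(dscl . read "/Users/${last_user}" accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\\([0-9]*\\).*/\\1/p")

# Jamf reads the extension attribute value from the <result> tags
if [ -z "$pwLastChangeEpoch" ]; then
    echo "<result>Unknown</result>"
elif [ "$pwLastChangeEpoch" -lt "$timeStamp80dBack" ]; then
    echo "<result>More than 80 Days ago</result>"
else
    echo "<result>Less than 80 Days ago</result>"
fi

exit 0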

  • Author
  • Contributor
  • May 4, 2022

Ended up going with this:

 

#!/bin/bash

# Owner of /dev/console, i.e. the user logged in at the console
curUser=$(ls -l /dev/console | cut -d " " -f 4)
# Password age in whole days: (now - passwordLastSetTime) / 86400
passwordAge=$(expr $(expr $(date +%s) - $(dscl . read /Users/${curUser} | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}' | awk -F'.' '{print $1}')) / 86400)
echo "<result>${passwordAge}</result>"

Not perfect, but worked for my needs.
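
For the original question (a date without the time, for every local account rather than only the console user), the following is an added example and not code from any poster in this thread. The function names and the sample accountPolicyData text are constructed for illustration, and dates are reported in UTC.

```shell
#!/bin/bash
# Added example (not from the thread): date-only password-change report for local accounts.

# Constructed sample of `dscl . read /Users/<name> accountPolicyData` output.
sample_policy() {
    cat <<'EOF'
accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1540000000.5</real>
    <key>passwordLastSetTime</key>
    <real>1549972800.123456</real>
</dict>
</plist>
EOF
}

# Read accountPolicyData on stdin; print passwordLastSetTime as whole seconds.
pw_epoch_from_policy() {
    awk '/<key>passwordLastSetTime<\/key>/ {
        getline; gsub(/[^0-9.]/, ""); sub(/\..*/, ""); print; exit
    }'
}

# Print an epoch as YYYY-MM-DD (UTC). BSD date (macOS) takes -r, GNU date takes -d @.
epoch_to_date() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # reject empty or non-numeric input
    date -u -r "$1" +%Y-%m-%d 2>/dev/null || date -u -d "@$1" +%Y-%m-%d
}

# One "user: date" line per local account, skipping system accounts as in the question.
report_all() {
    dscl . list /Users | grep -Ev '^_|daemon|nobody' | while read -r u; do
        e=$(dscl . read "/Users/$u" accountPolicyData 2>/dev/null | pw_epoch_from_policy)
        printf '%s: %s\n' "$u" "$(epoch_to_date "$e" || echo unknown)"
    done
}

# Emit the extension attribute only where dscl exists (macOS).
if command -v dscl >/dev/null 2>&1; then
    echo "<result>$(report_all)</result>"
fi
```

Accounts with no passwordLastSetTime in their policy data are reported as "unknown" rather than causing an error, so a missing value stands out in inventory.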