Extension Attribute: Local Account Password Change Date

TJ_Edgerly
New Contributor III

Does anyone have a EA (or a script) that is able to display the date of a password change for local accounts? I'm trying to track if any of our users are changing the root password or our local admin account password after the computer is deployed.

I've seen a few for network bound accounts, but i need it run on local accounts. So far, i've pulled this:

Found Here

#!/bin/sh

echo; echo Password Last Changed:; u=$(dscl . list /Users | egrep -v '^_|daemon|nobody'); for i in $u; do printf \n$i\t; currentUser=$i;t=$(dscl . read /Users/"$currentUser" | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}'); date -j -f %s "$t" 2> /dev/null; done

I can get the full date and time, but i cant seem to get it to just show a date (time is a little more info than I need) and just clutters up the info.

8 REPLIES 8

JustDeWon
Contributor III

@TJ.Edgerly take a look at this thread..

sshort
Valued Contributor

@TJ.Edgerly I'm using Jamf's script: https://github.com/jamf/Current-User-Password-Age

And I pair that with a policy that warns users of an upcoming pw expiration.

@sshort do you still have that EA?  Looks like the old GitHub got removed.

sshort
Valued Contributor

ugh, that sucks that it's removed! I used that EA at a previous job, and I can't find it in my old notes.

It's all good we've still had no luck finding it elsewhere but if you ever do find it I'm still here haha.

This may not be exactly what you're looking for, but this script at least worked on my system when I tested it. I'm still waiting for the EA to kick in with some inventory updates, and I'll follow up more from there, but if you need this, I'll share what I've built. 

 

#!/bin/bash
 
timeStamp80dBack=$(date -v-80d -u +"%s")
last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\([0-9]*\).*/\1/p")
 
if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then
echo "More than 80 Days ago"
else
    echo "Less than 80 Days ago"
fi    
 
exit 0

Sorry, the script works, but not as an EA. Here's the update to have it work properly as an EA. 

 

#!/bin/bash
 
timeStamp80dBack=$(date -v-80d -u +"%s")
last_user=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
pwLastChangeEpoch=$(dscl . read /Users/${last_user} accountPolicyData | tail -n +2 | plutil -extract passwordLastSetTime xml1 -o - -- - | sed -n "s/<real>\([0-9]*\).*/\1/p")
 
if [ $pwLastChangeEpoch -lt $timeStamp80dBack ]; then
echo "<result>More than 80 Days ago</result>"
else
    echo "<result>Less than 80 Days ago</result>"
fi    
 
exit 0

TJ_Edgerly
New Contributor III

Ended up going with this:

 

#!/bin/bash

curUser=$(ls -l /dev/console | cut -d " " -f 4)
passwordAge=$(expr $(expr $(date +%s) - $(dscl . read /Users/${curUser} | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}' | awk -F'.' '{print $1}')) / 86400)
echo "<result>${passwordAge}</result>"

Not perfect, but worked for my needs.