Get the date when user last changed AD password

ssavarese
New Contributor III

I'm trying to figure out a 'one line' command for this.

On Windows I could:
net user username /domain
and it shows up in the results in human format

On the Mac I can do this:
dscl "/Active Directory/DOMAINNAME/" -read /Users/USERNAME pwdLastSet
but the format is in nanoseconds. I don't know how to convert it to a real date. Can anyone assist?


iJake
Valued Contributor

I don't have a bound machine but if you give me what that returns I'm sure I can show you how to convert it.

daniel_behan
Contributor III

Our AD passwords expire every 90 days and I have an Extension Attribute that reports on the number of days up until the last two weeks of expiration.

#!/bin/bash
pwPolicy=90                                                    # maximum password age in days
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')     # current console user
# The node path contains spaces, so it must be quoted. SMBPasswordLastSet is a Windows FILETIME:
# 100-nanosecond intervals since 1601-01-01 UTC.
lastpwdMS=$(dscl localhost read "/Active Directory/<DOMAIN>/All Domains/Users/$user" | grep SMBPasswordLastSet | cut -d' ' -f 2)
if [ -z "$lastpwdMS" ]; then
    echo "<result>Unknown</result>"       # user not found in AD or machine not bound
    exit 0
fi
todayUnix=$(date "+%s")
lastpwdUnix=$(( lastpwdMS / 10000000 - 11644473600 ))          # FILETIME -> Unix epoch seconds
diffUnix=$(( todayUnix - lastpwdUnix ))
diffdays=$(( diffUnix / 86400 ))
daysremaining=$(( pwPolicy - diffdays ))
if [[ "$daysremaining" -gt 0 && "$daysremaining" -lt 15 ]]; then
    echo "<result>2 Weeks</result>"
else
    echo "<result>$daysremaining</result>"
fi

ssavarese
New Contributor III

@iJake the result is as follows:
SMBPasswordLastSet: 131426115105227560

@daniel.behan Thanks that is useful, but what I really need is the date the password was last changed to be visible.

AVmcclint
Honored Contributor

If you have access to a bound Windows PC or VM, you can use the Account Lockout Status tool to find that for any AD accounts. I use this on a daily basis. The Last Password Set column displays time and date. It works well as long as your AD account is privileged to see that kind of info for other users. You may need to work with your AD administrators to get your AD permissions right.

iJake
Valued Contributor

#!/bin/bash

adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME/" -read /Users/USERNAME pwdLastSet)

adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")

echo $adPwdLastSetHuman

Add the parts where you figure out domain and username. You can play with formatting of how you want the date outputted. Here is a guide for the BSD date command.

ssavarese
New Contributor III

@iJake Thanks. I'm getting an error on the second command.

line 5: (SMBPasswordLastSet: 131426115105227560/10000000)-11644473600: missing `)' (error token is ": 131426115105227560/10000000)-11644473600")

I can confirm that the first command is working by commenting out the rest and echoing the first variable.

I don't see any obvious syntax errors.

iJake
Valued Contributor

Paste your copy of the whole script.

ssavarese
New Contributor III

The only edit is the domain name. Note that the number in the error is the correct result of the pwdLastSet command.

#!/bin/bash

adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME" -read /Users/ssavarese pwdLastSet)

adPwdLastSetHuman=$(date -j -f "%s" "$((($adPwdLastSetNT/10000000)-11644473600))" "+%x %X")

echo $adPwdLastSetHuman

iJake
Valued Contributor

Run the script in debug mode (bash -x /PATH/TO/SCRIPT) and then paste the output. Try to use the code markdown tag too so it's easier to read.

ssavarese
New Contributor III

+ dscl '/Active Directory/DOMAINNAME' -read /Users/ssavarese pwdLastSet
adPwdLastSetNT='dsAttrTypeNative:pwdLastSet: 131426115105227560'
/Users/ssavarese/Desktop/passworddate.sh: line 5: (dsAttrTypeNative:pwdLastSet: 131426115105227560/10000000)-11644473600: missing `)' (error token is ":pwdLastSet: 131426115105227560/10000000)-11644473600")
adPwdLastSetHuman=
echo

I don't know how to use the code markdown tag. Sorry, I'm not a developer, but I follow instructions well if you want to tell me how :)

iJake
Valued Contributor

The markdown tags are right above where you type in your message.

I see the problem, didn't expect the result to not just be the number.

#!/bin/bash

# dscl prints "dsAttrTypeNative:pwdLastSet: <value>", so keep only the last field (the number)
adPwdLastSetNT=$(dscl "/Active Directory/DOMAINNAME/" -read /Users/USERNAME pwdLastSet | awk '{print $NF}')

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# Divide by 10,000,000 for seconds, then subtract the 1601-to-1970 offset to get Unix epoch seconds.
adPwdLastSetHuman=$(date -j -f "%s" "$(( (adPwdLastSetNT / 10000000) - 11644473600 ))" "+%x %X")

echo "$adPwdLastSetHuman"
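The same conversion as reusable functions, added here as an example and not code from the thread: it strips the dscl attribute prefix that broke the earlier attempt, treats the pwdLastSet value 0 that AD uses for "must change password at next logon" as a special case, and reuses the 90-day policy arithmetic from daniel_behan's extension attribute. The sample line is constructed from the value posted above, and the formatting helper tries BSD date first and falls back to GNU date so it also runs on Linux.

```bash
#!/bin/bash
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# 11644473600 seconds separate 1601-01-01 from the Unix epoch (1970-01-01).

# Accepts either a full dscl line ("dsAttrTypeNative:pwdLastSet: 1314...") or a bare number.
# Prints Unix epoch seconds, "must-change" for the AD sentinel 0, or "invalid" (exit 1).
pwdlastset_to_epoch() {
    local raw="${1##* }"                 # keep only the last whitespace-separated field
    case "$raw" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
        0)           echo "must-change"; return 0 ;;   # 0 = change required at next logon
    esac
    echo $(( raw / 10000000 - 11644473600 ))
}

# Days left before expiry: policy max age minus whole days elapsed since the last change.
# Arguments: last-set epoch seconds, policy max age in days, "now" as epoch seconds.
days_until_expiry() {
    local last="$1" policy="$2" now="$3"
    echo $(( policy - (now - last) / 86400 ))
}

# Human-readable UTC timestamp; BSD date (-r) first, GNU date (-d @) as fallback.
epoch_to_human() {
    date -u -r "$1" "+%Y-%m-%d %H:%M:%S" 2>/dev/null || date -u -d "@$1" "+%Y-%m-%d %H:%M:%S"
}

# Constructed sample, using the pwdLastSet value from the thread above.
SAMPLE_LINE='dsAttrTypeNative:pwdLastSet: 131426115105227560'
epoch=$(pwdlastset_to_epoch "$SAMPLE_LINE")
echo "last set (UTC): $(epoch_to_human "$epoch")"
echo "days until expiry under a 90-day policy: $(days_until_expiry "$epoch" 90 "$(date +%s)")"
```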

ssavarese
New Contributor III

You rock! Thanks for taking the time to help me @iJake

This will be a very useful tool for me. Very much appreciated.

iJake
Valued Contributor

Glad to help, @ssavarese