Question

Terminal command to view Active Directory password age?



As the title states. Thanks!

10 replies

mm2270
  • Legendary Contributor
  • 7880 replies
  • December 19, 2018

User password? Or computer password?


  • Author
  • Contributor
  • 66 replies
  • December 19, 2018

User password. Thanks


  • Honored Contributor
  • 550 replies
  • December 19, 2018

I had to do something similar that was checking if a user was created or removed from AD. I used ldapsearch.

L


  • Contributor
  • 475 replies
  • December 19, 2018

Stolen from: https://applehelpwriter.com/2018/03/14/6228/

#!/bin/bash
## Lists local (dscl) accounts and the date each one last set its password.
## passwordLastSetTime is stored inside the user's accountPolicyData plist
## as a <real> Unix epoch value, so it is pulled out of the full record with awk.
echo; echo "Password Last Changed:"
u=$(dscl . list /Users | egrep -v '^_|daemon|nobody')
for i in $u; do
    printf '\n%s\t' "$i"
    t=$(dscl . read "/Users/$i" 2>/dev/null | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}')
    ## Drop the fractional seconds before handing the value to date(1)
    [ -n "$t" ] && date -j -f %s "${t%.*}" 2>/dev/null
done

Without knowing the context of your use for it, you may have to adapt it for your needs.


mm2270
  • Legendary Contributor
  • 7880 replies
  • December 19, 2018

Second question is, are these Macs joined to AD, and are the accounts mobile AD accounts or otherwise from AD?

If the answer is yes, and if you know the domain path resource to check against, and the user account is from AD, then something like the below would work. This is extracted from a larger script that compiled a lot of info into a special menu item, from a while back. I don't use it anymore, but the script pieces still work.

#!/bin/bash

## Change daysPWValid below to a days value that your passwords need to change. For example, if they expire after 60 days, put in 60. If 90 days, put in 90, etc.
daysPWValid="60"
secsPWValid=$((60*60*24*daysPWValid))
timeNow=$(date +"%s")

## Change "ORG" in the below to the correct domain name
domainPath="/Active Directory/ORG/All Domains"

## This gets the current logged in user. Use a different method of getting the user if needed, or hard code a name in.
currentUser=$(stat -f%Su /dev/console)

## Gets the raw last password set value from AD
lastPWChangeRaw=$(dscl "$domainPath" read /Users/${currentUser} SMBPasswordLastSet | cut -d' ' -f2)

## Does calculation to get some values we need on the next password change + how many days left
if [ "$lastPWChangeRaw" != "" ]; then
    lastPWChangeTrue=$((lastPWChangeRaw/10000000-11644473600))
    nextPWChangePlusTime=$((lastPWChangeTrue+secsPWValid))
    nextPWChange=$(date -jf "%s" "$nextPWChangePlusTime" +"%Y-%m-%d %H:%M:%S")
    daysToChange=$((((nextPWChangePlusTime-timeNow))/60/60/24))
    echo "Next Password Change: ${nextPWChange}, $daysToChange Days"
else
    echo "No Last Password Set date was found."
    exit 0
fi

  • Author
  • Contributor
  • 66 replies
  • December 19, 2018

Cool. That ran cleanly, @ryan.ball, but the password change date for my account is incorrect.


  • Contributor
  • 475 replies
  • December 19, 2018

If you are looking to pull that directly from AD, you'd need to look at ldapsearch like @Nix4Life mentioned. I assume the fields using dscl are from the Mac's perspective. If you want AD Attribute values, use ldapsearch.


  • Contributor
  • 475 replies
  • December 19, 2018

Using ldapsearch:

#!/bin/bash

## Current console user (empty string at the login window)
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

domain=""            # Example: contoso.com
shortDomain=""       # Example: CONTOSO
searchBase=""        # Example: OU=Users,DC=contoso,DC=com

echo -n "Enter AD Reader's Username: "
read -r ldapUser
ldapUser="$shortDomain\\$ldapUser"

echo -n "Enter $ldapUser's Pass: "
read -r -s ldapPass
echo

## pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
## Note: a bind password passed with -w is visible in the process list while ldapsearch runs.
pwdLastSet=$(ldapsearch -LLL -h "$domain" -x -D "$ldapUser" -w "$ldapPass" -b "$searchBase" "sAMAccountName=$loggedInUser" pwdLastSet | awk '/^pwdLastSet:/ {print $2}')

if [ -z "$pwdLastSet" ]; then
    echo "No pwdLastSet value returned for $loggedInUser (check the bind account, search base, or username)."
    exit 1
elif [ "$pwdLastSet" -eq 0 ]; then
    ## 0 means the user must change their password at next logon
    echo "$loggedInUser must change their password at next logon."
    exit 0
fi

pwdLastSetEpoch=$(( (pwdLastSet/10000000) - 11644473600 ))
pwdLastSetReadable=$(date -r "$pwdLastSetEpoch" '+%m/%d/%Y:%H:%M:%S')

echo "$loggedInUser's password last set: $pwdLastSetReadable"

exit 0
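Both the dscl script above (SMBPasswordLastSet) and this ldapsearch script (pwdLastSet) rely on the same conversion: the AD value is a Windows FILETIME, counted in 100-nanosecond ticks since 1601-01-01 UTC, and subtracting 11644473600 seconds rebases it onto the Unix epoch. The script below is an added example, not code from this thread; it factors that conversion, the password-age and days-until-expiry arithmetic, and the LDIF parsing into shell functions you can drop into either script. The sample LDIF record, the user names, and the 90-day policy are constructed for the demo; the only AD facts it assumes are the FILETIME epoch and that a pwdLastSet of 0 means "must change password at next logon".

```shell
#!/bin/bash
# Added example (not from the thread): reusable helpers for turning an AD
# pwdLastSet / SMBPasswordLastSet value into password age and expiry.
# Only portable arithmetic is used, so it behaves the same on macOS and Linux.

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_EPOCH_OFFSET=11644473600

# filetime_to_epoch RAW -> Unix epoch seconds; fails on non-numeric input
filetime_to_epoch() {
    raw="$1"
    case "$raw" in
        ''|*[!0-9]*) echo "error: pwdLastSet must be a non-negative integer, got '$raw'" >&2; return 1 ;;
    esac
    echo $(( raw / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# password_age_days RAW NOW_EPOCH -> whole days since the password was set,
# or "must-change" when AD reports 0 (password must be changed at next logon).
password_age_days() {
    raw="$1"; now="$2"
    set_epoch=$(filetime_to_epoch "$raw") || return 1
    if [ "$raw" -eq 0 ]; then echo "must-change"; return 0; fi
    echo $(( (now - set_epoch) / 86400 ))
}

# days_until_expiry RAW NOW_EPOCH MAX_AGE_DAYS -> days left under a policy that
# expires passwords MAX_AGE_DAYS after they were set (negative = already expired).
days_until_expiry() {
    raw="$1"; now="$2"; max_days="$3"
    set_epoch=$(filetime_to_epoch "$raw") || return 1
    if [ "$raw" -eq 0 ]; then echo 0; return 0; fi
    echo $(( (set_epoch + max_days * 86400 - now) / 86400 ))
}

# extract_pwdlastset: reads LDIF (as printed by `ldapsearch -LLL`) on stdin and
# prints the first pwdLastSet value. The attribute is always a plain integer,
# so the base64 ("::") LDIF form does not need handling here.
extract_pwdlastset() {
    awk -F': ' '$1 == "pwdLastSet" { print $2; exit }'
}

# Constructed sample record (not real directory data); pwdLastSet here
# corresponds to 2020-01-01 00:00:00 UTC.
SAMPLE_LDIF='dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
pwdLastSet: 132223104000000000'

# Run with --demo to print a report for the sample record.
if [ "${1:-}" = "--demo" ]; then
    raw=$(printf '%s\n' "$SAMPLE_LDIF" | extract_pwdlastset)
    now=$(date +%s)
    echo "pwdLastSet as Unix epoch: $(filetime_to_epoch "$raw")"
    echo "password age (days):      $(password_age_days "$raw" "$now")"
    echo "days until expiry (90d):  $(days_until_expiry "$raw" "$now" 90)"
fi
```

To use it against a live query, replace the sample with the real ldapsearch output piped into extract_pwdlastset; the functions deliberately return non-zero on empty or non-numeric input so that a failed bind or a mistyped username is reported instead of being silently turned into a 1969 date.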

  • Contributor
  • 24 replies
  • December 31, 2018

net user <username> /domain


mani2care
  • Contributor
  • 82 replies
  • December 21, 2020

Nice, this is what I'm looking for, but 1) the login user password was different and the AD user password was different; to sync them, do we have any script? 2) The user is working from home and needs to connect to VPN for the validation check. 3) The user ID is the same; Mac login user validation is required.
4) No LAPS; the user just has a local Admin account.

Please help if anyone has a script like this.



