Terminal command to view Active Directory password age?

rcurran
Contributor

As the title states. Thanks!


mm2270
Legendary Contributor III

User password? Or computer password?

rcurran
Contributor

User password. Thanks

Nix4Life
Valued Contributor

I had to do something similar that was checking if a user was created or removed from AD. I used ldapsearch.

L

ryan_ball
Valued Contributor

Stolen from: https://applehelpwriter.com/2018/03/14/6228/

#!/bin/bash
# Lists each local (non-service) account with the time its password was last set,
# read from passwordLastSetTime inside the account's accountPolicyData plist.
echo; echo "Password Last Changed:"
u=$(dscl . list /Users | egrep -v '^_|daemon|nobody')
for i in $u; do
    printf "\n%s\t" "$i"   # quoted so printf, not the shell, interprets \n and \t
    currentUser=$i
    t=$(dscl . read /Users/"$currentUser" | grep -A1 passwordLastSetTime | grep real | awk -F'real>|</real' '{print $2}')
    # the value is a float; drop the fraction so date can parse it with %s
    date -j -f %s "${t%%.*}" 2> /dev/null
done

Without knowing the context of your use for it, you may have to adapt it for your needs.

mm2270
Legendary Contributor III

Second question is, are these Macs joined to AD, and are the accounts mobile AD accounts or otherwise from AD?

If the answer is yes, and if you know the domain path resource to check against, and the user account is from AD, then something like the below would work. This is extracted from a larger script that compiled a lot of info into a special menu item, from a while back. I don't use it anymore, but the script pieces still work.

#!/bin/bash

## Change daysPWValid below to a days value that your passwords need to change. For example, if they expire after 60 days, put in 60. If 90 days, put in 90, etc.
daysPWValid="60"
secsPWValid=$((60*60*24*daysPWValid))
timeNow=$(date +"%s")

## Change "ORG" in the below to the correct domain name
domainPath="/Active Directory/ORG/All Domains"

## This gets the current logged in user. Use a different method of getting the user if needed, or hard code a name in.
currentUser=$(stat -f%Su /dev/console)

## Gets the raw last password set value from AD
lastPWChangeRaw=$(dscl "$domainPath" read /Users/${currentUser} SMBPasswordLastSet | cut -d' ' -f2)

## Does calculation to get some values we need on the next password change + how many days left
if [ "$lastPWChangeRaw" != "" ]; then
    lastPWChangeTrue=$((lastPWChangeRaw/10000000-11644473600))
    nextPWChangePlusTime=$((lastPWChangeTrue+secsPWValid))
    nextPWChange=$(date -jf "%s" "$nextPWChangePlusTime" +"%Y-%m-%d %H:%M:%S")
    daysToChange=$((((nextPWChangePlusTime-timeNow))/60/60/24))
    echo "Next Password Change: ${nextPWChange}, $daysToChange Days"
else
    echo "No Last Password Set date was found."
    exit 0
fi

rcurran
Contributor

Cool. That ran cleanly @ryan.ball but the password change date for my account is incorrect.

ryan_ball
Valued Contributor

If you are looking to pull that directly from AD, you'd need to look at ldapsearch like @Nix4Life mentioned. I assume the fields using dscl are from the Mac's perspective. If you want AD Attribute values, use ldapsearch.

ryan_ball
Valued Contributor

Using ldapsearch:

#!/bin/bash

# Current console user (empty string at the login window)
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

domain=""          # Example: contoso.com
shortDomain=""     # Example: CONTOSO
searchBase=""      # Example: OU=Users,DC=contoso,DC=com

echo -n "Enter AD Reader's Username: "
read -r ldapUser
ldapUser="${shortDomain}\\${ldapUser}"   # DOMAIN\user; the backslash must be doubled inside double quotes

echo -n "Enter $ldapUser's Pass: "
read -r -s ldapPass

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
pwdLastSet=$(ldapsearch -LLL -h "$domain" -x -D "$ldapUser" -w "$ldapPass" -b "$searchBase" "sAMAccountName=$loggedInUser" pwdLastSet | grep pwdLastSet | awk '{print $2}')
# Convert ticks to Unix epoch seconds: divide by 10^7, then subtract the 1601-to-1970 offset
pwdLastSetEpoch=$(( (pwdLastSet/10000000) - 11644473600 ))
pwdLastSetReadable=$(date -r "$pwdLastSetEpoch" '+%m/%d/%Y:%H:%M:%S')

echo "$loggedInUser's password last set: $pwdLastSetReadable"

exit 0
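Both scripts above do the same FILETIME arithmetic inline. The following is an added example, not code from any post in this thread, that pulls that conversion into reusable functions, treats the special value 0 (AD's "must change password at next logon") instead of rendering it as a 1601 date, and computes days remaining from a domain maxPwdAge value; the sample tick counts are constructed, not taken from a real directory.

```shell
#!/bin/bash
# Helpers for the Windows FILETIME values that dscl (SMBPasswordLastSet) and
# ldapsearch (pwdLastSet) return: 100-nanosecond ticks since 1601-01-01 UTC.
# Written to run under POSIX sh as well as bash.

EPOCH_OFFSET=11644473600   # seconds between 1601-01-01 and 1970-01-01
TICKS_PER_SEC=10000000     # 100-ns ticks in one second

# Convert a FILETIME tick count to Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / TICKS_PER_SEC - EPOCH_OFFSET ))
}

# Classify a pwdLastSet value. 0 means "user must change password at next
# logon"; a bare conversion would print 1601-01-01 for it, which misleads.
password_state() {
    case $1 in
        ''|*[!0-9]*) echo "unknown" ;;
        0)           echo "must-change-at-next-logon" ;;
        *)           echo "set-at-$(filetime_to_epoch "$1")" ;;
    esac
}

# maxPwdAge on the domain object is a NEGATIVE tick interval
# (e.g. -51840000000000 for 60 days). Returns whole days remaining;
# a negative result means the password has already expired.
days_until_expiry() {
    pwd_last_set_epoch=$(filetime_to_epoch "$1")
    valid_secs=$(( -$2 / TICKS_PER_SEC ))
    echo $(( (pwd_last_set_epoch + valid_secs - $3) / 86400 ))
}

# Render an epoch as UTC on macOS (date -r) or GNU/Linux (date -d @).
epoch_to_utc() {
    date -u -r "$1" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null \
        || date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC'
}

# Constructed sample: 132345678900000000 ticks = 2020-05-21 20:51:30 UTC.
demo() {
    sample=132345678900000000
    echo "epoch:     $(filetime_to_epoch "$sample")"
    echo "readable:  $(epoch_to_utc "$(filetime_to_epoch "$sample")")"
    echo "state(0):  $(password_state 0)"
    echo "days left: $(days_until_expiry "$sample" -51840000000000 1594000000)"
}
```

Call `demo` at the end of the file, or source it and feed the raw values from either script above into `password_state` and `days_until_expiry`.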

bzuckrow
New Contributor III

net user <username> /domain

mani2care
Contributor

Nice, this is what I'm looking for, but: 1) the login user password was different and the AD user password was different; do we have any script to sync them? 2) The user is working from home and needs to connect to VPN for the validation check. 3) The user ID is the same as the Mac login user; validation is required.
4) No LAPS; the user just has a local admin account.

Please help if anyone has a script like this.