+9I have an EA to pull in the accountExpires ldap attribute. The format is unreadable and I want to convert to human readable format. Then I want a smart group to catch users with PW expiring within a few days. Here is a link to bash script I fount to convert the number.
What is the best approach to this? Pipe the output from the EA into the Bash script?
Thank you for any ideas in advance.
+7We use the following:
This Extension Attribute is designed to return the number of days remaining until Active Directory password expiration.
So you would need to change # Current password change policy to suit your environment.
#!/bin/bash
# Logged in user
LoggedInUser=`ls -l /dev/console | awk '{ print $3 }'`
# Current password change policy
PasswdPolicy=90
# Last password set date
LastPasswordSet=`dscl /Active Directory/CORP/All Domains/ read /Users//$LoggedInUser SMBPasswordLastSet | awk '{print $2}'`
# Calculations
LastPasswordCalc1=`expr $LastPasswordSet / 10000000 - 1644473600`
LastPasswordCalc2=`expr $LastPasswordCalc1 - 10000000000`
TimeStampToday=`date +%s`
TimeSinceChange=`expr $TimeStampToday - $LastPasswordCalc2`
DaysSinceChange=`expr $TimeSinceChange / 86400`
DaysRemaining=`expr $PasswdPolicy - $DaysSinceChange`
echo "<result>$DaysRemaining</result>"
exit 0Taken from: https://www.jamf.com/jamf-nation/discussions/10347/creating-an-ad-password-expiration-date-extension-attribute
+9Thank you sdunbar. I missed that post. It worked for me after I figured the right format for my domain. This will help me bridge the gap until Apple Professional Services give us the EC agent.
I was inserting our name in CORP incorrectly. Once i got it right I was good to go. dscl /Active Directory/CORP/All Domains/ read /Users//$LoggedInUser SMBPasswordLastSet | awk '{print $2}'
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.