We use the following:
This Extension Attribute is designed to return the number of days remaining until Active Directory password expiration.
So you would need to change # Current password change policy to suit your environment.
#!/bin/bash
# Logged in user
LoggedInUser=`ls -l /dev/console | awk '{ print $3 }'`
# Current password change policy
PasswdPolicy=90
# Last password set date
LastPasswordSet=`dscl /Active Directory/CORP/All Domains/ read /Users//$LoggedInUser SMBPasswordLastSet | awk '{print $2}'`
# Calculations
LastPasswordCalc1=`expr $LastPasswordSet / 10000000 - 1644473600`
LastPasswordCalc2=`expr $LastPasswordCalc1 - 10000000000`
TimeStampToday=`date +%s`
TimeSinceChange=`expr $TimeStampToday - $LastPasswordCalc2`
DaysSinceChange=`expr $TimeSinceChange / 86400`
DaysRemaining=`expr $PasswdPolicy - $DaysSinceChange`
echo "<result>$DaysRemaining</result>"
exit 0
Taken from: https://www.jamf.com/jamf-nation/discussions/10347/creating-an-ad-password-expiration-date-extension-attribute
