Thread-topic: Query AD for User Account Expiration Date?
On 5/28/08 10:01 AM, "Stranathan, Dan" <email@hidden> wrote:
> Is it possible to query Active Directory and see when a user's AD
> password expires from Mac OS X 10.5? Seems like dscl,
> dsmemberutil, dsconfigad or dscacheutil would be able to get this info
> from the DC somehow.
It's quite possible, but it requires some wrangling because AD doesn't
actually store a password's age as a property. It does, however, keep values
for when the password was last set and the maximum age for passwords. The
basic process is to get the date a user's password was set, subtract it from
today's date, and then subtract the result from the maximum age for
passwords.
The following command should get the expiration age of an AD password, in
days:
    maxPwdAge=$(ldapsearch -LLL -Q -s base -h x.x.x.x -b dc=domain,dc=org \
        maxPwdAge | awk -F- '/maxPwdAge/ {print $2/10000000}')
Replace x.x.x.x with the IP of your AD's DNS and replace the search base
with your info.
The next command will retrieve the date that the password was last set,
converted from NT time to UNIX time:
    # 11644473600 = seconds between the NT epoch (1601-01-01) and the UNIX epoch (1970-01-01)
    pwdLastSet=$(dscl "/Active Directory/All Domains" -read /Users/user | awk \
        '/pwdLastSet:/ {print $2/10000000-11644473600}')
The next command will get today's date in the format we need:
today=$(date "+%s")
The formula to get the days until a password expires is:
    ($maxPwdAge - ($today - $pwdLastSet))/3600/24
I personally use AppleScript to handle this entire thing and to pop up a
dialog if the expiration date is looming. I'd be happy to share it.
--
Peter M. Bukowinski
IT - Senior Support Engineer
Janelia Farm Research Campus
Howard Hughes Medical Institute
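
The calculation described in the message above, as an added example that is not part of the original post: a shell function that takes the raw maxPwdAge and pwdLastSet values (100-nanosecond units) and a UNIX timestamp, and also handles the cases the simple formula does not (no maximum age in the domain policy, pwdLastSet of 0, a password that has already expired). The function name, the output words "never" and "must-change", and all sample values are constructed for illustration; it uses the standard 1601-to-1970 offset of 11644473600 seconds and does not look at per-account flags.

```shell
#!/bin/sh
# Added example: days until an AD password expires, from raw attribute values.
# Nothing here queries a directory; feed it the values returned by ldapsearch/dscl.

NT_EPOCH_OFFSET=11644473600   # seconds between 1601-01-01 and 1970-01-01 (UTC)

# days_until_expiry RAW_MAXPWDAGE RAW_PWDLASTSET NOW_UNIX   (hypothetical helper)
# Prints: whole days left (negative once expired),
#         "never"       if the policy sets no maximum age (0 or the minimum int64),
#         "must-change" if pwdLastSet is 0 (change required at next logon).
days_until_expiry() {
    raw_max=$1
    raw_set=$2
    now=$3

    case $raw_max in
        0|-9223372036854775808) echo never; return 0 ;;
    esac
    if [ "$raw_set" = 0 ]; then
        echo must-change
        return 0
    fi

    # maxPwdAge is stored as a negative interval: drop the sign, scale to seconds.
    max_secs=$(( ${raw_max#-} / 10000000 ))
    # pwdLastSet is an NT timestamp: scale to seconds, shift to the UNIX epoch.
    set_unix=$(( $raw_set / 10000000 - $NT_EPOCH_OFFSET ))
    remaining=$(( $max_secs - ($now - $set_unix) ))

    # Shell division truncates toward zero; round down instead so a password
    # that expired an hour ago reports -1 rather than 0.
    days=$(( $remaining / 86400 ))
    if [ "$remaining" -lt 0 ] && [ $(( $remaining % 86400 )) -ne 0 ]; then
        days=$(( $days - 1 ))
    fi
    echo "$days"
}

# Constructed sample: 42-day policy, password set 2008-05-28 00:00 UTC,
# evaluated 10 days later.
days_until_expiry -36288000000000 128564064000000000 1212796800
```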