
Re: [Samba] How to get password expiration?

On Fri, 3 Feb 2017 07:44:39 -0700
Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> This seems to work for maxPwdAge
> 
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge
> 
> Now I just need to query a user's pwdLastSet.
> I tried the commands above but am not getting anything. I tried
> looking at the ungrepped output but I don't see how to link the
> pwdLastSet with any user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command below but I don't see anything that looks like users.
> 
> 
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D '*@ad.mydomain.tld' -U myusername | grep -e "^pwdLastSet:" -e "^dn:" | less
> 
> gives me the following:
> 
> dn: DC=ad,DC=mydomain,DC=tld
> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129912036833708410
> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131292041205350825
> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131300093694348218
> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129908837104473721
> dn: CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=AppCategories,CN=Default Domain
> Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> ...

As I said, you can use rpcclient to do this:

# Resolve the user name to its SID, then pull out the RID (the trailing 4-9 digit component)
RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
# Query the account by RID and extract the "Password must change Time" field
QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')

If I feed my name into this, I get:

Thu, 14 Sep 30828 03:48:05 BST

Which is understandable, because my password is set to never expire.
So, unless Microsoft doesn't know what they are talking about, the
world will end in 30828 LOL

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
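The arithmetic behind both approaches in this thread, as an added example that is not part of the original posts: pwdLastSet and maxPwdAge are Windows FILETIME quantities, and the year-30828 result is what you get when a never-expiring password is pushed through that arithmetic unchecked. The pwdLastSet value is the DC1 one quoted above; the 42-day maxPwdAge and the sample LDIF are constructed.

```python
"""Compute an AD password expiry from pwdLastSet and maxPwdAge.

Both are Windows FILETIME quantities in 100 ns ticks: pwdLastSet is absolute
(since 1601-01-01 UTC), maxPwdAge a negative interval. The pwdLastSet below is
the DC1 value quoted in the thread; the 42-day maxPwdAge is a constructed sample.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRE_INTERVAL = -(2 ** 63)   # domain maxPwdAge when set to "never"
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl flag

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert 100 ns ticks since 1601 to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int = 0):
    """Return (status, expiry datetime or None).

    A never-expiring password has no finite expiry, so None is returned
    instead of the overflowed year-30828 'date' seen in the thread.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRE_INTERVAL):
        return "never", None
    if pwd_last_set == 0:
        return "must-change-at-next-logon", None
    # maxPwdAge is negative, so subtracting it adds the interval.
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)

def parse_pwd_last_set(ldif: str) -> dict:
    """Map dn -> pwdLastSet from 'dn:'/'pwdLastSet:' lines like the grep output."""
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("pwdLastSet: ") and dn:
            result[dn] = int(line.split(":", 1)[1])
    return result

# Constructed sample in the shape of the grep output quoted in the thread.
SAMPLE_LDIF = """dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131292041205350825
"""
MAX_PWD_AGE_42_DAYS = -42 * 86400 * 10_000_000   # constructed domain value

if __name__ == "__main__":
    for dn, pls in parse_pwd_last_set(SAMPLE_LDIF).items():
        print(dn, password_expiry(pls, MAX_PWD_AGE_42_DAYS))
```

Entries without a pwdLastSet line (containers, OUs) are skipped by the parser, which is why the grep output above shows far more dn: lines than pwdLastSet: lines.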