
Re: [Samba] How to get password expiration?

On Fri, 3 Feb 2017 07:44:39 -0700
Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> This seems to work for maxPwdAge:
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge
> Now I just need to query a user's pwdLastSet.
> I tried the commands above but am not getting anything. I tried
> looking at the ungrepped output but I don't see how to link the
> pwdLastSet with any user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command below but I don't see anything that looks like users.
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D '*@ad.mydomain.tld' -U myusername | grep -e "^pwdLastSet:" -e "^dn:" | less
> gives me as follows:
> dn: DC=ad,DC=mydomain,DC=tld
> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129912036833708410
> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131292041205350825
> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131300093694348218
> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129908837104473721
> dn: CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> ...

As I said, you can use rpcclient to do this:

# Resolve the user name to its SID, authenticating with the machine account (-P)
RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
# Pull the numeric RID out of the lookupnames output
USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
# Query the user record by RID
QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
# Keep only the "Password must change Time" value; the time itself contains colons, so take fields 2-5
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')

If I feed my name into this, I get:

Thu, 14 Sep 30828 03:48:05 BST

Which is understandable, because my password is set to never expire.
So, unless Microsoft doesn't know what they are talking about, the
world will end in 30828 LOL
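As an added worked example (not code from either poster), the Python below does the arithmetic this thread is after, offline: it pairs each dn: with the pwdLastSet: that follows it in grep output like the one quoted above, converts the FILETIME ticks to a date, and applies maxPwdAge, treating the DONT_EXPIRE_PASSWD flag, a maxPwdAge of 0 and the int64-max sentinel (the year-30828 date shown above) as "never expires". The sample entries and the 42-day maxPwdAge are constructed for the example.

```python
"""Compute Active Directory password expiry from pwdLastSet and maxPwdAge."""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# int64 max as a FILETIME is 14 Sep 30828; AD and Samba report it as "never expires".
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF
INT64_MIN = -0x8000000000000000
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag for "password never expires"


def filetime_to_datetime(ticks):
    """Convert FILETIME ticks to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, user_account_control=0):
    """Return (status, expiry) where status is "never", "must-change" or "expires".

    maxPwdAge is a negative interval in 100 ns ticks; 0 or int64 min means no maximum age.
    pwdLastSet == 0 means the user must change the password at next logon.
    """
    if user_account_control & DONT_EXPIRE_PASSWD or max_pwd_age in (0, INT64_MIN):
        return "never", None
    if pwd_last_set == 0:
        return "must-change", None
    expiry_ticks = pwd_last_set - max_pwd_age  # max_pwd_age < 0, so this adds the age
    if expiry_ticks >= FILETIME_NEVER:  # would overflow past the year-30828 sentinel
        return "never", None
    return "expires", filetime_to_datetime(expiry_ticks)


def parse_dn_pwdlastset(text):
    """Pair each 'dn:' with the 'pwdLastSet:' that follows it; entries without one are skipped."""
    result, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("pwdLastSet:") and dn is not None:
            result[dn] = int(line.split(":", 1)[1])
    return result


# Constructed sample in the shape of the grep output quoted in the thread.
SAMPLE = """\
dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 129912036833708410
dn: CN=Users,DC=ad,DC=mydomain,DC=tld
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131292041205350825
"""
MAX_PWD_AGE_42_DAYS = -42 * 86400 * 10_000_000  # the AD default, as stored in maxPwdAge

if __name__ == "__main__":
    for dn, last_set in parse_dn_pwdlastset(SAMPLE).items():
        status, when = password_expiry(last_set, MAX_PWD_AGE_42_DAYS)
        print(f"{dn}: set {filetime_to_datetime(last_set):%Y-%m-%d}, {status} {when or ''}")
```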

