Web lists-archives.com

Re: [Samba] How to get password expiration?




Actually is there a way to show it more like a timestamp. It is hard to
compute days left with a date format like that. I guess I could use date to
do the conversion but I was wondering if there is a cleaner way

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Fri, 3 Feb 2017 07:44:39 -0700
> Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > This seems to work for maxPwdAge
> >
> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> > dc=ad,dc=mydomain,dc=tld maxPwdAge
> >
> > now I just need to query a users pwdLastSetq
> > I tried the commands above but am not getting anything. I tried
> > looking at the ungrepped output but I don't see how to link the
> > pwdLastSet with any user. I get a long list.
> > I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> > command bellow but I don't see anything that looks like users.
> >
> >
> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> > '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:" -e
> > "^dn:"|less gives me as follows
> >
> > dn: DC=ad,DC=mydomain,DC=tld
> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129912036833708410
> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131292041205350825
> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131300093694348218
> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129908837104473721
> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AppCategories,CN=Default Domain
> > Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> > ...
>
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba