Web lists-archives.com

Re: [Samba] List of Expired Accounts?

Scratch that. Spent a little more time on this, and got my NT4 pdbedit
script for expired accounts working! I'm still working on a script for
email alerts to users about expiring account. If anyone is interested, here
is my script. I need this for compliance reasons, since we need to disable
expired account and have a documented process for re-enabling.

It outputs an email like this:

*Searching for expired accounts...*
*username / password last set / disabled*

*username1 / Tue, 26 Jun 2018 13:26:02 UTC*
*username2 / Mon, 14 May 2018 14:32:44 UTC / DISABLED*
*username3 / Tue, 13 Feb 2018 19:50:30 UTC / DISABLED*
*username4 / Thu, 31 May 2018 13:30:09 UTC*

I run this as a cron job, so I put things in a shell script & perl script.
In the shell script, make sure to properly set the location of your pdbedit
tool, perl script and to/from email addresses. System must be configured so
the "mail" command works...otherwise you might need some configuration

*pdb-expired-ad.sh *
/usr/local/samba/bin/pdbedit -Lv | /usr/bin/perl pdb-expired-ad.pl |
/bin/mail -r xxx@xxxxxxx -s "Expired Accounts" xxx@xxxxxxx

*pdb-expired-ad.pl <http://pdb-expired-ad.pl>*

use Date::Parse;
$now = time();
$now = $now - (7776000); #current time minus 90 days in seconds, which is
our max password age

print "Searching for expired accounts...\n";
print "username / password last set / disabled\n\n";

while (<>)
    if (/Unix username:\s*(.*)/) #get username
        $username = $1;
        $disabled = 0;
        $machine = 0;
        $service = 0;
    if (/Account Flags:\s*\[.*W.*\s*\](.*)/) #ignore if computer account
        $machine = 1;
    if (/Account Flags:\s*\[.*X.*\s*\](.*)/) #ignore if set for no password
        $service = 1;
    if (/Account Flags:\s*\[.*D.*\s*\](.*)/) #set variable if account is
        $disabled = 1;
    if (/Password last set:\s*(.*)/) #get password last set date and
convert it. output username if set more than xx days (set at top). if
disabled, output DISABLED
        $expiry = $1;
        $change = str2time($expiry);
        if ( ( ($service != 1 && ($machine != 1)) && $expiry !~ /^never/)
&& $change <= $now)
                print "$username / $expiry";
                if($disabled == 1)
                        print " / DISABLED\n";
                        print "\n";

On Mon, Sep 24, 2018 at 9:22 AM Bill Baird <Bill.Baird@xxxxxxxxxxxxx> wrote:

> Hi All,
> Is there a built-in command to get a list of all expired accounts, or
> output a list of all users and expiration date? All the scripts I find seem
> to be PowerShell scripts that relay on some "Web Service" that I don't have
> or do one user at at time.
> Or if anyone has a script they are willing to share, that would be greatly
> appreciated. I'm primarily looking for a way to see all expired accounts,
> and then if possible get a script setup to email users as accounts are
> expiring (my scripts from my Samba NT4 days sadly no longer work).
> I'm on Samba 4.8.5 running as an AD DC.
> Thanks!

*Bill Baird*
Chief Technology Officer
Office: 845-876-8228 x311
Mobile: 203-545-0437
*To create an IT ticket, please email itsupport@xxxxxxxxxxxxx
<itsupport@xxxxxxxxxxxxx> or call 845-943-4222.*

This electronic message, including its attachments (if any), is 
If you are not the intended recipient, you are hereby notified that any 
use, disclosure, copying, or distribution of this message, its attachments, 
or any of the information included therein, is unauthorized and strictly 
prohibited. If you have received this message in error, please immediately 
notify the sender by reply e-mail and permanently delete this message and 
its attachments, along with any copies thereof.

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba