Scratch that. Spent a little more time on this, and got my NT4 pdbedit
script for expired accounts working! I'm still working on a script for
email alerts to users about expiring accounts. If anyone is interested, here
is my script. I need this for compliance reasons, since we need to disable
expired accounts and have a documented process for re-enabling them.
It outputs an email like this:
Searching for expired accounts...
username / password last set / disabled

username1 / Tue, 26 Jun 2018 13:26:02 UTC
username2 / Mon, 14 May 2018 14:32:44 UTC / DISABLED
username3 / Tue, 13 Feb 2018 19:50:30 UTC / DISABLED
username4 / Thu, 31 May 2018 13:30:09 UTC
I run this as a cron job, so I put things in a shell script and a perl script.
In the shell script, make sure to properly set the location of your pdbedit
tool, the perl script, and the to/from email addresses. The system must be
configured so the "mail" command works; otherwise you might need some
configuration there.
pdb-expired-ad.sh

#!/bin/sh
/usr/local/samba/bin/pdbedit -Lv | /usr/bin/perl pdb-expired-ad.pl |
    /bin/mail -r xxx at xxx.com -s "Expired Accounts" xxx at xxx.com
pdb-expired-ad.pl

#!/usr/bin/perl
use strict;
use warnings;
use Date::Parse;

# Current time minus 90 days in seconds, which is our max password age.
my $now = time() - 7776000;

# Per-account state, reset whenever a new "Unix username:" line is seen.
my ($username, $disabled, $machine, $service) = ('', 0, 0, 0);

print "Searching for expired accounts...\n";
print "username / password last set / disabled\n\n";

while (<>)
{
    if (/Unix username:\s*(.*)/)    # get username and reset the flags
    {
        $username = $1;
        $disabled = 0;
        $machine  = 0;
        $service  = 0;
    }
    if (/Account Flags:\s*\[.*W.*\s*\](.*)/)    # ignore if computer account
    {
        $machine = 1;
    }
    if (/Account Flags:\s*\[.*X.*\s*\](.*)/)    # ignore if set for no password expiration
    {
        $service = 1;
    }
    if (/Account Flags:\s*\[.*D.*\s*\](.*)/)    # set variable if account is disabled
    {
        $disabled = 1;
    }
    # Get the "password last set" date and convert it. Output the username if it
    # was set more than xx days ago (set at top); if disabled, output DISABLED.
    if (/Password last set:\s*(.*)/)
    {
        my $expiry = $1;
        my $change = str2time($expiry);    # undef if the date cannot be parsed
        if ( $service != 1 && $machine != 1 && $expiry !~ /^never/
             && defined $change && $change <= $now )
        {
            print "$username / $expiry";
            if ($disabled == 1)
            {
                print " / DISABLED\n";
            }
            else
            {
                print "\n";
            }
        }
    }
}
On Mon, Sep 24, 2018 at 9:22 AM Bill Baird <Bill.Baird at phoenixmi.com>
wrote:
> Hi All,
>
> Is there a built-in command to get a list of all expired accounts, or
> output a list of all users and expiration date? All the scripts I find seem
> to be PowerShell scripts that rely on some "Web Service" that I don't have
> or do one user at a time.
>
> Or if anyone has a script they are willing to share, that would be greatly
> appreciated. I'm primarily looking for a way to see all expired accounts,
> and then if possible get a script setup to email users as accounts are
> expiring (my scripts from my Samba NT4 days sadly no longer work).
>
> I'm on Samba 4.8.5 running as an AD DC.
>
> Thanks!
>
--
Bill Baird
Chief Technology Officer
Office: 845-876-8228 x311
Mobile: 203-545-0437
www.phoenixmi.com
To create an IT ticket, please email itsupport at phoenixmi.com or call 845-943-4222.
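As an added example (not part of the thread or of Bill's scripts), here is the same filter over `pdbedit -Lv` output in Python, extended with the "expiring soon" status the follow-up alert mail would need. The sample records, the reference time NOW and the 14-day WARN_DAYS window are constructed; the 90-day maximum age and the W / X / D flag handling follow the Perl script above.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_AGE_DAYS = 90   # maximum password age used in the post
WARN_DAYS = 14      # assumed warning window for an "expiring soon" mail (not from the post)
NOW = datetime(2018, 9, 25, 12, 0, tzinfo=timezone.utc)   # constructed reference time
# Constructed sample of `pdbedit -Lv` output, trimmed to the fields the script reads.
SAMPLE = """\
---------------
Unix username:        alice
Account Flags:        [U          ]
Password last set:    Tue, 26 Jun 2018 13:26:02 UTC
---------------
Unix username:        bob
Account Flags:        [DU         ]
Password last set:    Mon, 14 May 2018 14:32:44 UTC
---------------
Unix username:        dave
Account Flags:        [U          ]
Password last set:    Thu, 05 Jul 2018 10:00:00 UTC
---------------
Unix username:        svc_backup
Account Flags:        [UX         ]
Password last set:    Tue, 13 Feb 2018 19:50:30 UTC"""

def parse_records(text):
    """One dict per account keyed by field label; dashed lines separate records."""
    records = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        fields = dict(tuple(p.strip() for p in line.split(":", 1))
                      for line in block.splitlines() if ":" in line)
        if fields:
            records.append(fields)
    return records

def classify(rec, now):
    """(status, disabled): W (machine), X (no expiry) or never-set give 'skip', else expired|expiring|ok."""
    m = re.search(r"\[([^\]]*)\]", rec.get("Account Flags", ""))
    flags, last_set = (m.group(1) if m else ""), rec.get("Password last set", "never")
    if "W" in flags or "X" in flags or last_set.startswith("never"):
        return "skip", "D" in flags
    left = parsedate_to_datetime(last_set) + timedelta(days=MAX_AGE_DAYS) - now
    status = "expired" if left <= timedelta(0) else "expiring" if left <= timedelta(days=WARN_DAYS) else "ok"
    return status, "D" in flags

def expiry_report(text, now=NOW):
    """(username, status, disabled) for every account the script would list."""
    rows = [(r["Unix username"], *classify(r, now)) for r in parse_records(text)]
    return [row for row in rows if row[1] != "skip"]
```

With the constructed sample, `expiry_report(SAMPLE)` lists alice and bob as expired (bob also disabled), dave as expiring, and drops the X-flagged service account, just as the Perl does.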