This seems to work for maxPwdAge

ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge

now I just need to query a user's pwdLastSet
I tried the commands above but am not getting anything. I tried looking at the ungrepped output but I don't see how to link the pwdLastSet with any user. I get a long list.
I think I'm looking for dn: and a matching pwdLastSet? So I tried the command below but I don't see anything that looks like users.

ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:" -e "^dn:"|less

gives me as follows

dn: DC=ad,DC=mydomain,DC=tld
dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 129912036833708410
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131292041205350825
dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131300093694348218
dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 129908837104473721
dn: CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Users,DC=ad,DC=mydomain,DC=tld
dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
...

Jeff,

you can ask ldapsearch to filter for you rather than using grep.

Just add "PwdLastSet" (no matter the case) after your ldapsearch:

ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D '*@ad.mydomain.tld' -U myusername PwdLastSet

This will retrieve only DN + asked attributes.

Not all users have a password set so they should have a PwdLastSet. Anyway you don't care, they are not real users touching keyboards and making mistakes. And you only want to display that information to real users making real mistakes : )

2017-02-03 15:44 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:
> This seems to work for maxPwdAge
>
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld
> maxPwdAge
>
> now I just need to query a users pwdLastSetq
> I tried the commands above but am not getting anything. I tried looking at
> the ungrepped output but I don't see how to link the pwdLastSet with any
> user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command bellow but I don't see anything that looks like users.

On Fri, 3 Feb 2017 07:44:39 -0700 Jeff Sadowski via samba <samba at lists.samba.org> wrote:
> This seems to work for maxPwdAge
>
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> dc=ad,dc=mydomain,dc=tld maxPwdAge
>
> now I just need to query a users pwdLastSetq
> I tried the commands above but am not getting anything. I tried
> looking at the ungrepped output but I don't see how to link the
> pwdLastSet with any user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command bellow but I don't see anything that looks like users.
>
>
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:" -e
> "^dn:"|less gives me as follows
>
> dn: DC=ad,DC=mydomain,DC=tld
> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129912036833708410
> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131292041205350825
> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131300093694348218
> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129908837104473721
> dn: CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=AppCategories,CN=Default Domain
> Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> ...

AS I said, you can use rpcclient to do this:

RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')

If I feed my name into this, I get:

Thu, 14 Sep 30828 03:48:05 BST

Which is understandable, because my password is set to never expire.
So, unless microsoft doesn't know what they are talking about, the world will end in 30828 LOL

Rowland

Almost there
Is there a way to query by username?

On Fri, Feb 3, 2017 at 8:38 AM, mathias dufresne <infractory at gmail.com> wrote:
> Jeff,
>
> you can ask ldapsearch to filter for you rather than using grep.
>
> Just add "PwdLastSet" (no matter the case) after your ldapsearch :
>
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> '*@ad.mydomain.tld' -U myusername PwdLastSet
>
> This will retrieve only DN + asked attributes.
>
> Not all user have a password set so they should have a PwdLastSet. Anyway
> you don't care they are not real user touching keyboards and making
> mistakes. And you only want to display that information to real user making
> real mistakes : )
>
> 2017-02-03 15:44 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>
> :
>
>> This seems to work for maxPwdAge
>>
>> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld
>> maxPwdAge
>>
>> now I just need to query a users pwdLastSetq
>> I tried the commands above but am not getting anything. I tried looking at
>> the ungrepped output but I don't see how to link the pwdLastSet with any
>> user. I get a long list.
>> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
>> command bellow but I don't see anything that looks like users.

I'll give rpcclient a try

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland

Winner this worked wonderfully

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland

On Fri, 2017-02-03 at 07:44 -0700, Jeff Sadowski via samba wrote:
> This seems to work for maxPwdAge
>
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> dc=ad,dc=mydomain,dc=tld
> maxPwdAge
>
> now I just need to query a users pwdLastSetq

Don't bother. Let Samba do it for you, just query this operational attribute:

msDS-UserPasswordExpiryTimeComputed

on the user.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Actually is there a way to show it more like a timestamp. It is hard to compute days left with a date format like that. I guess I could use date to do the conversion but I was wondering if there is a cleaner way

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland
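
Added example, not part of any message in this thread: the two open questions above (querying one user by name, and getting a plain timestamp to compute days left) come down to handling AD's raw tick values, which this sketch converts with shell arithmetic only. The function names, the account `jdoe`, the sample LDIF and the commented `ldapsearch` invocation are assumptions made for illustration; the pwdLastSet value is reused from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. AD timestamps are FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_DIFF=11644473600        # seconds from 1601-01-01 to 1970-01-01
NEVER=9223372036854775807     # 0x7FFFFFFFFFFFFFFF, "never expires" (year 30828)

# Constructed sample of what a per-user query could return, e.g. (assumed
# invocation; add the bind options your setup needs):
#   ldapsearch -LLL -H ldap://ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld \
#     '(sAMAccountName=jdoe)' pwdLastSet msDS-UserPasswordExpiryTimeComputed
SAMPLE_LDIF='dn: CN=jdoe,CN=Users,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131300093694348218
msDS-UserPasswordExpiryTimeComputed: 131336381694348218'

# ldif_attr NAME: print the first value of attribute NAME from LDIF on stdin.
# Names are compared case-insensitively, as LDAP attribute names are.
ldif_attr() {
    awk -F': ' -v want="$1" 'tolower($1) == tolower(want) { print $2; exit }'
}

# filetime_to_epoch TICKS: FILETIME ticks -> Unix seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# expiry_from_policy PWDLASTSET MAXPWDAGE: the manual pwdLastSet + maxPwdAge
# calculation. maxPwdAge is a negative tick interval, so subtracting it adds
# the allowed age. Per-account "never expires" flags are not visible here.
expiry_from_policy() {
    if [ "$1" = 0 ]; then echo 0; return; fi      # must change at next logon
    case "$2" in
        0|-9223372036854775808) echo "$NEVER"; return ;;   # no maximum age
    esac
    echo $(( $1 - $2 ))
}

# days_left EXPIRY_TICKS NOW_EPOCH: whole days until expiry (truncated toward
# zero, negative once expired), "never" for the sentinel, "must-change" for 0.
days_left() {
    case "$1" in
        "$NEVER") echo never; return ;;
        0)        echo must-change; return ;;
    esac
    echo $(( ($(filetime_to_epoch "$1") - $2) / 86400 ))
}

# user_days_left NOW_EPOCH: read one user's LDIF on stdin and report days
# left, using the server-computed attribute rather than the manual sum.
user_days_left() {
    expiry=$(ldif_attr msDS-UserPasswordExpiryTimeComputed)
    days_left "$expiry" "$1"
}
```

Typical use is `ldapsearch ... | user_days_left "$(date +%s)"`; comparing against the sentinel as a string is what avoids the year-30828 date seen in the rpcclient output.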