
How to get user password expiration date from Active Directory?

Folks!

There is an Active Directory (Windows) and a Linux Samba client. In Active Directory, the policy has been adjusted in such a way that users need to change their passwords periodically (passwords have an expiration time).

My question is pretty simple: can I get this expiration time for a given user if I work on the Linux machine with Samba?

Serge Roussak asked Jan 05 '16 10:01



2 Answers

This depends on the configuration of the domain controller. You can try:

net ads user info [email protected] -S DC_SERVER_NAME -U USERNAME

where [email protected] is the account to gather info from, DC_SERVER_NAME is the hostname of your domain controller and USERNAME is your username.

You will be prompted for your domain password.

Now you either get information about your account, including the expiry date of your password, or you get

ads_pull_uint32 failed

In this case, your domain controller is not configured to provide account information to UNIX-like systems.

You may contact your domain administrator to convince him to install and configure Microsoft Windows Services for UNIX so that this command gives you the needed information.

This answer might be frustrating. It is for me as I am in the same situation and researched the topic a lot.

My workaround: I set a calendar reminder 80 days in the future, when I set my domain password (smbpasswd -U USERNAME -r DC_SERVER_NAME), since it expires every 90 days. Not perfect, but workable.

[UPDATE] I found a way to determine the expiration date of your domain password with rpcclient, here is my script:

#!/bin/bash
# author: Tim Wahrendorff 2016
# licence: Public Domain - https://wiki.creativecommons.org/wiki/Public_domain
# 
# To use this script you need at least: 
# sudo apt-get install libnotify-bin rpcclient
#
# Please set your account, password and domaincontroller to use this script


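USER="username" # Domain accountname
PASS='Pa$$W0rd' # Domain password (single quotes: inside double quotes $$ expands to the shell's PID)
DC="vmdc01"     # Domaincontroller

### START RPCCLIENT query
# Look up the account's RID unless USERDCID is already set
if [ "x$USERDCID" == "x" ]; then
    RPCLOOKUPID=$(rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC" 2> ./rpc_errFile)

    USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
fi

QUERYUSER=$(rpcclient -U "$USER%$PASS" -c "queryuser $USERDCID" "$DC" 2> ./rpc_errFile)

# Pull the date out of the "Password must change Time" line
# ([A-Za-z] instead of [a-Z], which is an invalid range in some locales)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | grep -e '[A-Za-z]\{2\}, [0-9]\{2\} [A-Za-z]\{3\} [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}' -o)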

## Load rpc error Message
RPCERR=$(<./rpc_errFile)

## send notifications to Unity Desktop
if [ "x$RPCERR" != "x" ]; then
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-error.png "Error while fetching expiration date of your domain password" "$RPCERR"    
else
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-information.png "your domain password expires at " "$EXPDATE h"
fi

### END RPCCLIENT query

I configured this script to run on autostart; it shows me when my domain password will expire in a Unity notification. Feel free to extend, improve and republish this script, it is public domain.

[/UPDATE]

mondjunge answered Nov 15 '22 08:11
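
An added example, not part of the answer above: a POSIX shell function that turns the `Password must change Time` line of `rpcclient ... queryuser` output into days remaining, and handles the "never expires" and "line missing" cases. The sample output, the `jdoe` account, the `~/.smbcred` path and the function names are constructed or assumed; GNU `date` is required.

```shell
#!/bin/sh
# Added example, not the answer author's script. Requires GNU date (-d).
# Live use, keeping the password off the command line with a mode-600
# credentials file (the path is hypothetical):
#   rpcclient -A "$HOME/.smbcred" -c "queryuser $RID" "$DC" | pw_days_left

# Reads queryuser output on stdin; $1 is an optional "now" in epoch seconds.
# Prints whole days left (negative = already expired) or "never".
# Returns 2 when the line is missing or the date cannot be parsed.
pw_days_left() {
    now=${1:-$(date +%s)}
    # Keep what follows the label, then drop the leading "Sun, " weekday.
    stamp=$(sed -n 's/^[[:space:]]*Password must change Time[[:space:]]*:[[:space:]]*//p' \
            | sed 's/^[A-Za-z]\{3\}, //' | head -n 1)
    [ -n "$stamp" ] || return 2
    # Assumption: a 5-digit year (Samba shows the maximum NT time as a
    # date in year 30828) means the password never expires.
    case $stamp in
        *" "[0-9][0-9][0-9][0-9][0-9]*) echo never; return 0 ;;
    esac
    exp=$(date -d "$stamp" +%s 2>/dev/null) || return 2
    echo $(( (exp - now) / 86400 ))
}

# Constructed sample output (not captured from a real domain controller).
sample_queryuser() {
    printf '\tUser Name   :\tjdoe\n'
    printf '\tPassword last set Time   :\tMon, 04 Jan 2016 10:10:00 UTC\n'
    printf '\tPassword must change Time:\t%s\n' "$1"
}

ref=$(date -u -d '2016-03-24 10:10:00 UTC' +%s)
sample_queryuser 'Sun, 03 Apr 2016 10:10:00 UTC' | pw_days_left "$ref"    # 10
sample_queryuser 'Thu, 14 Sep 30828 02:48:05 UTC' | pw_days_left "$ref"   # never
```

A return code of 2 covers the `ads_pull_uint32 failed` style of outcome, where the query returns no usable expiry line.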


On Linux you can use pdbedit

pdbedit -L -v -u <username>

And look for the line: Password must change

Cleber Reizen answered Nov 15 '22 07:11