Thursday, 1 May 2014

Splunk & Active Directory Password Expiry

So the other day I was asked by our IT Helpdesk if I could send them an alert when a VIP user's password is close to expiring, so that they could proactively go through the laborious process of changing the password on multiple devices (a topic for another day).

Since it took me a bit of time to get it right, I thought I would share the search I used so that it might help someone else as well.

If you spot errors (which is quite easy when trying to work with Active Directory timestamps), let me know so we can fix it for everyone.

The search uses "ldapsearch" of course, which is yet again a topic for another day, and assumes that your password expiry is set to 30 days and you want to be warned 5 days before it expires.

It looks like this:

| ldapsearch domain=DOMAIN search="(&(objectCategory=user)(|(sAMAccountName=user1)(sAMAccountName=user2)))"
| eval pwd=strptime(pwdLastSet,"%Y/%m/%d %T")
| eval pwdExpires=pwd+(30*86400)
| eval pwdAge=round((now()-pwd)/86400,0)
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime(pwdExpires) as pwdExpires
| table cn,description,userAccountControl,sAMAccountName,pwdLastSet,pwdExpires,pwdAge
| sort pwdExpires
| where pwdAge > 25
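
The same expiry calculation outside Splunk, as an added Python example (not part of the original search) that goes a little further than the search does: it assumes raw LDAP values, where pwdLastSet is a count of 100-nanosecond ticks since 1601-01-01 UTC, and it separates out accounts the search above would misreport (pwdLastSet of 0, disabled accounts, and the "password never expires" flag in userAccountControl). The account names and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Assumed input: raw AD attribute strings from a plain LDAP query, before any
# add-on has reformatted pwdLastSet into a "%Y/%m/%d %T" string.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires
MAX_AGE_DAYS = 30                # expiry policy assumed in the post
WARN_DAYS = 5                    # warning window assumed in the post

def filetime_to_dt(filetime):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def password_status(user, now):
    """Return (status, expiry datetime or None) for one AD record."""
    uac = int(user["userAccountControl"])
    if uac & UF_ACCOUNTDISABLE:
        return "disabled", None
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never_expires", None
    if int(user["pwdLastSet"]) == 0:
        # 0 means "must change at next logon", not a date in 1601.
        return "must_change", None
    expires = filetime_to_dt(user["pwdLastSet"]) + timedelta(days=MAX_AGE_DAYS)
    if expires <= now:
        return "expired", expires
    if expires - now <= timedelta(days=WARN_DAYS):
        return "expiring_soon", expires
    return "ok", expires

def report(users, now):
    """Map sAMAccountName -> status for a list of records."""
    return {u["sAMAccountName"]: password_status(u, now)[0] for u in users}

NOW = datetime(2014, 5, 1, 12, 0, tzinfo=timezone.utc)
# Constructed sample: (name, userAccountControl, days since password set)
SAMPLE = [("user1", 512, 27), ("user2", 512, 10), ("svc1", 66048, 400),
          ("user3", 512, None), ("user4", 514, 3), ("user5", 512, 31)]
SAMPLE_USERS = [{"sAMAccountName": n, "userAccountControl": str(u),
                 "pwdLastSet": "0" if d is None
                 else str(dt_to_filetime(NOW - timedelta(days=d)))}
                for n, u, d in SAMPLE]

if __name__ == "__main__":
    print(report(SAMPLE_USERS, NOW))
```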

2 comments:

  1. Interesting information. This is just the kind of information that I had been looking for. I'm already your RSS reader now and I would regularly watch out for the new posts. Thanks a million once again. Regards, servicenow training in hyderabad, splunk training in hyderabad, cornish hen recipe

  2. Good article. Actually, I enjoyed a lot while reading this article. It's useful. I found one more good resource related to Splunk while doing searches on the internet, which I am sharing with you. Just go through this link: https://intellipaat.com/splunk-training/

