When did users last change their password in Active Directory?

Home Blog When did users last change their password in Active Directory?

4sysops - The online community for SysAdmins and DevOps

    , ,   0
Changing passwords regularly is no longer recommended, and the Security Baseline for Windows doesn't include a corresponding setting. Nevertheless, in certain situations, it can be important to know how old the user's passwords are. You can easily find this out with PowerShell.
Contents
  1. Date contained in the PwdLastSet attribute
  2. NoteProperty with DateTime-Object
Latest posts by Wolfgang Sommergut (see all)

Even if organizations do not force their employees to change their passwords periodically, it may sometimes be necessary to require new passwords. This is especially true if there are signs of a successful attack in which intruders might have hacked user accounts.

In this case, you will perform a company-wide reset for all passwords by setting the ChangePasswordAtLogon attribute. However, this measure will not affect users who do not log on for a longer period of time, e.g., due to vacation or sick leave.

Date contained in the PwdLastSet attribute

To determine which accounts still have not changed their password after a certain period of time, you can run a query. Active Directory stores the date of the last password change in the PwdLastSet attribute.

For individual accounts, this data can be viewed in Active Directory Users and Computers under an account's properties in the Attribute Editor tab.

Show the pwdlastSet attribute in AD Users and Computers

Show the pwdlastSet attribute in AD Users and Computers

However, this GUI tool is not suitable for examining many accounts. Instead, PowerShell is a better option here. If you intend to read the value of PwdLastSet directly, you will get a long integer for the date, which you would have to convert into a readable format.

NoteProperty with DateTime-Object

Instead, the Get-AdUser cmdlet returns a datetime object directly via the NoteProperty PasswordLastSet. This is not only readable as a date but can also be processed in time-related operations.

To display the date of the last password change for all users in a specific OU, enter a command like this:

Get-ADUser -SearchBase "OU=Sales,DC=contoso,DC=com" `
-Filter * -properties PasswordLastSet | Select Name, PasswordLastSet

In our example, however, we want to know who has not changed their password after a certain date. This query looks like this:

Get-ADUser -Properties PasswordLastSet -Filter "PasswordLastSet -gt '10/01/2022'" |
Select name, PasswordLastSet

This command lists all accounts that have not changed their password since October 1, 2022.

Displays the accounts that have not changed their password after a certain date

Displays the accounts that have not changed their password after a certain date

Displays the accounts that have not changed their password after a certain date.

Subscribe to 4sysops newsletter!

If you want to lock the accounts in question until the users are ready to change their passwords, you could do this with Disable-ADAccount.

avataravatar
Related Articles
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published.

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account