Even if an organization does not force its employees to change their passwords periodically, it may occasionally be necessary to require new passwords. This is especially true if there are signs of a successful attack in which intruders may have compromised user accounts.
In this case, you would perform a company-wide reset by setting ChangePasswordAtLogon on all accounts, which forces a new password at the next logon (in Active Directory, this sets the pwdLastSet attribute to 0). However, this measure has no effect on users who do not log on for a longer period of time, e.g., due to vacation or sick leave: their accounts keep the old password until they next log on.
Date contained in the PwdLastSet attribute
To determine which accounts still have not changed their password after a certain period of time, you can run a query. Active Directory stores the date of the last password change in the PwdLastSet attribute.
For individual accounts, this data can be viewed in Active Directory Users and Computers under an account's properties in the Attribute Editor tab.
However, this GUI tool is not suitable for examining many accounts. PowerShell is the better option here. If you read the value of pwdLastSet directly, you get a 64-bit integer (a Windows FILETIME, i.e., the number of 100-nanosecond intervals since January 1, 1601 UTC) that you would first have to convert into a readable date.
NoteProperty with DateTime-Object
Instead, the Get-ADUser cmdlet provides a DateTime object directly via the PasswordLastSet property (Get-Member shows it as a NoteProperty). This is not only readable as a date but can also be used in date comparisons and other time-related operations.
To display the date of the last password change for all users in a specific OU, enter a command like this:
Get-ADUser -SearchBase "OU=Sales,DC=contoso,DC=com" -Filter * -Properties PasswordLastSet | Select Name, PasswordLastSet
In our example, however, we want to know who has not changed their password since a certain date, so we need accounts whose PasswordLastSet is less than (older than) that date. This query looks like this:
Get-ADUser -Properties PasswordLastSet -Filter "PasswordLastSet -lt '10/01/2022'" | Select Name, PasswordLastSet
This command lists all accounts whose password was last set before October 1, 2022. Two caveats: a date string such as '10/01/2022' is interpreted according to the culture of the PowerShell session (October 1 or January 10), so it is safer to pass a [DateTime] variable; and accounts whose forced password change is still pending (pwdLastSet = 0) have an empty PasswordLastSet value, which "-lt" never matches, so these accounts have to be queried separately.
Displays the accounts that have not changed their password after a certain date.
If you want to disable the accounts in question until the users are ready to change their passwords, you can do this with Disable-ADAccount. Note that disabling an account is not the same as an account lockout, which is temporary and caused by failed logon attempts.
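The following script is an added example that ties the steps above together; it is not code from the original article. It assumes the OU "OU=Sales,DC=contoso,DC=com" and the cutoff date 2022-10-01, both of which you would replace with your own values. It reports enabled accounts whose password is older than the cutoff, separately reports accounts whose forced change is still pending (pwdLastSet = 0, which Get-ADUser shows as an empty PasswordLastSet), converts the raw pwdLastSet FILETIME value for comparison with the PasswordLastSet property, and previews disabling the stale accounts with -WhatIf.

```powershell
# Added example, not code from the original article. Assumed values: the OU
# "OU=Sales,DC=contoso,DC=com" and the cutoff date 2022-10-01.
Import-Module ActiveDirectory

$searchBase = 'OU=Sales,DC=contoso,DC=com'
# ISO date string: parsed the same way regardless of the session's culture,
# unlike '10/01/2022', which is Oct 1 or Jan 10 depending on the locale.
$cutoff = Get-Date '2022-10-01'

function Convert-PwdLastSet {
    # pwdLastSet is a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC).
    # 0 means "user must change password at next logon", so there is no date.
    param([Int64]$Value)
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTime($Value)
}

# Enabled accounts whose password was last set before the cutoff. The DateTime
# variable is passed into the filter; the AD module turns it into a comparison
# against pwdLastSet that runs on the domain controller.
$stale = @(Get-ADUser -SearchBase $searchBase `
    -Filter 'Enabled -eq $true -and PasswordLastSet -lt $cutoff' `
    -Properties PasswordLastSet, pwdLastSet)

# Accounts with a pending forced change have pwdLastSet = 0, shown by
# Get-ADUser as an empty PasswordLastSet. "-lt" never matches an empty value,
# so these need their own query.
$pending = @(Get-ADUser -SearchBase $searchBase `
    -Filter 'Enabled -eq $true -and PasswordLastSet -notlike "*"' `
    -Properties PasswordLastSet, pwdLastSet)

$report = ($stale + $pending) | ForEach-Object {
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Name            = $_.Name
        # Converted from the raw attribute; equals $_.PasswordLastSet.
        PasswordLastSet = Convert-PwdLastSet $_.pwdLastSet
        State           = if ($_.pwdLastSet -eq 0) { 'reset pending' } else { 'stale' }
    }
}

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize

# Disable (not lock out) the stale accounts until their owners can set a new
# password. -WhatIf only previews the change; remove it to apply.
$report | Where-Object State -eq 'stale' | ForEach-Object {
    Disable-ADAccount -Identity $_.SamAccountName -WhatIf
}
```

Run the script first with -WhatIf in place and review the table; accounts in the "reset pending" state already have a forced change queued and only need attention if you want them disabled as well.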