In this guide, I’ll show you two options on how to get the last password change date for Active Directory users. This information is saved to the pwdLastSet attribute for each AD user account.
In this article:
- Option 1. Get Last Password Change Date with PowerShell
- Option 2. Get Last Password Change Date with AD Pro Toolkit
- How to check last password change in Active Directory
- Get-ADUser PwdLastSet Details
- Get Password Last Set Date for Users from Specific Organizational Unit (OU)
Let’s dive right in.
Option 1. Get Last Password Change Date with PowerShell
In this example, I’ll show you how check the last password change date using PowerShell.
Step 1. Open PowerShell
Step 2. Copy and run the below command.
Change -identity to the username of the account you want to check.
Get-ADUser -identity robert.allen -properties PwdLastSet | sort Name | ft Name,@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}}
Option 2. Easily Get Last Password Change Date with the AD Pro Toolkit
In this example, I’ll use the AD Pro Toolkit to get the password last set date for all user accounts.
The toolkit includes an Active Directory Reporting Tool that makes it easy to run password reports for all users or specific user accounts.
Step 1. Click on “Password Reports” then click on the “Password Recently Changed” report.
Step 2. Enter a time frame and click “Run”. It defaults to showing users who changed their password in the last 30 days.
Optionally, you can click “Browse” to select an OU or group, by default it will run for all users.
Automated Password Last Set Date Email Report
The AD Pro Toolkit includes a built in schedular so you can automate running a report on when users last changed their password. Click on Scheduler and then click the Add button to create a schedule. This report can be emailed daily, weekly or monthly.
How to Check Last Password Change in Active Directory
To check when a user last changed their password in Active Directory follow these steps.
- Open Active Directory users and Computers
- Open the account properties
- Select the Attribute Editor tab
- Scoll down to the pwdLastSet attribute
Get-ADUser PwdLastSet Details
The PwdLastSet attribute is stored as an Interger8 data type, meaning it’s not in a readable format.
The PowerShell expression below is used to convert the PwdLastSet value to a readable value.
@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}}Here is a screenshot of the value of the PwdLastSet attribute before converting it.
Here is a screenshot after adding the expression to the PowerShell command.
The AD Pro Toolkit converts the pwdLastSet by default making it fast and easy to use.
Click here to download a free trial.
Get Password Last Set Date for Users From Specific Organizational Unit (OU)
Use the -SearchBase option to specify an OU. The below example gets the password last set for all users in my Accounting OU.
Get-ADUser -SearchBase "OU=Accounting,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" -properties PwdLastSet | sort Name | ft Name,@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}}With the AD Pro Toolkit just click browse and select one or multiple OUs.
You Might Also Like:
if u want to find for one user u can use the net user username /domain command. Nice article robert!
How do I get specific users if im searching the entire AD?
Use “get-ADUser -identity username” to get the password details for a specific user.
Instead of the export-csv, you can just pipe the output, to a text file, by using “>”path and filename””
ex:
Get-ADUser -filter * -properties PwdLastSet | sort Name | ft name,@{Name=’PwdLastSet’;Expression={[DateTime]::FromFileTime($_.PwdLastSet)}} >c:\temp\lastpwchg.cfg
Thanks for the example Jesper.