Passwords need to be changed regularly. This is one of the most basic password security best practices as it protects user accounts from hackers, scammers, and other security threats. Therefore, a strict password change policy is required in every organization.
Tracking password change dates is essential for security compliance, identifying stale accounts, and detecting potential unauthorized access. Being able to see the last password change date for a user is helpful when troubleshooting an account lockout or investigating a data breach.
If you have enough PowerShell knowledge and experience, you can see the password’s last set date by creating and running a script using the Get-ADUser cmdlet. However, using this native method means you need to have knowledge of PowerShell scripting. A solution to this is to use Lepide Active Directory Auditor and run the Password Older than n Days Report.
These two ways to find the last password change date are described as follows::
- Using the Native Method (PowerShell Script)
- Using the Lepide Active Directory Auditor
What is the PasswordLastSet Attribute?
The pwdLastSet attribute in Active Directory stores the date and time a user’s password was last changed. This value is stored as an Integer8 (large integer) data type. PowerShell’s PasswordLastSet property automatically converts this integer value to a readable datetime format, making it easy to interpret.
PowerShell to Find Last Password Change Date in Active Directory
Prerequisites
Before running the PowerShell commands, ensure you have:
- Active Directory PowerShell module installed
- Appropriate permissions to query user accounts
- PowerShell running on a domain-joined machine
Step 1: Open PowerShell as Administrator
Right-click on PowerShell and select “Run as administrator.” If needed, import the Active Directory module:
Import-Module ActiveDirectoryStep 2: Run the Get-ADUser Command
Run the following script, using the –identity parameter to specify the user account that you want to know the password last set date for:
Get-ADUser -identity Gemma -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, PasswordneverexpireStep 3: Interpret the Results
Review the results:
Script Variations
Check all users in the domain
Get-ADUser -Filter * -Properties PasswordLastSet | Select-Object Name, PasswordLastSetCheck users in a specific OU
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=domain,DC=com" -Properties PasswordLastSet | Select-Object Name, PasswordLastSetFind the Last Password Change Date Using the Lepide Active Directory Auditor
This native way to find the last password changed for an AD User Account is complex and requires knowledge of how to write a PowerShell script. A more straightforward solution to this is to use Lepide Active Directory Auditor.
Lepide Active Directory Auditor overcomes the complexity of the native method by providing a straightforward way to list all passwords older than a specified number of days by using the Password Older than n Days Report:
- Click the Permissions & Privileges icon and select Password Older than n Days
- Specify a domain name
- Click Generate Report
- The report shows the date the password was last changed
- The report can be filtered, sorted, saved, and exported
Conclusion
As you can see, Lepide Active Directory Auditor provides a far simpler method of finding the data a password was last changed for an AD User Account.
Frequently Asked Questions
$Date = (Get-Date).AddDays(-90) Get-ADUser -Filter {PasswordLastSet -lt $Date} -Properties PasswordLastSet | Select-Object Name, PasswordLastSet
pwdLastSet is the raw Active Directory attribute stored as an Integer8 value. PasswordLastSet is the PowerShell-friendly property that automatically converts this value to a readable datetime format.