Using various tools, you can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”.
You can check the value of “PwdLastSet” using either ADSIEdit tool or DSQuery. ADSIEdit tool shows the value in human readable format. DSQuery returns the attribute value in decimal format but it is easier to query PwdLastSet value for all users using DSQuery command.
There are two commands you need to run if you are using the DSQuery method; “DSQuery” and “W32tm.exe with /ntte” switch.
W32tm.exe with /mute switch is used to convert decimal to human readable timestamp format. For example, to get the PwdLastSet for a user account, run the following command:
- DSQuery * “CN=TestUser,CN=Users,DC=<YourDomainName>, DC=<Com>” –Attr PwdLastSet
After running above command, the output is returned in decimal format as shown below:
PwdLastSet: 130187706386006320
Next, run the W32tm.exe /ntte <decimal value> command to get the timestamp in human readable format as stated below:
- w32tm.exe /ntte 130187706386006320
150680 05:10:38.6006320 – 7/19/2013 10:10:38 PM
About Nirmal Sharma
Nirmal is a MCSEx3, MCITP and was awarded Microsoft MVP award in Directory Services. He is specialized in Directory Services, Microsoft Clustering, Hyper-V, SQL and Exchange and has been involved in Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles. Nirmal can be reached at ni[email protected]
