how to check last password change in active directory powershell

3 min read 13-01-2025

Knowing when user passwords were last changed in Active Directory is crucial for security. This article shows you several PowerShell methods to check the last password change date for Active Directory users, both individually and in bulk. We'll cover different scenarios and techniques to help you find the information you need efficiently.

Method 1: Checking a Single User's Last Password Change

This is the simplest method, perfect for quickly checking a specific user's password change history.

Get-ADUser -Identity "username" -Properties pwdLastSet | Select-Object Name, pwdLastSet

Replace "username" with the actual username. The pwdLastSet property stores the last password change time. Note that this is stored as a large integer representing the number of 100-nanosecond intervals since January 1, 1601. To make it human-readable:

$user = Get-ADUser -Identity "username" -Properties pwdLastSet
([datetime]::FromFileTime($user.pwdLastSet)).ToLocalTime()

This converts the pwdLastSet value into a readable date and time in your local timezone.

Method 2: Checking Multiple Users' Last Password Changes

For checking multiple users, you'll want to use a more efficient method. This example uses a CSV file containing usernames:

1. Create a CSV file (e.g., users.csv) with a column named "username":

username
user1
user2
user3

2. Use the following PowerShell script:

Import-Csv -Path ".\users.csv" | ForEach-Object {
    $name = $_.username
    try {
        # Get-ADUser -Identity raises a terminating error when the account does not exist,
        # so the lookup is wrapped in try/catch instead of being tested with if ($user).
        $user = Get-ADUser -Identity $name -Properties pwdLastSet -ErrorAction Stop
        $lastPasswordChange = ([datetime]::FromFileTime($user.pwdLastSet)).ToLocalTime()
        Write-Host "Username: $($user.Name), Last Password Change: $lastPasswordChange"
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # $name is captured above because inside catch $_ is the error record, and
        # "$_.username" would expand only $_ and print ".username" literally.
        Write-Host "User '$name' not found."
    }
}

This script reads the usernames from the CSV, retrieves the pwdLastSet property for each, converts it to a readable date and time, and displays the results. It also includes error handling for users not found in Active Directory.

Method 3: Finding Users Whose Passwords Haven't Been Changed Recently

This is a critical security task. Let's identify users who haven't changed their passwords within the last 90 days:

$cutoffDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter * -Properties pwdLastSet | Where-Object {$_.pwdLastSet -ne 0 -and ([datetime]::FromFileTime($_.pwdLastSet)).ToLocalTime() -lt $cutoffDate} | Select-Object Name, SamAccountName, pwdLastSet | ForEach-Object {
    $lastPasswordChange = ([datetime]::FromFileTime($_.pwdLastSet)).ToLocalTime()
    Write-Host "Username: $($_.Name), Last Password Change: $lastPasswordChange"
}

This script iterates through all users, filters out users with pwdLastSet equal to 0 (meaning the password was never changed or is not stored), compares the last password change date to the cutoff date (90 days ago), and outputs the names and last password change dates of users who haven't changed their passwords recently. Adjust the AddDays value to change the timeframe.

Method 4: Exporting Results to a CSV File

For better analysis and reporting, export the results to a CSV:

$cutoffDate = (Get-Date).AddDays(-90)
$users = Get-ADUser -Filter * -Properties pwdLastSet | Where-Object {$_.pwdLastSet -ne 0 -and ([datetime]::FromFileTime($_.pwdLastSet)).ToLocalTime() -lt $cutoffDate} | Select-Object Name, SamAccountName, @{Name="LastPasswordChange";Expression={[datetime]::FromFileTime($_.pwdLastSet).ToLocalTime()}}

$users | Export-Csv -Path ".\password_change_report.csv" -NoTypeInformation

This exports the username, SamAccountName, and the last password change date (in a readable format) to a CSV file named password_change_report.csv.

Important Considerations

  • Permissions: Ensure you have the necessary Active Directory permissions to read user properties.
  • Large Environments: For extremely large Active Directory environments, consider optimizing these scripts for performance using techniques like pagination or filtering by organizational unit (OU).
  • Error Handling: Always include robust error handling in production scripts to gracefully manage potential issues like network connectivity problems or user account not found errors.
  • Security: Be mindful of storing and handling user password information securely. Avoid directly exposing passwords in scripts or reports.
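
Methods 3 and 4 pull every user account and filter on the client; the Large Environments note above is normally addressed by pushing the same pwdLastSet comparison into the LDAP query and scoping it to an OU. The following is an added example, not code from the original article: it assumes the ActiveDirectory module is available, and the OU distinguished name and output file name are placeholders.

```powershell
# Added example (not from the original article): server-side stale-password report.
# Assumes the ActiveDirectory module is installed and that the caller can read the
# users being queried. The OU distinguished name below is a placeholder.
Import-Module ActiveDirectory

function Get-StalePasswordReport {
    [CmdletBinding()]
    param(
        [int]$Days = 90,
        # Restrict the search to one OU to keep large directories responsive.
        [string]$SearchBase = 'OU=Users,DC=example,DC=com',   # placeholder DN
        [switch]$IncludeDisabled
    )

    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC), so the cutoff
    # must be converted to the same representation before it goes into the filter.
    $cutoffFileTime = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    # The comparison runs on the domain controller, so only matching objects travel
    # over the wire. pwdLastSet=0 ("must change password at next logon") is excluded
    # because it does not mean an old password; no current one is recorded.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; UAC bit 2 = disabled.
    $ldap = "(&(objectCategory=person)(objectClass=user)(!(pwdLastSet=0))(pwdLastSet<=$cutoffFileTime)"
    if (-not $IncludeDisabled) {
        $ldap += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }
    $ldap += ')'

    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties pwdLastSet, userAccountControl |
        ForEach-Object {
            # FromFileTime already returns local time; no ToLocalTime() call is needed.
            $lastSet = [datetime]::FromFileTime($_.pwdLastSet)
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                LastPasswordChange   = $lastSet
                DaysSinceChange      = (New-TimeSpan -Start $lastSet -End (Get-Date)).Days
                # UAC bit 0x10000 = DONT_EXPIRE_PASSWORD; these accounts are never
                # forced to rotate and usually deserve the closest review.
                PasswordNeverExpires = [bool]($_.userAccountControl -band 0x10000)
            }
        }
}

# Accounts stale for 90+ days, oldest first, written out for review (placeholder path).
Get-StalePasswordReport -Days 90 |
    Sort-Object DaysSinceChange -Descending |
    Export-Csv -Path '.\stale_passwords.csv' -NoTypeInformation
```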

By using these PowerShell commands, you can effectively manage and monitor Active Directory user password changes, enhancing the security of your environment. Remember to adapt these scripts to your specific needs and environment, and always test them thoroughly in a non-production environment before deploying them to production.