PowerShell: Check When User Last Set Active Directory Password

If a user can’t access an application that authenticates with Microsoft Active Directory, it’s helpful to check to see when the user last set their password since the application may be using cached credentials. Here’s how to use PowerShell to get the passwordlastset value.

  1. Select the “Start” button, then type “powershell“.
  2. Right-click on “Windows PowerShell“, then select “Run as Administrator“.
  3. Provide credentials for a user that has access to Active Directory.
  4. Now you can use the following to find the when a user set the password last. 
  5. Replace “theusername” with the actual username of the user you wish to query:
get-aduser -identity theusername  -properties passwordlastset | ft Name, passwordlastset

You could also grab all users in a certain OU using this. 

get-aduser -Filter * -properties passwordlastset -SearchBase "OU=Staff,OU=Users,DC=domain,DC=com" | ft Name, passwordlastset

Or just get the enabled accounts:

get-aduser -Filter 'enabled -eq $true' -properties passwordlastset -SearchBase "OU=Staff,OU=Users,DC=domain,DC=com" | ft Name, passwordlastset, enabled

Export it to a CSV file:

get-aduser -Filter 'enabled -eq $true' -properties passwordlastset -SearchBase "OU=Staff,OU=Users,DC=domain,DC=com" | Select Name, passwordlastset, enabled | Export-csv -path c:\Temp\PassLastSet.csv

Leave a comment

Your email address will not be published. Required fields are marked *