Q&A Monday: Domain Password Last Changed

Question:

I am in a situation where I need to find out the last time a user changed their network password. Our domain policy forces a change of account passwords every 120 days, and a user is claiming that it’s been longer than that. I checked the GPO and everything looks OK, but is there a way to actually check the last time someone changed their password?

Answer:

I’ve run into this situation before, where a user is unsure when the password was changed and believed it was way past due. I did some searching around the internet and found a couple of scripts that would do this for you. After testing out a bunch of scripts, I found one that would do what I wanted and was actually easy to use. This script came from http://www.rlmueller.net. It was very simple to run, and gave me password last set dates for every user in my domain. Here’s how I did it.

  1. I downloaded the program from the website – direct download link here
  2. I renamed the PwdLastChanged.txt to PwdLastChanged.vbs (renaming this file to a VB Script so we can run it)
  3. Open up a command prompt and browse to where you downloaded the script (for me it was my C: drive)
  4. Run the following command: cscript //nologo PwdLastChanged.vbs "c:\Report.txt"
    NOTE: the C:\Report.txt can be changed to whatever you want
  5. Browse to the location of C:\Report.txt (or wherever you pointed it) and you have two options
    1. You can just open the Report.txt file and look at the information
    2. I renamed the Report.txt file to Report.csv and opened it with Excel, which made the information more readable.

Now this script is not only handy for finding out when a user is due for a password change. I’ve also been able to use this script to find accounts that are not in use anymore, because if a password falls outside of the set password expiration time, you can assume that the account hasn’t been used in that time frame. For example, if your password changes are forced every 4 months and you see accounts with 8+ months since the password has been changed, it may be an old inactive account. Now this won’t work for everyone, but it is a good place to start.
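The password-age check described above, as an added PowerShell example (not part of the original post and not the rlmueller.net script): it converts raw pwdLastSet values to dates, applies the 120-day policy and the twice-the-policy inactivity rule of thumb, and separates out accounts whose password age says nothing about activity. The function name, status labels and sample accounts are assumptions constructed for illustration.

```powershell
# Added example: constructed sample data, hypothetical account names.
$MaxAgeDays  = 120       # forced change interval from the question
$StaleFactor = 2         # 2x policy, like the "8+ months vs. 4 months" rule of thumb
$DISABLED    = 0x2       # userAccountControl bit: account disabled
$DONT_EXPIRE = 0x10000   # userAccountControl bit: password never expires

function Get-PasswordAgeStatus {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [long]   $PwdLastSet,   # FILETIME: 100 ns ticks since 1601-01-01 UTC
        [Parameter(Mandatory)] [int]    $UserAccountControl,
        [datetime] $Now = [datetime]::UtcNow
    )
    $lastSet = $null; $age = $null
    if ($PwdLastSet -eq 0) {
        # 0 is a flag, not a date: the password must be changed at next logon
        $status = 'MustChangeAtNextLogon'
    } else {
        $lastSet = [datetime]::FromFileTimeUtc($PwdLastSet)
        $age     = [int][math]::Floor(($Now - $lastSet).TotalDays)
        # An old password only hints at inactivity when the policy actually applies
        if     ($UserAccountControl -band $DISABLED)    { $status = 'Disabled' }
        elseif ($UserAccountControl -band $DONT_EXPIRE) { $status = 'NeverExpires' }
        elseif ($age -gt ($MaxAgeDays * $StaleFactor))  { $status = 'PossiblyInactive' }
        elseif ($age -gt $MaxAgeDays)                   { $status = 'Overdue' }
        else                                            { $status = 'Current' }
    }
    [pscustomobject]@{ Name = $Name; PwdLastSetUtc = $lastSet; AgeDays = $age; Status = $status }
}

# Constructed records standing in for directory data. With the ActiveDirectory
# module (an assumption), the same two attributes come from:
#   Get-ADUser -Filter * -Properties pwdLastSet,userAccountControl
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    @{ Name = 'alice';   PwdLastSet = $now.AddDays(-30).ToFileTimeUtc();  UserAccountControl = 0x200 }
    @{ Name = 'bob';     PwdLastSet = $now.AddDays(-150).ToFileTimeUtc(); UserAccountControl = 0x200 }
    @{ Name = 'carol';   PwdLastSet = $now.AddDays(-260).ToFileTimeUtc(); UserAccountControl = 0x200 }
    @{ Name = 'svc-app'; PwdLastSet = $now.AddDays(-900).ToFileTimeUtc(); UserAccountControl = 0x10200 }
    @{ Name = 'dave';    PwdLastSet = $now.AddDays(-400).ToFileTimeUtc(); UserAccountControl = 0x202 }
    @{ Name = 'newhire'; PwdLastSet = 0;                                  UserAccountControl = 0x200 }
)
$report = foreach ($u in $sample) { Get-PasswordAgeStatus @u -Now $now }
$report | Format-Table -AutoSize
```

With the constructed data, bob is Overdue and carol is PossiblyInactive, while svc-app, dave and newhire are reported separately instead of being mistaken for abandoned accounts.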

——————————————————————————————–
If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.
