Q&A Monday: Domain Password Last Changed
I am in a situation on where I need to find out when the last time a user changed their network password. Our domain policy forces the change in account passwords every 120 days, and a user is claiming that it’s been longer than that, I checked the GPO and everything looks OK, but is there a way to actually check the last time someone changed their password?
I’ve run into this situation before, where a user is unsure when the password was changed and believed it was way passed due. I did some searching around the internet and found a couple of scripts that would do this for you. After testing out a bunch of scripts, I found one that would do what I wanted and was actually easy to you. This script came from http://www.rlmueller.net. It was very simple to run, and gave me password last set dates for every user in my domain. Here’s how I did it.
- I downloaded the program from the website – direct download link here
- I renamed the PwdLastChanged.txt to PwdLastChanged.vbs (renaming this file to a VB Script so we can run it)
- Open up a command prompt and browse to where you downloaded the script (for me it was my C: drive)
- run the following command: cscript //nologo PwdLastChanged.vbs “c:\Report.txt”
NOTE: the C:\Report.txt can be changed to whatever you want
- You browse to the location of C:\Report.txt (or wherever you pointed it) and you have two options
- You can just open the Report.txt file and look at the information
- I renamed the Report.txt file to Report.csv and opened with Excel and made the information more readable.
Now this script is not only handy for finding out when a user is due for a password change. I’ve also been able to use this script to find out accounts that are not in use anymore. Because if a password falls outside of the set password expiration time, you can assume that the account hasn’t been used in that time frame. For example, your password changes are forced every 4 months, and you see accounts with 8+ months since the password has been changed, it may be an old inactive account. Now this wont work for everyone, but it is a good place to start.
If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at firstname.lastname@example.org, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insightes.