There are many ways to check when a user set his password lastly, my two favorites are using either Powershell or the builtin net command that is present in all Current Windows versions.

PS C:\> [datetime]::fromfiletime((get-aduser testtest -Properties pwdlastset|select -exp pwdlastset))
C:\Users\administrator>net user /do testtest|find "Password last"
Password last set 2/14/2016 4:16:02 AM

There are other things that matter when we are discussing passwords. There are a few we need to keep in mind. The most basic are:

  • Checkbox - Password never expires
  • Checkbox - User must change password at next logon
  • Value - Maximum password age
  • Value - When was the password last set

So how is all this stored

  • Password never expires: does modify the 9th least significant bit (0x10000) of the attribute UserAccountControl.
  • When the password was last change is stored in the attribute pwdlastset as a filetime.
  • User Must change password at next logon: this one also stores if it checked as a 0 in pwdlastset.
  • Maximum password age: This one can be defined in two places:
    • A GPO - The value that is applied to the domain controllers is tha value in use, dont try to create password policed with multiple GPOs. The default GPO that has this information is the Default Domain Policy.
    • A Fine-Grained Password Policy - Here we can assign a policy to affect a single user or all members of a group with non default settings.
  • Fine-Grained Password Policies: Are stored in AD object under cn=Password Settings Container,cn=System.

The gotcha

Given that we know that the last time a password was changed is stored in pwdlastset. And if you check User Must change password at next logon, what happens if I uncheck it? Windows will set the current time as the time of the last password change.

This can be used for both good and bad, I have used it once. During a crisis and we could not allow people to change password, we had to allow people with expired passwords to logon. So I flagged them and removed the flag, they got another password period before they needed to change. Don’t use this technique instead of changing your admin password, this is probably against a few of your works policies.

Sources: