PwdLastSet attribute stores information about the last password change. In the active directory, you can check the last password change in Active Directory for the user account using the attribute called PwdLastSet.
The Get-AdUser PwdLastSet attribute stores the DateTime when the user password last time changed. If the value of Get-AdUser PwdLastSet is 0, the user has never logged on to the system. PwdLastSet attribute stores the user password last changed DateTime value in large integer format and is not human readable.
In this article, I will explain how to use the Get-AdUser PwdLastSet attribute to get a list of users who have never logged on or get a list of aduser last passwords to change DateTime using PowerShell.
Get-AdUser PwdLastSet to get user password DateTime
If you want to get active directory user last set password date timestamp, run the below command
Get-ADUser -Identity Toms -properties PwdLastSet,PasswordLastSet | sort Name | ft Name,PwdLastSet,PasswordLastSet
In the above PowerShell script, the Get-AdUser cmdlet gets active directory user object specified by samaccountname and selects properties PwdLastSet and PasswordLastSet of user object and pass output to the second command.
The second command selects Name and print it Name, PwdLastSet, and PasswordLastSet on the console as below
Name PwdLastSet PasswordLastSet
---- ---------- ---------------
Tom Smith 132721241372821181 7/30/2021 1:08:57 PMAs seen in the above output, the Get-AdUser PwdLastSet date format is a large integer. PasswordLastSet attribute contains the calculated value of the PwdLastSet attribute in date-time format.
We can use the expression for get-aduser pwdlastset convert to date format as below
@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}}Final PowerShell script to convert pwdlastset attribute value from number format to DateTime format as below
Get-ADUser -Identity Toms -properties PwdLastSet,PasswordLastSet | sort Name | ft Name,@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}},PasswordLastSet
The output of the above command after pwdlastset converts to date timestamp format as below
Name PwdLastSet PasswordLastSet
---- ---------- ---------------
Tom Smith 7/30/2021 1:08:57 PM 7/30/2021 1:08:57 PMIn the above output, it gets aduser last password change date using the PasswordLastSet property.
Tip: Use the Get-ADUser PasswordLastSet attribute if you want to query ad users for password last changed DateTime because of its DateTime format.
Cool Tip: How to find adusers password expiration date in PowerShell!
Convert pwdlastset to date using PowerShell
The pwdlastset attribute of the active directory user stores the last password change. This timestamp is the number of 100-nanosecond intervals since Jan 1, 1601, UTC.
pwdlastset attribute stores timestamps in System.Int64 data type format.
To convert pwdlastset to DateTime using PowerShell, use the below steps
- Use the DateTime class and call its FromFileTime method using the scope resolution operator ::
- FromFileTime method takes the active directory user pwdlastset attribute as an input parameter.
- Expression evaluates the
[DateTime]::FromFileTime($_.PwdLastSet)into a human-readable format and converts pwdlastset to date in PowerShell.
The pwdlastset convert to date example is given below:
Get-ADUser -Identity Toms -properties PwdLastSet,PasswordLastSet | sort Name | ft Name,@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}},PasswordLastSet
The output of the above in PowerShell converts pwdlastset to DateTime in human-readable format for pwdlastset value of 132975302840000000 is :
Name PwdLastSet PasswordLastSet
---- ---------- ---------------
Tom Smith 5/20/2022 2:24:44 PM 5/22/2022 2:24:44 PMCool Tip: How to get-aduser change password at next logon in PowerShell!
Get-AdUser PwdLastSet – Get Users from Specific OU
If you want to get list of adusers password last time changed in specific OU using the Get-AdUser PwdLastSet filter parameter as below
Get-ADUser -SearchBase "OU=SALES,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name,PwdLastSet,PasswordLastSet | sort Name | ft Name,@{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}},PasswordLastSet
In the above PowerShell script, the Get-AdUser cmdlet get list of aduser from specific OU using the SearchBase parameter and passes the output to the second command.
The second command sort the users list by name and print Name, PwdLastSet, and PasswordLastSet properties on the console as below
Name PwdLastSet PasswordLastSet
---- ---------- ---------------
Chris Dore 8/1/2021 3:36:53 PM 8/1/2021 3:36:53 PM
Tom Smith 7/30/2021 1:08:57 PM 7/30/2021 1:08:57 PM
Dev 0In the above output,
The first two records display PwdLastSet in date format as we have used expression to convert large integers to DateTime format.
However, the last record for aduser Dev has PwdLastSet 0 value, which means that the user has never logged on, hence the PwdLastSet value is 0.
It also displays the aduser’s last password change date.
Conclusion
I hope the above article about the Get-AdUser PwdLastSet attribute helps you to understand when the last DateTime user password was changed.
PwdLastSet attribute contains System.Int64 integer value and needs to convert into DateTime for human-readable format. Read more to export ad user to CSV file in PowerShell.
PasswordLastSet attribute displays the active directory user’s last password change date.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.