
How to Find Last Password Change Date in Active Directory

Worried about outdated or unsafe passwords compromising your organization's security? Admins often need to check users' last password change date to ensure that users comply with organizational password policies. This guide will help admins track key password details, such as a user's last password change date and password policy settings, for effective user password management.

Get Last Password Change Date Using Active Directory Users & Computers

Active Directory permission required: Account Operators (least privilege), Domain Administrators (most privilege)

  • Open Active Directory Users and Computers console.
  • Navigate to the respective Organizational Unit (OU).
  • Double click on the required user to open the account properties.
  • Select the Attribute Editor tab.

    Note: This tab will be available only when Advanced Features is enabled under View option.

  • Scroll down and find the ‘pwdLastSet’ attribute to see when the user's password was last updated in Active Directory.

Check Last Password Change Date Using Windows PowerShell

Active Directory permission required: Account Operators (least privilege), Domain Administrators (most privilege)

  • Ensure the Active Directory PowerShell module is already installed in your environment.
  • Run the below cmdlet to get the last password change date for a specific user.

    Note: Replace <UserName> with the targeted username before running the below cmdlet.

    # Show when the given user's password was last set
    Get-ADUser -Identity "<UserName>" -Properties PasswordLastSet |
        Where-Object { $null -ne $_.PasswordLastSet } |
        Format-Table Name, PasswordLastSet

  • Use the below cmdlet to get the last password change date for all users in Active Directory.

    # List every user that has a recorded password-set time
    Get-ADUser -Filter * -Properties PasswordLastSet |
        Where-Object { $null -ne $_.PasswordLastSet } |
        Format-Table Name, PasswordLastSet
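
The following is an added example, not code from the original page. It converts the raw pwdLastSet value seen in the Attribute Editor into a date and flags accounts whose password is old, was never set, never expires, or is not required. The function name Get-PasswordAge, the 90-day threshold and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Works on Get-ADUser output or on any objects that carry the
# same property names, so it can be tried without a domain.
function Get-PasswordAge {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$MaxAgeDays = 90,                   # assumed threshold, adjust to policy
        [datetime]$Now = [datetime]::UtcNow      # pass a UTC value when overriding
    )
    process {
        # pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
        # 0 means never set, or "User must change password at next logon".
        $set     = $User.pwdLastSet -gt 0
        $lastSet = if ($set) { [datetime]::FromFileTimeUtc($User.pwdLastSet) }
        $age     = if ($set) { [math]::Floor(($Now - $lastSet).TotalDays) }
        [PSCustomObject]@{
            Name                 = $User.Name
            PasswordLastSetUtc   = $lastSet
            AgeDays              = $age
            NeverSetOrMustChange = -not $set
            NeverExpires         = [bool]$User.PasswordNeverExpires
            PasswordNotRequired  = [bool]$User.PasswordNotRequired
            OlderThanThreshold   = $set -and ($age -gt $MaxAgeDays)
        }
    }
}

# Constructed sample input (not real accounts).
$utc = [DateTimeKind]::Utc
$sample = @(
    [PSCustomObject]@{ Name = 'alice'; PasswordNeverExpires = $false; PasswordNotRequired = $false
                       pwdLastSet = [datetime]::new(2024, 5, 20, 8, 0, 0, $utc).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'svc-backup'; PasswordNeverExpires = $true; PasswordNotRequired = $false
                       pwdLastSet = [datetime]::new(2021, 2, 1, 8, 0, 0, $utc).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'newhire'; PasswordNeverExpires = $false; PasswordNotRequired = $true
                       pwdLastSet = [long]0 }
)
$sample | Get-PasswordAge -Now ([datetime]::new(2024, 6, 1, 0, 0, 0, $utc)) | Format-Table

# Live use against the domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires, PasswordNotRequired |
#     Get-PasswordAge | Where-Object { $_.OlderThanThreshold -or $_.PasswordNotRequired }
```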

Simplify account management by tracking user password changes!

AdminDroid’s Active Directory reporting tool simplifies user password management and stands as a user-friendly solution for admins. Here are some of the unique insights this tool provides to ensure effective password management in Active Directory.

Stay Ahead of Password Expiry to Prevent Account Lockouts

Monitor users with soon-to-expire passwords and send timely reminders to ensure uninterrupted access and avoid unexpected lockouts.

Minimize Security Risks by Monitoring Accounts without Password Authentication

Review users for whom a password is not required, and enforce password creation or update policy settings for these users to reduce account compromise risks.

Ensure Compliance by Identifying Users with Unchanged Passwords

Identify users who have never changed their passwords and encourage them to update their passwords to align with the organization’s policy requirements.

Gain Complete Visibility into User Password Configurations

Access a comprehensive report on users' password details to gather all password-related information for every user in one place without navigating through multiple reports.

Detect and Act on Password Reset Failures with Advanced Alerting

Set up an alert policy with AdminDroid to get notified of password reset failures and investigate any unusual number of failures to stay secure from potential threats.

Track Admin Password Reset Activities with Ease

Download the password reset by admins report in required formats like PDF, CSV, HTML, etc., and easily verify whether any unauthorized admins are performing password reset activities.

Overall, with advanced features like intuitive charts, seamless export options, and customizable scheduling, AdminDroid simplifies tracking and managing Active Directory password changes. Thus, AdminDroid stands as a comprehensive solution to streamline all your AD monitoring and reporting needs.

Important Tips

Regularly monitor Directory Services Restore Mode (DSRM) password changes, as this password is critical for accessing Directory Services in case of recovery.

Ensure consistent password policy settings across all domain controllers to prevent any discrepancies in user authentication on any DC.

Set account lockout policies to block users from logging in after a specific number of incorrect password attempts and prevent security breaches.

Common Errors and Resolution Steps

The following are errors you may encounter when getting the last password change date of users in Active Directory, along with troubleshooting hints.

Error: This user account's password has expired. The password must change in order to login.

This error occurs when a user's password has expired due to organizational password policy requirements.

Fix: Follow these steps to reset a user’s password and help them regain access to their account.

Active Directory Users and Computers console » Right-click user » Reset Password » Enter New Password and Confirm Password » Click OK

Error: Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.

This error occurs in PowerShell when attempting to import the Active Directory module, but the module cannot be found in the specified directories.

Fix:
  • If you are using a domain controller, the Active Directory module is included by default.
  • However, if you are on a domain-joined computer, the module is not installed by default and needs to be added manually.

To check if the module is available on your system, you can run the following command:

# If the module is not listed, you will need to install the RSAT (Remote Server Administration Tools) for Active Directory.
Get-Module -ListAvailable | Where-Object { $_.Name -eq "ActiveDirectory" }

Error: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

This error occurs when the new password does not align with the organization’s password policy.

Fix: Contact your administrator to learn your organization’s password requirements and choose a new password accordingly.

1. How to reset password in Active Directory?

Password resets are essential, particularly when admins handle forgotten and expired passwords. They are also critical when suspicious activity is detected in a user account. Admins can quickly reset the respective user’s password to safeguard against potential risks.

Please follow the steps below to reset a user's password in Active Directory.

How to reset password in Active Directory?

  • Open Active Directory Users and Computers console.
  • Right click on the desired user and click ‘Reset Password’.
  • Enter the New password and Confirm password.
  • Then, click OK to complete the password reset in AD.

Additionally, you can enforce the option ‘User must change password at next login’. You can also Unlock the user’s account if it was locked due to a lockout policy.

How to change user password in Active Directory?

Active Directory users cannot reset their own passwords. However, they can change their password if their account is active and they know the current password. This is particularly useful in situations where users need to update their passwords due to organizational policies or personal security concerns.

Here’s how to change the password in Active Directory:

  • Access a domain-joined machine where you have an active session.
  • Press Ctrl + Alt + Delete and select Change Password from the options.

    Note: If you are connected via Remote Desktop, use Ctrl + Alt + End instead.

  • Enter your current password and the new password in the respective fields.
  • Press Enter to update the password.

2. How to detect password changes in Active Directory?

A common tactic used by malicious actors during a cyber-attack is resetting the user or admin passwords after compromising an account. This grants them the ability to execute harmful actions with ease. Admins must check password change history in Active Directory regularly to detect unusual activities and respond swiftly to ensure security.

Track password changes in Active Directory

  • Open Event Viewer on a domain controller where Active Directory event logs are stored.
  • Navigate to Windows Logs » Security and click Filter Current Log in the Actions pane.
  • Search for the following event IDs to review details of all password reset and change activities.

    4723 - This event logs when a user changes their account password.

    4724 - This event ID indicates when someone resets a user’s password.


However, the above approach does not provide any preview of the events. So, it can be difficult to navigate through each event to verify whether the password reset/change activities are authorized.
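
One way to get who changed or reset which password in a single view, shown as an added example that is not part of the original page. The function name ConvertFrom-PasswordEventXml and the sample event are constructed for illustration; the field names (TargetUserName, SubjectUserName and their domain counterparts) are the ones Windows records in the EventData of events 4723 and 4724.

```powershell
# Added example: flatten a 4723/4724 Security event (as XML) into one row.
function ConvertFrom-PasswordEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        # Collect the named EventData fields into a lookup table.
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        $id     = [int]$e.System['EventID'].InnerText
        $actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        $target = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
        [PSCustomObject]@{
            TimeUtc      = $e.System.TimeCreated.GetAttribute('SystemTime')
            EventId      = $id
            Action       = if ($id -eq 4723) { 'Change' } elseif ($id -eq 4724) { 'Reset' } else { 'Other' }
            Actor        = $actor      # account that performed the operation
            Target       = $target     # account whose password was touched
            ActorIsOwner = ($actor -eq $target)
            Computer     = $e.System.Computer
        }
    }
}

# Constructed sample event (trimmed to the fields used above; not a real log entry).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2024-05-02T09:14:07.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-PasswordEventXml | Format-List

# Live use on a domain controller (elevated session), last 7 days:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-PasswordEventXml |
#     Sort-Object TimeUtc | Format-Table TimeUtc, Action, Actor, Target, Computer
```

Resets (4724) where the actor is not an account expected to perform helpdesk or admin work are the rows worth reviewing first.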

With AdminDroid, you can access the All Password Changes/Resets report with all required stats in a single view.

  • This report includes all essential information like password change date, time, the account for which the password was changed, and more.
  • It also features AI-generated charts for clear insights and improved data visibility. Use the "Password Changed To" chart for a quick overview of accounts with frequent password changes.

3. How to find bad password attempts in Active Directory?

Bad password attempts are usually considered harmless login failures caused by incorrect password entries. However, when these attempts occur repeatedly, they may indicate potential security threats like password spray or brute force attacks. Regularly monitoring these events helps admins detect and prevent such attacks, which keeps the organization’s security intact.

Steps to find bad password attempts by each user

  • Open Active Directory Users and Computers console.
  • Right-click on the required user and select Properties.
  • Go to Attribute Editor tab and scroll down to find the following attributes, which provide information about the user's bad password attempts.
    • badPasswordTime: Indicates the date and time when the user last entered an incorrect password while attempting to log in to the Active Directory.
    • badPwdCount: Represents the total number of failed login attempts caused by incorrect password entries.

Get bad password attempts using PowerShell

Manually verifying bad password attempts for bulk users can be tedious. So, use the following cmdlet to get bad password attempts using PowerShell for all users in AD:

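# List the bad password count and last bad attempt for every user
Get-ADUser -Filter * -Properties BadPwdCount, LastBadPasswordAttempt |
    Select-Object Name, BadPwdCount, LastBadPasswordAttempt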

Note: A '0' bad password count indicates that the user has not entered any incorrect passwords while logging into their account.
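
badPwdCount and badPasswordTime are not replicated between domain controllers; each DC keeps its own values, so a query against a single DC can show 0 while another DC has recorded failures. The added example below (not from the original page) collects both attributes from every DC and summarizes them. The function names, the account name 'jdoe' and the sample rows are constructed for illustration.

```powershell
# Added example. Get-BadPasswordPerDc needs the ActiveDirectory module and a domain;
# Measure-BadPassword is pure logic and runs on the constructed rows below.
function Get-BadPasswordPerDc {
    param([Parameter(Mandatory)][string]$Identity)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties badPwdCount, badPasswordTime -ErrorAction Stop
            [PSCustomObject]@{
                DomainController = $dc.HostName
                BadPwdCount      = [int]$u.badPwdCount
                badPasswordTime  = [long]$u.badPasswordTime   # FILETIME, 0 = none recorded
            }
        } catch {
            # An unreachable DC should not hide the results from the others.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

function Measure-BadPassword {
    param([Parameter(Mandatory)][object[]]$Row)
    $highest = $Row | Sort-Object BadPwdCount -Descending | Select-Object -First 1
    $latest  = $Row | Sort-Object badPasswordTime -Descending | Select-Object -First 1
    [PSCustomObject]@{
        HighestBadPwdCount   = $highest.BadPwdCount
        HighestOnDc          = $highest.DomainController
        LastBadPasswordUtc   = if ($latest.badPasswordTime -gt 0) {
                                   [datetime]::FromFileTimeUtc($latest.badPasswordTime) }
        DcsReportingFailures = @($Row | Where-Object { $_.BadPwdCount -gt 0 }).DomainController
    }
}

# Constructed sample rows (not real hosts or accounts).
$utc = [DateTimeKind]::Utc
$sample = @(
    [PSCustomObject]@{ DomainController = 'dc01.example.test'; BadPwdCount = 0; badPasswordTime = [long]0 }
    [PSCustomObject]@{ DomainController = 'dc02.example.test'; BadPwdCount = 4
                       badPasswordTime = [datetime]::new(2024, 5, 2, 9, 14, 7, $utc).ToFileTimeUtc() }
)
Measure-BadPassword -Row $sample | Format-List

# Live use:
# Measure-BadPassword -Row (Get-BadPasswordPerDc -Identity 'jdoe')
```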

Effortlessly determine whether the password login failures are a potential attack or a simple user mistake with AdminDroid!

  • With AdminDroid, you can effectively monitor failed logon attempts due to an invalid username or password. This helps you easily identify any potential risk from an unusual number of incorrect password login failures.
  • Use AdminDroid’s alerting feature and configure threshold limits to receive instant alerts when failed attempts exceed the limit. With these alerts, you can strengthen your password and account lockout policies for better security.

4. How to configure password policy in Active Directory?

Organizations often enable the 'User can change their password' setting to encourage regular password updates or meet compliance requirements. However, this practice can result in users using weak or repetitive passwords, which increases the risk of account compromise. To address this, admins must configure password policy settings that enforce complexity, password length, and other essential criteria to strengthen password security.

Steps to configure domain password policy in Active Directory

  • Open the Group Policy Management Console (GPMC) on your Windows server.
  • Right click on the ‘Default Domain Policy’ and click on the Edit option.
  • Navigate to the Computer Configuration»Policies»Windows Settings»Security Settings»Account Policies.
  • Select Password Policy from the Account Policies section.
  • Configure each policy setting on the right pane, such as password complexity, length, and expiration as per your requirement.
  • The default domain password policy settings are as follows.
    [Image: default password policy configurations]
  • Also consider the following password policy best practices. Then, click Apply and save the changes to enforce the password policy in Active Directory.
    [Image: password policy configurations]

As an admin, checking current password requirements in Active Directory is crucial to ensure they align with your organizational needs. It also helps identify areas that may need additional configurations for improved security.

  • Use the ‘Password Policy Check’ report in AdminDroid for a clear overview of the current password requirements in Active Directory.
  • This report helps you identify outdated settings and plan new security measures to strengthen your password policies.
  • AdminDroid also allows you to track domain wide password policy changes with detailed insights, like modification timestamps, accounts involved, modified properties, etc. This makes it easier to track and review new password policy setting changes implemented by other admins.