How To check When Was The Last Time A User Changed His AD Password

Reminding users to change their domain password is important to prevent security vulnerabilities on the network. There are many password reset and password change reminder tools out there that you can use to remind people to change their password, but if you have a tight budget and a small user database in your AD, this script will probably work for you.

Windows 2003 domain controllers have limited options when it comes to password change policies. When you implement a password change policy for the first time, some users have probably not changed their passwords for years, and in AD 2003 there is no option to specify when you want the accounts to expire. Basically, once the policy is pushed out, every account in AD that is not set to "Password never expires" will have to change its password at the next logon, otherwise the user won't be able to log in to the computer. This also creates a problem for users outside the network: consultants, remote users, and other people who work outside the network and access email, VPN, etc. won't be able to change their password and will be locked out of the network. This creates chaos, and believe me, it is no picnic to be in IT when that happens.

To avoid this chaos, it is better to remind users to change their password ahead of time via email. So the first thing you need to do is check which users haven't changed their password for a while, and probably remind those people first. There is a very efficient and simple script I found on this website, http://www.rlmueller.net/, that does this beautifully. Download the script from here.

Remove the .txt extension at the end of the file, and change the path of the drive where you want to save the report on line 37 in the script:

If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Arguments <expirepass.text> required. For example:" & vbCrLf _
        & "cscript PwdLastChanged.vbs c:\passwd\expiredpass.txt"
    Wscript.Quit(0)
End If

After you do that, execute the file from the Run command by typing this command:

cscript c:\passwd\getpassword.vbs "c:\filename\Report.txt"

You should get a nice report of all the accounts in AD. It looks crappy, because it grabs all the LDAP details, but you can import that data into Excel, split the fields, and remove the stuff you don't need. The report should also include the date when each AD user last changed their password.
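If you would rather not do the Excel step by hand, here is a small added example (my own code, not the rlmueller.net script and not part of the original post) that does the same sorting on the report. It assumes a simplified semicolon-separated report with three fields per user (sAMAccountName, pwdLastSet, userAccountControl); the sample lines are constructed, not real AD data. The interesting part is the pwdLastSet handling: AD stores it as a Windows FILETIME (100-nanosecond ticks since 1601), a value of 0 means "User must change password at next logon" rather than "never changed", and accounts with the "Password never expires" bit set are exactly the ones the expiry policy will skip, so they are listed separately for review instead of being aged.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond
# ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bit for "Password never expires" (DONT_EXPIRE_PASSWD).
DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample report (not real AD data). The real script dumps many
# more LDAP attributes; this assumed three-field format keeps the example short.
SAMPLE_REPORT = """
# sAMAccountName;pwdLastSet;userAccountControl
jdoe;128752416000000000;512
asmith;128894976000000000;512
svc_backup;128752416000000000;66048
newhire;0;512
"""

# Fixed "today" for the sample so the result is reproducible.
SAMPLE_NOW = datetime(2009, 7, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD large-integer timestamp to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_report(text: str) -> list:
    """Parse the semicolon-separated report into user records."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pwd_last_set, uac = line.split(";")
        users.append({"name": name, "pwdLastSet": int(pwd_last_set), "uac": int(uac)})
    return users


def classify(users, now: datetime, max_age_days: int = 90) -> dict:
    """Label each account: ok, stale, never-expires, or must-change-at-next-logon.

    pwdLastSet == 0 means the "must change password at next logon" flag is set,
    so there is no last-change date to age. Accounts with DONT_EXPIRE_PASSWD are
    exempt from the expiry policy and are reported separately for review.
    """
    labels = {}
    for u in users:
        if u["uac"] & DONT_EXPIRE_PASSWD:
            labels[u["name"]] = "never-expires"
        elif u["pwdLastSet"] == 0:
            labels[u["name"]] = "must-change-at-next-logon"
        else:
            age_days = (now - filetime_to_datetime(u["pwdLastSet"])).days
            labels[u["name"]] = "stale" if age_days > max_age_days else "ok"
    return labels


def remind_first(users, now: datetime, max_age_days: int = 90) -> list:
    """Names to email first: stale passwords, oldest change date first."""
    labels = classify(users, now, max_age_days)
    stale = [u for u in users if labels[u["name"]] == "stale"]
    stale.sort(key=lambda u: u["pwdLastSet"])
    return [u["name"] for u in stale]


if __name__ == "__main__":
    users = parse_report(SAMPLE_REPORT)
    for name, label in classify(users, SAMPLE_NOW).items():
        print(f"{name:12} {label}")
    print("remind first:", remind_first(users, SAMPLE_NOW))
```

Feed it the real report after you have trimmed the columns down to those three fields, and use datetime.now(timezone.utc) instead of SAMPLE_NOW. The max_age_days value should match the maximum password age you are about to enforce, so the "stale" list is the set of people who will be forced to change at next logon the moment the policy lands.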

There it is. If you need more help with your password change policy setup, let me know.