How to Find Last Password Change Date with or without PowerShell

{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory
Steps
  1. Open the PowerShell ISE → Run the following script, using the  –identity parameter to specify the user account that you want to know the password last set date for:

-identity * -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, Passwordneverexpires

  1. Review the results in the console:
Find Last Password Change Date with PowerShell
  1. You can export this data to a csv file by adding the command “| Out-File C:\lastpasswordset.csv” to the end of the script.
  1. Run Netwrix Auditor → Navigate to “Search” → Select the following filters:
    • Data source Equals Active Directory
    • Details Contains password
    • What Contains user name (for example, Anna Gold)
  2. Click “Search”.

    The output is sorted by the “When” parameter, so the top event will show the last password set date and time.
Find Last Password Change Date with Netwrix Auditor
  1. If you want to save this report, click the “Tools” button → Click “Export data” → Choose a file type from the dropdown menu and the path for the file → Click "Export".

Get Last Password Change Date in a Couple of Clicks

Requiring regular user account password changes is one of the most basic password security best practices. It protects user accounts from being accessed using old credentials gleaned from phishing or other attacks on a Microsoft Windows machine or Windows server. Therefore, a password change policy is required in every organization.

Getting user last password change date is helpful when troubleshooting an account lockout or investigating a cyber attack. If you have enough PowerShell knowledge and experience, you can see password last set date by creating and running a script using the get-aduser cmdlet. But using PowerShell to check the last password change date is not terribly useful because it doesn’t show who changed the password or list how many password changes occurred.

Netwrix Auditor for Active Directory makes it easy to review all password changes for a certain user account, providing details such as who changed the password, when the change occurred,  which workstation it was done from, and how many times the password was changed within a given period of time. Reviewing this report will help you investigate both account lockout issues and attacks. You can also easily create an alert that notifies you in real time whenever the password for a particular user account is changed.

Related How-tos