VBScript program to output all users in the domain with the date and time that each last changed
their password. If passwords expire for all users, this program can be used to identify old unused
accounts that can be disabled and eventually deleted.
This program uses the pwdLastSet attribute to determine when the password was last set. Because
this attribute is replicated, the program only has to search Active Directory on one Domain Controller to get the correct value for every user. This makes the program faster than one that
retrieves the lastLogon attribute, which is not replicated. However, if some users are not required
to periodically change their password, then a program that retrieves lastLogon is the only method
available to identify unused accounts.
The Distinguished Name of each user, whether their password expires, and the pwdLastSet date for
each user are output on a separate line, delimited by semicolons. The output is written to a text
file, which can be easily read by a spreadsheet program like Microsoft Excel. The filename is a
required parameter for the program.
The pwdLastSet attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a
64-bit number, which cannot be handled directly by VBScript. However, the LDAP provider
IADsLargeInteger interface exposes the HighPart and LowPart methods that break the number into
two 32-bit components. The resulting value represents the number of 100 nanosecond intervals
since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal
Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert
to local time.
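The Integer8 decoding described above, and the stale-account check the program exists for, as an added example in Python rather than the page's VBScript (not the author's code): it recombines the signed HighPart/LowPart halves, converts the 100-nanosecond count to a UTC date, applies the registry time zone bias, emits the semicolon-delimited lines, and flags accounts whose expiring password is older than a threshold. The record tuples, the sample names and the bias value are constructed; the 1970 HighPart/LowPart pair is the well-known FILETIME for the Unix epoch.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Integer8 epoch, 100 ns ticks
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

def integer8_from_parts(high_part, low_part):
    # IADsLargeInteger returns two signed 32-bit halves; LowPart is negative for
    # about half of all real timestamps, so add 2**32 then (VBScript idiom:
    # HighPart + 1 when LowPart < 0) or the date comes out days off.
    if low_part < 0:
        low_part += 2 ** 32
    return (high_part << 32) + low_part

def pwd_last_set_to_utc(value):
    # 0 means never set / must change at next logon: nothing to report.
    return None if value == 0 else EPOCH_1601 + timedelta(microseconds=value // 10)

def utc_to_local(utc_dt, bias_minutes):
    # Registry ActiveTimeBias is the number of minutes added to local time to get UTC.
    return (utc_dt - timedelta(minutes=bias_minutes)).replace(tzinfo=None)

def report_lines(records, bias_minutes):
    # One "DN;PwdExpires;pwdLastSet" line per user, like the page's text file.
    # records: (distinguishedName, userAccountControl, HighPart, LowPart) tuples.
    lines = []
    for dn, uac, high, low in records:
        expires = not (uac & ADS_UF_DONT_EXPIRE_PASSWD)
        set_utc = pwd_last_set_to_utc(integer8_from_parts(high, low))
        when = "never" if set_utc is None else str(utc_to_local(set_utc, bias_minutes))
        lines.append(f"{dn};{expires};{when}")
    return lines

def stale_accounts(records, now_utc, max_age_days):
    # DNs whose password expires but was last set over max_age_days ago. Accounts
    # whose password never expires are skipped: pwdLastSet says nothing about them.
    stale = []
    for dn, uac, high, low in records:
        set_utc = pwd_last_set_to_utc(integer8_from_parts(high, low))
        if set_utc and not uac & ADS_UF_DONT_EXPIRE_PASSWD and (now_utc - set_utc).days > max_age_days:
            stale.append(dn)
    return stale

# Constructed sample, not a real domain. 27111902 / -717324288 is the signed
# HighPart / LowPart pair for 1970-01-01 00:00 UTC (0x019DB1DE, 0xD53E8000).
SAMPLE_RECORDS = [
    ("CN=Alice,OU=Users,DC=example,DC=com", 512, 27111902, -717324288),
    ("CN=Bob,OU=Users,DC=example,DC=com", 512 | ADS_UF_DONT_EXPIRE_PASSWD, 27111902, -717324288),
    ("CN=Carol,OU=Users,DC=example,DC=com", 512, 0, 0),
]
SAMPLE_NOW_UTC = datetime(2000, 1, 1, tzinfo=timezone.utc)
```

With a bias of 300 minutes (US Eastern standard time) the 1970 UTC value lands on the evening of 31 December 1969 local time, which is exactly the shift the registry bias exists to correct.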
The program can be modified to retrieve the pwdLastSet attribute for all computer objects. All
computers running Windows NT and above log into the domain when they start up. By default, the system
forces each computer to change its password every 30 days. The pwdLastSet attribute can therefore be used to
identify old computer accounts that may no longer be needed. The program itself includes the
alternative code to do this, commented out. Alternatively, you can use the program
"MoveOldComputers" listed under "Free VBScript Code", "AD Searches"
on this web site.
The program can be run at a command prompt with the cscript host. The name of the output text file
is a required parameter. For example:
cscript //nologo PwdLastChanged.vbs "c:\MyFolder\Report.txt"
PwdLastChanged.txt: the program, available to view or download.
An equivalent PowerShell script, which can be run in PowerShell V1 or V2:
PSPwdLastChanged.txt: the PowerShell program, available to view or download.