VBScript program to retrieve the password information for one user. The user Distinguished Name is hard coded in the program. The program outputs the date the user last changed their password, the domain maximum password age policy in days, whether the user is allowed to change their password, and whether the password is expired. The user is allowed to change their password if the flag "User cannot change password" is not set, and the flag "Password never expires" is also not set.

The PwdLastSet attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a 64-bit number, which cannot be handled directly by VBScript. Instead, the LDAP provider allows us to treat the attribute as an object and provides HighPart and LowPart methods that break the number into two 32-bit components. The resulting value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.

PwdLastSet.txt <<-- Click here to view or download the program

An equivalent PowerShell script, which can be run in PowerShell V1 or V2:

PSPwdLastSet.txt <<-- Click here to view or download the program
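
The Integer8 handling described above, as an added PowerShell sketch that is not the downloadable program from this page: it recombines HighPart and LowPart into a 64-bit value, converts it to a UTC date, and evaluates expiry against a maximum password age. The function names, the sample timestamps, the 42-day policy, the userAccountControl values and the treatment of PwdLastSet = 0 are assumptions made for illustration; no directory is queried. It needs PowerShell V2 or later because of `New-Object -Property`.

```powershell
# Added example. All input values below are constructed; no directory is queried.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" bit in userAccountControl

function Convert-Integer8Parts {
    param([int]$HighPart, [int]$LowPart)
    # LowPart arrives as a signed 32-bit value. Reinterpret it as unsigned before
    # combining, otherwise the result is off by 2^32 intervals (about 7 minutes).
    $low = [int64]$LowPart
    if ($low -lt 0) { $low += 4294967296 }
    return ([int64]$HighPart * 4294967296) + $low
}

function Get-PasswordStatus {
    param([int]$HighPart, [int]$LowPart, [int]$MaxPwdAgeDays,
          [int]$UserAccountControl, [datetime]$NowUtc)
    $ticks = Convert-Integer8Parts $HighPart $LowPart
    $neverExpires = ($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
    # PwdLastSet = 0 means the user must change the password at next logon.
    $mustChange = ($ticks -eq 0)
    $lastSetUtc = $null
    $expired = -not $neverExpires
    if (-not $mustChange) {
        # 100-nanosecond intervals since January 1, 1601 (UTC) is the FILETIME format.
        $lastSetUtc = [DateTime]::FromFileTimeUtc($ticks)
        $ageDays = ($NowUtc - $lastSetUtc).TotalDays
        $expired = (-not $neverExpires) -and ($MaxPwdAgeDays -gt 0) -and
                   ($ageDays -gt $MaxPwdAgeDays)
    }
    New-Object PSObject -Property @{
        PwdLastSetUtc         = $lastSetUtc
        MustChangeAtNextLogon = $mustChange
        PasswordNeverExpires  = $neverExpires
        PasswordExpired       = $expired
    }
}

# Constructed sample: split a known UTC timestamp into signed 32-bit halves,
# the same shape in which HighPart and LowPart present the attribute.
$sample = [DateTime]::SpecifyKind([DateTime]'2024-03-15T09:30:00', [DateTimeKind]::Utc)
$bytes  = [BitConverter]::GetBytes($sample.ToFileTimeUtc())   # little-endian on Windows
$low    = [BitConverter]::ToInt32($bytes, 0)
$high   = [BitConverter]::ToInt32($bytes, 4)
$now    = [DateTime]::SpecifyKind([DateTime]'2024-06-01T00:00:00', [DateTimeKind]::Utc)

Get-PasswordStatus $high $low 42 0x200   $now   # normal account, 42-day policy
Get-PasswordStatus $high $low 42 0x10200 $now   # same, with "Password never expires" set
Get-PasswordStatus 0 0 42 0x200 $now            # PwdLastSet = 0
```

Calling `ToLocalTime()` on the returned `PwdLastSetUtc` value applies the machine's time zone, which replaces the manual registry bias adjustment the VBScript version needs.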