Skip navigation

Q. How can I run a report that displays the last password change for all accounts in a container?

A. The last-password-change date is stored in the user class's Active Directory (AD) pwdLastSet attribute as a large (64-bit) integer, which means the date must be converted so that it can be read and displayed in a usable "date" format. To perform the conversion, I modified a script by Richard Mueller so that it searches for all users in the passed root distinguished name and outputs their last-password-change date to a screen. You can download the script, listuserpasslastchange.vbs, or copy and paste the following script into a text file.

' John Savill
' This is based on Richard Mueller's script on Interger8Date
' conversion, which is copyrighted as below.
' Copyright (c) 2003 Richard L. Mueller
' Hilltop Lab Web site -
' I simply changed it to output all objects in a passed DN.

Option Explicit

Dim strLdapPath, objConnection, objChild
Dim lngTZBias, objUser, objPwdLastSet
Dim objShell, lngBiasKey, k

' Check that all required arguments have been passed
If Wscript.Arguments.Count  0 Then
    On Error GoTo 0
    Integer8Date = #1/1/1601#
  End If
  On Error GoTo 0
End Function

To run the script, use the syntax

cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test

You'll see output that's similar to this:

CN=Bruce Wayne       11/17/2003 1:30:14 PM
CN=Clark Kent        11/17/2003 1:31:30 PM
CN=Hal Jordan        12/6/2004 2:52:56 PM
CN=Wally West        3/17/2003 9:04:45 AM
TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.