VBScript program to output all users in the domain with the date and time that each last changed
their password. If passwords expire for all users, this program can be used to identify old unused
accounts that can be disabled and eventually deleted.
This program uses the pwdLastSet attribute to determine when the password was last set. Because this attribute is replicated, the program only has to search Active Directory on one Domain Controller to get the correct value for every user. This makes the program faster than one that retrieves the lastLogon attribute, which is not replicated. However, if some users are not required to periodically change their password, then a program that retrieves lastLogon is the only method available to identify unused accounts.
The Distinguished Name of each user, whether their password expires, and the pwdLastSet date are output on a separate line for each user, delimited by semicolons. The output is written to a text file, which can be easily read by a spreadsheet program like Microsoft Excel. The filename is a required parameter for the program.
The pwdLastSet attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a 64-bit number, which cannot be handled directly by VBScript. However, the LDAP provider IADsLargeInteger interface exposes the HighPart and LowPart methods that break the number into two 32-bit components. The resulting value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.
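The conversion described above, as an added example that is not the PwdLastChanged program itself. The function names LocalBias and Integer8ToLocal are hypothetical, the ActiveTimeBias registry value is an assumption about where the bias is read from (the page does not name the key), and the sample halves are constructed.

```vbscript
Option Explicit

' Time zone bias in minutes (UTC = local time + bias), from the local registry.
Function LocalBias()
    Dim objShell, varBias, k
    Set objShell = CreateObject("WScript.Shell")
    varBias = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
        & "TimeZoneInformation\ActiveTimeBias")
    If IsArray(varBias) Then
        ' Some systems return the value as an array of bytes, low byte first.
        LocalBias = 0
        For k = 0 To UBound(varBias)
            LocalBias = LocalBias + (varBias(k) * 256 ^ k)
        Next
        ' Reinterpret as signed so zones east of UTC give a negative bias.
        If LocalBias >= 2 ^ 31 Then LocalBias = LocalBias - 2 ^ 32
    Else
        LocalBias = varBias
    End If
End Function

' lngHigh, lngLow: HighPart and LowPart of the Integer8 value.
' In the directory query they would come from the pwdLastSet object.
Function Integer8ToLocal(ByVal lngHigh, ByVal lngLow, ByVal lngBias)
    Dim dblMinutes
    ' Background, not stated on the page: pwdLastSet = 0 means there is
    ' no password-change time to convert, so return Null instead of 1601.
    If (lngHigh = 0) And (lngLow = 0) Then
        Integer8ToLocal = Null
        Exit Function
    End If
    ' LowPart arrives as a signed 32-bit value. When it is negative, adding
    ' it below subtracts 2^32, so carry one into the high part first.
    If lngLow < 0 Then lngHigh = lngHigh + 1
    ' 100-nanosecond intervals -> minutes (600,000,000 intervals per minute).
    dblMinutes = ((lngHigh * (2 ^ 32)) + lngLow) / 600000000
    ' Apply the bias, then convert minutes to days since January 1, 1601.
    Integer8ToLocal = CDate(#1/1/1601# + (dblMinutes - lngBias) / 1440)
End Function

' Constructed sample halves; LowPart is negative to exercise the carry.
Dim lngBias
lngBias = LocalBias()
WScript.Echo "Bias (minutes): " & lngBias
WScript.Echo "UTC:   " & Integer8ToLocal(29977507, -475578368, 0)
WScript.Echo "Local: " & Integer8ToLocal(29977507, -475578368, lngBias)
```

Run it with cscript //nologo; passing a bias of 0 leaves the value in UTC, which is useful when comparing reports produced on machines in different time zones.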
The program can be modified to retrieve the pwdLastSet attribute for all computer objects. All computers with Windows NT and above log into the domain when they start up. By default, the system forces each computer to change its password every 30 days. The pwdLastSet attribute can be used to identify old computer accounts that may no longer be needed. The program itself includes the alternative code to do this, commented out. Alternatively, you can use the program "MoveOldComputers" listed under "Free VBScript Code", "AD Searches" on this web site.
The program can be run at a command prompt with the cscript host. The name of the output text file is a required parameter. For example:
cscript //nologo PwdLastChanged.vbs "c:\MyFolder\Report.txt"
PwdLastChanged.txt (view or download the program)
An equivalent PowerShell script, which can be run in PowerShell V1 or V2:
PSPwdLastChanged.txt (view or download the program)