This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 84%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
We are looking at methods to identify whether a user has changed their Windows account password (Local or Domain account). Is there any foolproof way we can determine whether password has been changed?
We got to know that using Windows NT Authority command 'net user' and checking the 'password last set' value we will get this information. However we have also found that there are tools through which it is possible to modify these values and manipulate the output of the command, which makes using the password last set value as unreliable. Also can we reliably compare the windows account password hashes of old and new passwords and determine that password has been changed ? i.e. can we assume administrator cannot revert back to old password hash temporarily after logging to disguise the password change?
Hi @Researcher ,
Domain
You can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”. You can check the value of “PwdLastSet” using the Microsoft “ADSI Edit” tool.
Local
Open the command prompt window as administrator.
Type the following command.
net user %username%
Also can we reliably compare the windows account password hashes of old and new passwords and determine that password has been changed ? i.e. can we assume administrator cannot revert back to old password hash temporarily after logging to disguise the password change?
On domain members and workstations, local user account password hashes are stored in a local Security Account Manager (SAM) Database located in the registry. They are encrypted using the same encryption and hashing algorithms as Active Directory.
So, it's not possible to compare hashes.
Hi @T. Kujala ,
We have already found out that the value of 'PwdLastSet' can be checked using 'net user' command (has been mentioned in our question). What we were looking for was whether it can be manipulated using any malicious tool/hacker - that is, whether someone can actually change the password, yet leave the 'PwdLastSet' value unchanged to indicate that there has not been any change in the password.
As per this link, the password hashes can be extracted and compared. using Rainbow techniques, even though they are stored in local Security Account Manager (SAM) Database.
I am confused, I get 3 different dates from 3 different places.
1: NET USER xadministrator
---------- Password last set 5/11/2023 3:05:55 PM
2: NET USER xadministrator /Domain
---------- Password last set 5/4/2023 6:18:59 PM
3: In Active Directory, I navigated to the Computer properties, scroll down in the list of Attributes:
---------- pwdLastSet 4/15/2023 7:46:18
Can Microsoft explain and clarify how do I query to find out the correct PasswordLastChanged for the local admin account?
One thing I have to say that the local admin accounts are disabled on every computer. Maybe that has something to do with it?
Thanks you in advance :)