Hi @Researcher ,
Domain
You can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”. You can check the value of “PwdLastSet” using the Microsoft “ADSI Edit” tool.
Local
Open the command prompt window as administrator.
Type the following command.
net user %username%
Also can we reliably compare the windows account password hashes of old and new passwords and determine that password has been changed ? i.e. can we assume administrator cannot revert back to old password hash temporarily after logging to disguise the password change?
On domain members and workstations, local user account password hashes are stored in a local Security Account Manager (SAM) Database located in the registry. They are encrypted using the same encryption and hashing algorithms as Active Directory.
So, it's not possible to compare hashes.