Missing PasswordLastSet

Mikhail Firsov 1,881 Reputation points
2022-05-25T14:46:10.267+00:00

Hello!

Would anyone please tell me in which cases the PasswordLastSet attribute may be blank (or = Never if seen in ADSI Edit) for the accounts that do have the LastLogonDate attribute?

In other words, how can the PasswordLastSet be missing if the LastLogonDate displays some date?

I know just one method to make the PasswordLastSet attribute empty - to check "User must change password at next logon" - but as far as I get it, once the LastLogonDate is populated, that user must have logged on at least once. Am I missing anything here?

I'm using this command:
Get-ADUser ... LastLogonDate, PasswordLastSet

Thank you in advance,
Michael


4 answers

  1. Newbie Jones 1,386 Reputation points
    2022-06-06T10:49:26.383+00:00

    From the blurb:

    The PasswordLastSet PowerShell property is based on the pwdLastSet AD attribute.
    The pwdLastSet attribute is a LargeInteger where dates are represented as the number of ticks (100-nanosecond intervals) since 12:00 am January 1, 1601. The PasswordLastSet property converts the LargeInteger into a datetime in the current time zone.
    If the password has never been set, then pwdLastSet is 0 and PasswordLastSet is missing. If you check "User must change password at next logon" in ADUC, the system assigns 0 to pwdLastSet, and again PasswordLastSet will be missing.
    If you have users with a recent value for LastLogonDate, but a missing PasswordLastSet, then that means the user must change their password at their next logon and pwdLastSet is 0.

    My initial thought when reading this was whether this attribute is replicated or not.

    I found the following, which I haven't verified but could be part of the issue.

    Now, keep in mind that PasswordLastSet is a replicated field, but it replicates on an extremely slow schedule. What this means is the value could be as old as 11 days! In a smaller environment it's pretty up to date, but the more domain controllers you have the closer to that worst case scenario you get (11 day old data)

    This may mean that you need code to check each domain controller and return the highest\latest value.

    Based on this, can you check the pwdLastSet for the accounts where PasswordLastSet is blank? Is it actually set to 0?
    You can add this attribute to your Get-ADUser query to check. You could also check each domain controller by using -Server in the command, just to see if they are different.

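To see the relationship described above concretely, here is an added example (not code from the thread) that reads the raw pwdLastSet LargeInteger next to the derived PasswordLastSet property, converts it the same way, and lists accounts whose value is 0 while LastLogonDate is populated. The Convert-PwdLastSet function name and the Enabled-only filter are my own choices.

```powershell
# Added example: raw pwdLastSet beside the PasswordLastSet property it is derived from.
Import-Module ActiveDirectory

function Convert-PwdLastSet {
    param([AllowNull()]$RawValue)
    # 0 means the password was never set, or "User must change password at next logon"
    # was ticked; the PasswordLastSet property is blank in exactly these cases.
    if ($null -eq $RawValue -or [int64]$RawValue -eq 0) { return $null }
    # The ticks are 100-ns intervals since 1601-01-01 UTC, i.e. a Windows FILETIME,
    # so the conversion is the same one the cmdlet does (result in local time).
    [DateTime]::FromFileTime([int64]$RawValue)
}

# Scope is an assumption: all enabled users in the current domain.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordLastSet, LastLogonDate

$report = foreach ($u in $users) {
    [PSCustomObject]@{
        SamAccountName   = $u.SamAccountName
        pwdLastSetRaw    = $u.pwdLastSet
        PasswordLastSet  = $u.PasswordLastSet
        Converted        = Convert-PwdLastSet $u.pwdLastSet
        LastLogonDate    = $u.LastLogonDate
        MustChangeAtNext = ($u.pwdLastSet -eq 0)
    }
}

# The case asked about in the question: the account has logged on at some point,
# but pwdLastSet is 0, so PasswordLastSet shows blank (Never in ADSI Edit).
$report | Where-Object { $_.MustChangeAtNext -and $_.LastLogonDate } |
    Sort-Object LastLogonDate -Descending |
    Format-Table SamAccountName, LastLogonDate, pwdLastSetRaw, PasswordLastSet, Converted -AutoSize
```

For rows where pwdLastSetRaw is non-zero, Converted and PasswordLastSet should agree; any row with pwdLastSetRaw equal to 0 is an account flagged for a password change at next logon.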

  2. Newbie Jones 1,386 Reputation points
    2022-06-06T11:11:58.35+00:00

    I've just updated a function that I had for returning LastLogon dates (which isn't a replicated attribute).

    Try it and see if it returns information where you had blanks before.

    Function Get-PasswordLastSet {
        <#
        .SYNOPSIS
        Returns PasswordLastSet information
        .DESCRIPTION
        Queries the PasswordLastSet information for a user across domain controllers and returns the highest (latest) value
        .EXAMPLE
        Get-PasswordLastSet User
        .EXAMPLE
        Get-PasswordLastSet -Identity User
        .EXAMPLE
        Get-ADUser User | Get-PasswordLastSet
        .EXAMPLE
        Get-PasswordLastSet User1, User2
        .PARAMETER Identity
        List of users - pipeline can be used
        #>

        [CmdletBinding()]
        param
        (
            [Parameter(Position = 0,
                       Mandatory = $True,
                       ValueFromPipeline = $True,
                       HelpMessage = 'For what user would you like to find the PasswordLastSet attribute?')]
            $Identity
        )

        Begin {
            Import-Module ActiveDirectory
        }

        Process {

            Foreach ($account in $Identity) {

                $dateStamp = $null
                $domainController = $null

                # Filter used to remove Azure domain controllers - replace "xyz" with your on-premises site name
                Get-ADDomainController -Filter { Site -eq "xyz" } | ForEach-Object {

                    $dc = $_.HostName

                    # Query this DC directly; a DC that cannot be reached is skipped rather than aborting the loop
                    $PasswordLastSet = (Get-ADUser $account -Properties PasswordLastSet -Server $dc -ErrorAction SilentlyContinue).PasswordLastSet

                    # Keep the latest non-blank value seen so far (blank means pwdLastSet is 0 on that DC)
                    If ($null -ne $PasswordLastSet -and ($null -eq $dateStamp -or $dateStamp -lt $PasswordLastSet)) {
                        $dateStamp = $PasswordLastSet
                        $domainController = $dc
                    }

                } # End of ForEach-Object

                [PSCustomObject]@{
                    Name             = $account
                    PasswordLastSet  = $dateStamp
                    DomainController = $domainController
                }

            } # End of ForEach

        } # End of Process

        End {}

    } # End of Function
    

  3. Mikhail Firsov 1,881 Reputation points
    2022-06-06T14:18:50.657+00:00

    Thank you all for your replies!

    Sorry for disturbing you... I've found out that checking "User must change password at next logon" does make the PasswordLastSet attribute blank.

    NewbieJones-6218, thank you for the function!

    regards,
    Michael

  4. Mikhail Firsov 1,881 Reputation points
    2022-06-07T10:31:32.17+00:00

    Thank you all once again!

    Regards,
    Michael
