Review accounts where the attribute "pwdlastset" has a zero value

Why Consider this

A value of 0 in this attribute means the account's password has never been set, or that the account has been marked to change its password at next logon. On an enabled account this can indicate a stale account, or an account that was created without a password.


Context & Best Practices

User accounts can be flagged with pwdlastset=0 under three conditions:

  • Where an account has been created but a password has not been assigned.
  • Where an account has been created and the administrator has assigned a password but selected the option to change password at next logon.
  • Where the administrator has selected the option to require a user to change their password at the next logon as part of managing that user’s account, such as after a password reset.

This condition is detected by querying the user accounts and finding those whose pwdLastSet attribute has a value of 0. (The attribute name is pwdLastSet in LDAP; the ActiveDirectory PowerShell module also exposes it through the PasswordLastSet property.)

You should regularly scan for and identify accounts whose pwdLastSet attribute is 0. Review your user account provisioning process and ensure that there is no significant gap between provisioning a new user account and that account logging on to the domain and setting its password. Also look for the less common case of an account created with no password and enabled later.

Suggested Actions

The following query lists all enabled user accounts meeting the condition of this rule. It excludes disabled accounts (userAccountControl bit 2 set) and the built-in Guest account (RID 501), which has no password by design. The LDAP filter form is used because the objectSid attribute is binary and cannot be matched with a wildcard inside the query; the Guest exclusion is applied afterwards on the SID string.

# User objects, not disabled (userAccountControl bit 2 clear), with pwdLastSet = 0
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet=0))' -Properties pwdLastSet, whenCreated, LastLogonDate |
    Where-Object { $_.SID.Value -notlike '*-501' } |   # exclude the built-in Guest account (RID 501)
    Select-Object SamAccountName, whenCreated, LastLogonDate, DistinguishedName

Check each account against the three conditions above. An account that has logged on before and was recently reset is expected to match until the user next logs on; an account that was created long ago and has never logged on is likely stale. For stale accounts, disable the account first and delete it only after a retention period, once nobody has claimed it.
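The scan, triage and disable steps described in the two sections above, combined into one script. This is an added example, not the original page's query or a Microsoft tool; it assumes the ActiveDirectory module (RSAT) is installed, and the $StaleAfterDays threshold, the state names and the -DisableStale switch are illustrative choices, not settings defined by the rule.

```powershell
# Added example (not from the original page): find enabled accounts with pwdLastSet = 0,
# classify them, and optionally disable the ones that look stale.
# Assumptions: ActiveDirectory module available; 30-day threshold and the State labels are illustrative.
param(
    [int]$StaleAfterDays = 30,      # acceptable gap between provisioning and first logon
    [switch]$DisableStale           # disabling only happens when explicitly requested
)

Import-Module ActiveDirectory

# LDAP form of the rule: user objects, not disabled (UAC bit 2 clear), pwdLastSet = 0.
# The 1.2.840.113556.1.4.803 rule OID is the LDAP bitwise AND matching rule.
$ldap = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet=0))'

$candidates = Get-ADUser -LDAPFilter $ldap -Properties pwdLastSet, whenCreated, LastLogonDate |
    # Built-in Guest (RID 501) is excluded by design: it has no password and is normally disabled.
    Where-Object { $_.SID.Value -notlike '*-501' }

$now = Get-Date
$report = foreach ($u in $candidates) {
    $ageDays       = [int]($now - $u.whenCreated).TotalDays
    # LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of roughly
    # 9 to 14 days, so treat "never logged on" as approximate for very new accounts.
    $neverLoggedOn = -not $u.LastLogonDate

    # Stale             : older than the threshold and never logged on (abandoned provisioning)
    # MustChangeAtLogon : has logged on before, so an administrator forced a change (e.g. after a reset)
    # Recent            : created within the threshold; still inside the normal provisioning window
    $state = if ($neverLoggedOn -and $ageDays -gt $StaleAfterDays) { 'Stale' }
             elseif (-not $neverLoggedOn)                          { 'MustChangeAtLogon' }
             else                                                   { 'Recent' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Created        = $u.whenCreated
        AgeDays        = $ageDays
        LastLogonDate  = $u.LastLogonDate
        State          = $state
        DistinguishedName = $u.DistinguishedName
    }
}

$report | Sort-Object State, AgeDays -Descending | Format-Table SamAccountName, Created, AgeDays, LastLogonDate, State -AutoSize

if ($DisableStale) {
    # Disable first and record why; delete only after a retention period once ownership is confirmed.
    $report | Where-Object State -eq 'Stale' | ForEach-Object {
        Disable-ADAccount -Identity $_.DistinguishedName -WhatIf    # remove -WhatIf to apply
        Set-ADUser -Identity $_.DistinguishedName -WhatIf `
            -Description ("Disabled by pwdLastSet=0 review on {0:yyyy-MM-dd}" -f $now)
    }
}
```

Run it without parameters to get the report only; add -DisableStale (and remove -WhatIf) once the threshold matches your provisioning process. Accounts in the MustChangeAtLogon state are the expected result of a password reset and need no action unless the user never returns.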
