Why Consider this
A pwdLastSet value of 0 on an account may indicate a stale account, or an account that was created without a password.
Context & Best Practices
User accounts can be flagged with pwdlastset=0 under three conditions:
- Where an account has been created but a password has not been assigned.
- Where an account has been created, and the administrator has assigned a password but selected the option to change password at next logon.
- Where the administrator has selected the option to require a user to change their password at the next logon as part of managing that user’s account, such as after a password reset.
This condition is detected by querying the user accounts and finding those whose pwdLastSet attribute (exposed as PasswordLastSet by the Active Directory PowerShell cmdlets) is zero.
You should regularly scan for and identify accounts whose pwdlastset attribute is 0. Check your user account provisioning processes and ensure that there is no significant gap between provisioning a new user account and that account logging into the domain and resetting its password, and watch for the less common case of an account created without a password and enabled later.
Suggested Actions
You should regularly scan for and identify accounts where pwdlastset=0. The following script lists all enabled user accounts meeting the condition of this rule (the filter excludes disabled accounts and the built-in Guest account, RID 501; the -notlike comparison needs the leading wildcard to match the end of the SID).
Get-ADObject -Filter 'objectCategory -eq "person" -and objectClass -eq "user" -and -not (userAccountControl -band 2) -and pwdLastSet -eq 0 -and objectSid -notlike "*-501"'
Check that these accounts are not stale and if necessary, turn off and then delete these accounts.
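To help with that check, the following added example (not part of the original page) sorts the pwdLastSet=0 accounts into the three conditions described above, using whenCreated and lastLogonTimestamp as a heuristic; it assumes the ActiveDirectory module is available and uses a hypothetical 30-day provisioning window and a hypothetical output path.

```powershell
# Added example, not from the original page. Triage accounts with pwdLastSet=0:
#   ResetPending     - a prior logon exists, so the flag most likely comes from an
#                      admin-initiated "change password at next logon" (e.g. after a reset)
#   NewlyProvisioned - never logged on, created within the provisioning window
#   StaleCandidate   - never logged on, created long ago (stale, or created without a password)
# The 30-day window is an assumed threshold; adjust it to your provisioning process.
$ProvisioningWindowDays = 30
$cutoff = (Get-Date).AddDays(-$ProvisioningWindowDays)

# Same condition as the rule's script, minus the disabled-account exclusion so that
# disabled stale accounts still appear in the report. Guest (RID 501) is excluded.
$accounts = Get-ADUser -Filter 'pwdLastSet -eq 0 -and objectSid -notlike "*-501"' `
    -Properties pwdLastSet, whenCreated, lastLogonTimestamp, userAccountControl

$report = foreach ($u in $accounts) {
    # Bit 2 of userAccountControl is ACCOUNTDISABLE.
    $disabled = [bool]($u.userAccountControl -band 2)

    # lastLogonTimestamp is replicated with roughly 14-day granularity, which is
    # precise enough to tell "has logged on at some point" from "never logged on".
    $hasLoggedOn = ($null -ne $u.lastLogonTimestamp) -and ($u.lastLogonTimestamp -ne 0)
    $lastLogon = if ($hasLoggedOn) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }

    $category = if ($hasLoggedOn) {
        'ResetPending'
    } elseif ($u.whenCreated -ge $cutoff) {
        'NewlyProvisioned'
    } else {
        'StaleCandidate'
    }

    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = -not $disabled
        WhenCreated    = $u.whenCreated
        LastLogon      = $lastLogon
        Category       = $category
    }
}

$report | Sort-Object Category, WhenCreated | Format-Table -AutoSize

# Enabled stale candidates are the ones to review first: confirm they are unused,
# turn them off, and delete them after the confirmation period your process requires.
$report | Where-Object { $_.Category -eq 'StaleCandidate' -and $_.Enabled } |
    Export-Csv -Path .\pwdlastset0-stale-candidates.csv -NoTypeInformation
```

Accounts in the ResetPending category are expected to clear on the user's next logon; if they persist across several scans, treat them like stale candidates.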