Pwd-Last-Set attribute
Applies to: desktop apps only
The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
| CN | Pwd-Last-Set |
|---|---|
| Ldap-Display-Name | pwdLastSet |
| Size | 8 bytes |
| Update Privilege | This value is set by the system. |
| Update Frequency | Each time the password is changed. |
| Attribute-Id | 1.2.840.113556.1.4.96 |
| System-Id-Guid | bf967a0a-0de6-11d0-a285-00aa003049e2 |
| Syntax | Interval |
Implementations
- Windows 2000 Server
- Windows Server 2003
- ADAM
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 8 Beta
Windows 2000 Server
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | User |
Windows Server 2003
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | User |
ADAM
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | ms-DS-Bindable-Object |
Windows Server 2003 R2
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | User |
Windows Server 2008
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | User |
Windows Server 2008 R2
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | User |
Windows Server 8 Beta
| Link-Id | - |
|---|---|
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | User |
Remarks
The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to the dwLowDateTime member of the FILETIME structure.
See also
Send comments about this topic to Microsoft
Build date: 2/3/2012
C# code
[SecurityCritical]
public void ExpirePasswordNow(DirectoryEntry de, string sUserName)
{
try
{
string attribute = "pwdLastSet";
int value = 0;
de.RefreshCache(new string[] { attribute });
de.Properties[attribute].Value = value;
de.CommitChanges();
}
catch (COMException exception)
{
throw ExceptionHelper.GetExceptionFromCOMException(exception);
}
finally
{
if (de != null)
{
de.Dispose();
}
}
}
public void ExpirePasswordNow(DirectoryEntry de, string sUserName)
{
try
{
string attribute = "pwdLastSet";
int value = 0;
de.RefreshCache(new string[] { attribute });
de.Properties[attribute].Value = value;
de.CommitChanges();
}
catch (COMException exception)
{
throw ExceptionHelper.GetExceptionFromCOMException(exception);
}
finally
{
if (de != null)
{
de.Dispose();
}
}
}
- 12/30/2011
- volnet
PS/VSB
You need to first change pwdLastSet to "0" before changing it to "-1".
VBS:
strUserDN = "CN=some user,CN=Users,DC=example,DC=org"
Set objUser = GetObject("LDAP://" & strUserDN)
' Set to "change at next logon" (1601-01-01)
objUser.Put "pwdLastSet", 0
objUser.SetInfo
' Set to Now()
objUser.Put "pwdLastSet", -1
objUser.SetInfo
Set objUser = Nothing
PowerShell:
Import-Module ActiveDirectory
$user = Get-ADUser -Filter {sAMAccountName -eq 'someuser'}
$uObj = [ADSI]"LDAP://$user"
$uObj.put("pwdLastSet", 0)
$uObj.SetInfo()
$uObj.put("pwdLastSet", -1)
$uObj.SetInfo()
- 7/25/2011
- Yet Another Jason Scott
And in Windows Script?
I don't know how to change it in PowerShell, but I'm looking at how to
change it in Windows Script. I'm still reading an article at
http://msdn.microsoft.com/en-us/library/ms974598.aspx at this very
moment I write this comment. The article is very long. Hope the answer
is there.
- 4/12/2011
- Horinius
