Overview #
The Microsoft Active Directory attribute Pwd-Last-Set attribute represents the date and time that the password for this account was last changed.Many people can associate Pwd-Last-Set attribute to the phrase from the MMC Account Tab: User Must Change Password at Next Logon
In Microsoft Active Directory the value is stored as a LargeInteger. If this value is set to 0 and the User-Account-Control Attribute does not contain the DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
When the administrator clicks the "User must change password at next logon" check-box in Active Directory Users and Computers, the pwdLastSet gets set to 0.
| CN | Pwd-Last-Set |
| Ldap-Display-Name | pwdLastSet |
| Size | 8 bytes |
| Update Privilege | This value is set by the system. |
| Update Frequency | Each time the password is changed. |
| Attribute-Id | 1.2.840.113556.1.4.96 |
| System-Id-Guid | bf967a0a-0de6-11d0-a285-00aa003049e2 |
| Syntax | Interval |
Implementations #
- Windows 2000 Server
- Windows Server 2003
- ADAM
- Windows Server 2003 R2
- Windows Server 2008
Modifications to Pwd-Last-Set attribute #
The only values that can be set are:- 0 - To set "User Must Change Password at Next Logon", set the pwdLastSet attribute to zero (0). This is as if the Pwd-Last-Set attribute=True - which is an implementation of Password MUST Change condition.
- -1 - setting the Pwd-Last-Set attribute attribute to -1 which will effectively set the Pwd-Last-Set attribute to the current time and remove the "User Must Change Password at Next Logon" restriction.
- The Pwd-Last-Set attribute attribute cannot be set to any other values except by the system.
