Overview #The Microsoft Active Directory attribute Pwd-Last-Set attribute represents the date and time that the password for this account was last changed.
Many people can associate Pwd-Last-Set attribute to the phrase from the MMC Account Tab: User Must Change Password at Next Logon
In Microsoft Active Directory the value is stored as a LargeInteger. If this value is set to 0 and the User-Account-Control Attribute does not contain the DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
When the administrator clicks the "User must change password at next logon" check-box in Active Directory Users and Computers, the pwdLastSet gets set to 0.
|Update Privilege||This value is set by the system.|
|Update Frequency||Each time the password is changed.|
- Windows 2000 Server
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
Modifications to Pwd-Last-Set attribute #The only values that can be set are:
- 0 - To set "User Must Change Password at Next Logon", set the pwdLastSet attribute to zero (0). This is as if the Pwd-Last-Set attribute=True - which is an implementation of Password MUST Change condition.
- -1 - setting the Pwd-Last-Set attribute attribute to -1 which will effectively set the Pwd-Last-Set attribute to the current time and remove the "User Must Change Password at Next Logon" restriction.
- The Pwd-Last-Set attribute attribute cannot be set to any other values except by the system.