Overview #
The Pwd-Last-Set attribute (LDAPDisplayName PwdLastSet) represents the date and time that the password for this account was last changed. The Pwd-Last-Set attribute is functionally the same as PwdChangedTime (except for the LDAPSyntaxes) in many other LDAP Server Implementations, as described within Draft-behera-ldap-password-policy.
Many people associate the Pwd-Last-Set attribute with the phrase from the MMC Account Tab: "User Must Change Password at Next Logon".
In Microsoft Active Directory the value is stored as a LargeInteger. If this value is set to 0 and the User-Account-Control Attribute does not contain the DONT_EXPIRE_PASSWORD flag, then the user must set the password at the next logon.
When the administrator clicks the "User must change password at next logon" check-box in Active Directory Users and Computers, the Pwd-Last-Set attribute (PwdLastSet) gets set to 0.
CN | Pwd-Last-Set |
Ldap-Display-Name | pwdLastSet |
Size | 8 bytes |
Update Privilege | This value is set by the system. |
Update Frequency | Each time the password is changed. |
Attribute-Id | 1.2.840.113556.1.4.96 |
System-Id-Guid | bf967a0a-0de6-11d0-a285-00aa003049e2 |
Syntax | Interval |
Implementations #
- Windows 2000 Server
- Windows Server 2003
- ADAM
- Windows Server 2003 R2
- Windows Server 2008
The Pwd-Last-Set attribute is normally the same as PwdChangedTime in other LDAP Server Implementations, as described within Draft-behera-ldap-password-policy.
Modifications to Pwd-Last-Set attribute #
The only values that can be set are:
- 0 - To set "User Must Change Password at Next Logon", set the pwdLastSet attribute to zero (0). This is as if the Pwd-Last-Set attribute=True, which is an implementation of the Password MUST Change condition.
- -1 - Setting the Pwd-Last-Set attribute to -1 effectively sets it to the current time and removes the "User Must Change Password at Next Logon" restriction.
- The Pwd-Last-Set attribute cannot be set to any other values except by the system.
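
The following added example (not part of the original page and not Microsoft code) decodes a stored pwdLastSet value and applies the 0 / DONT_EXPIRE_PASSWORD and settable-value rules described above. It assumes the LargeInteger is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC) and that DONT_EXPIRE_PASSWORD is userAccountControl bit 0x10000; `classify`, its `max_age_days` threshold and the sample entries are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the LargeInteger is a Windows FILETIME, i.e. a count of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # assumed userAccountControl bit value


def pwd_last_set_to_datetime(raw):
    """Decode a stored pwdLastSet value; None means 0 (no change time recorded)."""
    value = int(raw)  # LDAP clients usually return the value as a decimal string
    if value < 0:
        raise ValueError("negative values are only meaningful on write (-1)")
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def is_settable(value):
    """Only 0 and -1 may be written by a client; anything else is system-set."""
    return int(value) in (0, -1)


def classify(raw, uac, now, max_age_days):
    """Hypothetical audit helper: label one account from pwdLastSet and userAccountControl."""
    if int(uac) & DONT_EXPIRE_PASSWORD:
        return "no-expiry"
    changed = pwd_last_set_to_datetime(raw)
    if changed is None:
        return "must-change-at-next-logon"
    if now - changed > timedelta(days=max_age_days):
        return "stale"
    return "ok"


# Constructed sample entries: (sAMAccountName, pwdLastSet, userAccountControl)
SAMPLE = [
    ("alice", "133485408000000000", 512),    # changed 2024-01-01 UTC
    ("bob", "0", 512),                       # flagged to change at next logon
    ("carol", "116444736000000000", 512),    # changed 1970-01-01 UTC
    ("svc-backup", "116444736000000000", 512 | DONT_EXPIRE_PASSWORD),
]

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    for name, raw, uac in SAMPLE:
        print(name, pwd_last_set_to_datetime(raw), classify(raw, uac, now, 90))
```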