Pwd-Last-Set attribute

Overview

The Microsoft Active Directory Pwd-Last-Set attribute represents the date and time that the password for this account was last changed.

Many people associate the Pwd-Last-Set attribute with the phrase from the MMC Account Tab: User Must Change Password at Next Logon

In Microsoft Active Directory the value is stored as a LargeInteger. If this value is set to 0 and the User-Account-Control Attribute does not contain the DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.

When the administrator selects the "User must change password at next logon" check-box in Active Directory Users and Computers, pwdLastSet is set to 0.

  • Size: 8 bytes
  • Update Privilege: This value is set by the system.
  • Update Frequency: Each time the password is changed.

Implementations

  • Windows 2000 Server
  • Windows Server 2003
  • ADAM
  • Windows Server 2003 R2
  • Windows Server 2008

Modifications to Pwd-Last-Set attribute

The only values that can be set are:
  • 0 - To set "User Must Change Password at Next Logon", set the pwdLastSet attribute to zero (0). This behaves as if Pwd-Last-Set attribute=True, which is an implementation of the Password MUST Change condition.
  • -1 - Setting the Pwd-Last-Set attribute to -1 effectively sets it to the current time and removes the "User Must Change Password at Next Logon" restriction.
  • The Pwd-Last-Set attribute cannot be set to any other value except by the system.
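
The rules above and in the Overview, applied to exported directory entries, as an added example that is not part of the original page. It assumes the LargeInteger is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and that DONT_EXPIRE_PASSWD is bit 0x10000 of userAccountControl; the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: pwdLastSet is a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000  # bit in userAccountControl


def to_datetime(pwd_last_set):
    """UTC time of the last password change; None when the stored value is 0."""
    ticks = int(pwd_last_set)  # LDAP returns the LargeInteger as a decimal string
    if ticks < 0:
        raise ValueError("negative values are not timestamps; -1 is only a write request")
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def must_change_at_next_logon(pwd_last_set, user_account_control):
    """True when pwdLastSet is 0 and DONT_EXPIRE_PASSWD is not set."""
    exempt = int(user_account_control) & DONT_EXPIRE_PASSWD
    return int(pwd_last_set) == 0 and not exempt


def check_write(value):
    """Reject client writes other than 0 (force change) or -1 (stamp current time)."""
    if int(value) not in (0, -1):
        raise ValueError(f"pwdLastSet accepts only 0 or -1 from a client, got {value}")
    return int(value)


def audit(entries, now):
    """Map account name -> (status, password age in days or None)."""
    report = {}
    for e in entries:
        changed = to_datetime(e["pwdLastSet"])
        if must_change_at_next_logon(e["pwdLastSet"], e["userAccountControl"]):
            status = "must-change-at-next-logon"
        elif changed is None:
            status = "zero-but-DONT_EXPIRE_PASSWD"
        else:
            status = "changed"
        report[e["sAMAccountName"]] = (status, (now - changed).days if changed else None)
    return report


# Constructed sample entries, shaped like an LDAP export (not real accounts).
SAMPLE = [
    {"sAMAccountName": "alice", "pwdLastSet": "0", "userAccountControl": "512"},
    {"sAMAccountName": "svc-backup", "pwdLastSet": "0", "userAccountControl": "66048"},
    {"sAMAccountName": "bob", "pwdLastSet": "132223104000000000", "userAccountControl": "512"},
]
NOW = datetime(2020, 4, 10, tzinfo=timezone.utc)  # fixed so the result is reproducible
```

Calling `audit(SAMPLE, NOW)` separates accounts that are forced to change their password from accounts whose zero value is overridden by DONT_EXPIRE_PASSWD, which is a combination worth reviewing on service accounts.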

MMC Account Tab

The value can be set within the MMC on the MMC Account Tab as: User Must Change Password at Next Logon.


