VBScript program to output all users in the domain with the date and time that each last changed their password. If passwords expire for all users, this program can be used to identify old unused accounts that can be disabled and eventually deleted.
This program uses the pwdLastSet attribute to determine when the password was last set. Because this attribute is replicated, the program only has to search Active Directory on one Domain Controller to get the correct value for every user. This makes the program faster than one that retrieves the lastLogon attribute, which is not replicated. However, if some users are not required to periodically change their password, then a program that retrieves lastLogon is the only method available to identify unused accounts.
The Distinguished Name of each user, whether their password expires, and the pwdLastSet date for each user are output on a separate line, with the fields delimited by semicolons. The output is written to a text file, which can be easily read by a spreadsheet program like Microsoft Excel. The filename is a required parameter for the program.
The pwdLastSet attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a 64-bit number, which cannot be handled directly by VBScript. However, the LDAP provider IADsLargeInteger interface exposes the HighPart and LowPart methods that break the number into two 32-bit components. The resulting value represents the number of 100 nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.
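As an added illustration (not the original VBScript program), the Integer8 arithmetic and the output format described above, worked in Python: the HighPart/LowPart recombination (including the case where the signed LowPart comes back negative), the 100-nanosecond count from 1601 to a UTC date, the registry bias adjustment (taken here as a bias_minutes parameter rather than read from the registry), and the two special cases a practitioner hits, a pwdLastSet of 0 and accounts whose password never expires. The userAccountControl flag constant, the sample records and the stale-account filter are assumptions added for the example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # tick 0 of an Integer8 timestamp
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

def combine_parts(high_part, low_part):
    """Rebuild the 64-bit Integer8 from IADsLargeInteger's HighPart/LowPart.
    LowPart is a *signed* 32-bit value: a negative LowPart means the unsigned
    half was >= 2**31, which is equivalent to bumping HighPart by one."""
    if low_part < 0:
        high_part += 1
    return high_part * 2**32 + low_part

def integer8_to_utc(high_part, low_part):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime; None when the value
    is 0 (password never set / must change at next logon)."""
    ticks = combine_parts(high_part, low_part)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)  # 10 ticks per microsecond

def report_line(dn, uac, high_part, low_part, bias_minutes=0):
    """'DN;expires;pwdLastSet' with the stamp in local time. bias_minutes mirrors
    the registry ActiveTimeBias (minutes to add to local time to reach UTC)."""
    expires = "No" if uac & ADS_UF_DONT_EXPIRE_PASSWD else "Yes"
    when = integer8_to_utc(high_part, low_part)
    stamp = "never" if when is None else (
        when - timedelta(minutes=bias_minutes)).strftime("%Y-%m-%d %H:%M:%S")
    return f"{dn};{expires};{stamp}"

def stale_accounts(records, max_age_days, now_utc, bias_minutes=0):
    """Report lines for accounts whose expiring password is older than max_age_days.
    'Never expires' accounts are skipped: pwdLastSet says nothing about their use."""
    cutoff = now_utc - timedelta(days=max_age_days)
    out = []
    for dn, uac, high, low in records:
        if uac & ADS_UF_DONT_EXPIRE_PASSWD:
            continue
        when = integer8_to_utc(high, low)
        if when is None or when < cutoff:
            out.append(report_line(dn, uac, high, low, bias_minutes))
    return out

# Constructed sample rows, not real directory data: (DN, userAccountControl, HighPart, LowPart)
SAMPLE_RECORDS = [
    ("CN=Alice,OU=Users,DC=example,DC=com", 0x200, 30785590, 1761935360),  # 2020-01-01 00:00:00Z
    ("CN=Bob,OU=Users,DC=example,DC=com", 0x200, 30785590, -1294967296),   # negative LowPart
    ("CN=Svc,OU=Users,DC=example,DC=com", 0x10200, 30785590, 1761935360),  # never expires
    ("CN=New,OU=Users,DC=example,DC=com", 0x200, 0, 0),                    # pwdLastSet = 0
]
```

Accounts flagged "password never expires" are deliberately left out of the stale list, since for them only lastLogon (as the text notes) can show whether the account is still used.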
The program can be run at a command prompt with the cscript host. The name of the output text file is a required parameter. For example:
cscript //nologo PwdLastChanged.vbs "c:\MyFolder\Report.txt"