Active Directory

How to find password age in Active Directory

Posted by daro on June 03, 2014
Active Directory, Windows / 4 Comments


Finding password age in Active Directory doesn’t have to be all that complicated

1. Net user

Open up command prompt and issue following command:

net user username /domain

Where username is an AD logon name of a user. Output of this command should look like this:

net user

Last logon entry visible in above screenshot can also be found in ADUC by navigating to user’s account and going to Attribute Editor tab as below:


There is a controversy over which attribute should be used, whether it should be lastLogon or lastLogonTimestamp. In my case lastLogon attribute is more accurate. Another quick way to do this is to use Lockout status tool provided by Microsoft.

2. Lockout Status tool

Bear in mind that in order to use this tool on a client machine rather than a server you would have to have RSAT installed.