How to find password age in Active Directory

Posted by daro on June 03, 2014
Active Directory, Windows


Finding password age in Active Directory doesn’t have to be all that complicated

1. Net user

Open up command prompt and issue following command:

net user username /domain

Where username is an AD logon name of a user. Output of this command should look like this:

net user

Last logon entry visible in above screenshot can also be found in ADUC by navigating to user’s account and going to Attribute Editor tab as below:


There is a controversy over which attribute should be used, whether it should be lastLogon or lastLogonTimestamp. In my case lastLogon attribute is more accurate. Another quick way to do this is to use Lockout status tool provided by Microsoft.

2. Lockout Status tool

Bear in mind that in order to use this tool on a client machine rather than a server you would have to have RSAT installed.



4 Comments to How to find password age in Active Directory

  • When I type in this command I get this output:
    PS C:\Windows\system32> net user MyDomain\MyUsername /domain
    The syntax of this command is:

    [username [password | *] [options]] [/DOMAIN]
    username {password | *} /ADD [options] [/DOMAIN]
    username [/DELETE] [/DOMAIN]
    username [/TIMES:{times | ALL}]

  • Got the same nuissance that George Davey ,
    effectively when using
    >net user user_name /domain

    I was also confused by /domain, putting my domain name instead of “/domain”

    its a ms word game

    thanks for the hint, very useful

  • Just run this from Cmd as Admin while logged in the same domain:

    Net User MyAccountName /Domain

    Only replace MyAccountName with the account you want to query. Leave /Domain as is.

    Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month [email protected] *