Share via

How to Get-Aduser password last set by an administrative account

Roberto Ciccariello 20 Reputation points
2025-10-02T08:36:29.39+00:00

With the "Windows Command Prompt" command 

net user /domain <samaccountname>

I get the "password last set" that is the last date when or the user change his password or an aministrative account set a new password on behalf of the user.

Instead if I use the powershell command 

 Get-ADUser -Identity $SAMAccountName -Properties PasswordLastSet

I get only the last date when the user change his password, but:

  • if the user never changed the first password assigned by an aministrative account then with the powershell command I don't get a "password last set" (differently from the "Windows Command Prompt" command "net user /domain <samaccountname>")
  • if the user changed his password and after an aministrative account set a new password on behalf of the user, then with the powershell command I get the last date when the user changed his password and not the date when the password was reset from an administrative account (differently from the "Windows Command Prompt" command "net user /domain <samaccountname>")

So I want to know how to obtain with powershell the same behavior as the command "net user /domain <samaccountname>": I want to get the most recent date beetwen the last date the user changed his password and the last date an administrative account set the user password on behalf of the user.

Thanks,
Roberto

Windows for business | Windows Server | User experience | PowerShell
0 comments
Answer accepted by question author
  1. Quinnie Quoc 5,835 Reputation points Independent Advisor
    2025-10-02T09:33:11.7+00:00

    Hi Roberto,

    To retrieve the full picture, including administrative resets, PowerShell doesn’t directly expose this through PasswordLastSet. Instead, you can query the domain controller’s security event logs for password change (event ID 4723) and password reset (event ID 4724), then compare timestamps. This approach gives you the most recent password activity—whether by the user or an admin.

    Alternatively, some environments use auditing or SIEM tools to track these events more efficiently. If you'd like, we can help craft a script to parse those logs and extract the relevant dates.

    Let us know how you'd like to proceed—we’re happy to support you further.

    If my answer is useful for you, please vote for it.

    Best regards,

    Quinnie Quoc.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.