Q. How can I run a report that displays the last password change for all accounts in a container?

A. The last-password-change date is stored in the user class's Active Directory (AD) pwdLastSet attribute as a large (64-bit) integer, which means the date must be converted so that it can be read and displayed in a usable "date" format. To perform the conversion, I modified a script by Richard Mueller so that it searches for all users in the passed root distinguished name and outputs their last-password-change date to a screen. You can download the script, listuserpasslastchange.vbs, or copy and paste the following script into a text file.

' John Savill' This is based on Richard Mueller's script on Interger8Date' conversion, which is copyrighted as below.' Copyright (c) 2003 Richard L. Mueller' Hilltop Lab Web site - http://www.rlmueller.net'' I simply changed it to output all objects in a passed DN.Option ExplicitDim strLdapPath, objConnection, objChildDim lngTZBias, objUser, objPwdLastSetDim objShell, lngBiasKey, k' Check that all required arguments have been passedIf Wscript.Arguments.Count  0 Then    On Error GoTo 0    Integer8Date = #1/1/1601#  End If  On Error GoTo 0End Function

To run the script, use the syntax

cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test

You'll see output that's similar to this:

CN=Bruce Wayne       11/17/2003 1:30:14 PMCN=Clark Kent        11/17/2003 1:31:30 PMCN=Hal Jordan        12/6/2004 2:52:56 PMCN=Wally West        3/17/2003 9:04:45 AM