Powershell: When was the password last reset for the Local Administrator Account?

Page content

In my last post (found here) I wrote about how to determine the account name of the local administrator account on a computer. Now that we know the account name, when did the password last change on that account?

Managing local accounts on computers (clients or servers) can be a hassle and one thing that makes auditing a little bit simpler is to find out how old the password for a local user on a machine is. The function Get-SWLocalAdmin in my last post returns an object of the type UserPrincipal which has a lot of interesting properties such as LastPasswordSet which returns a DateTime object telling us when the password was last set.

If we already know the name of the account we want to query for or if we want to query for another account than the builtin administrator account we can use the function Get-SWLocalPasswordLastSet below which will return a DateTime object.

function Get-SWLocalPasswordLastSet {
    param (
    Try {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement 
        $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $ComputerName)
        $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, $UserName)
    Catch {
        Write-Warning -Message "$($_.Exception.Message)"

The UserPrincipal object also has a lot of other interesting properties like Enabled, BadLogonCount and LastLogon and some methods worth noting, like Delete, ExpirePasswordNow, GetGroups, ChangePassword and SetPassword.

To read more about UserPrincipal class please see MSDN at: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal(v=vs.110).aspx

Next time we will look closer on how to reset the password on a local account and how to verify that the password was set (or only verify that the password is what we expect it to be).