Many companies have a policy that requires a user to change their (Active Directory) password every so many days. Commonly used intervals are 30, 45, 60, or 90 days, but it can be anything. This is usually set via Maximum Password Age in a Group Policy Object (GPO), which is distributed to all workstations in a corporate environment, and it is what makes password expiry possible. The way this works is that each user (object) has an attribute called “pwdLastSet” (password last set) that holds the date and time the user or an admin last changed the password. The value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).
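The following PowerShell is an added example, not code from the original article: it decodes a raw pwdLastSet value from the 100-nanosecond FILETIME format described above and works out whether the password has expired under a given Maximum Password Age. The decoding runs offline on a constructed value; the commented-out live lookup at the end assumes the ActiveDirectory module and read access to the user object, and the account name is a placeholder.

```powershell
# Added example (not from the original article): decode pwdLastSet and
# evaluate it against a Maximum Password Age.

function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)][Int64]$PwdLastSet)

    # 0 means the password has never been set (or a change is required at
    # next logon); there is no date to decode in that case.
    if ($PwdLastSet -le 0) { return $null }

    # pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    return [DateTime]::FromFileTimeUtc($PwdLastSet)
}

function Test-PasswordExpired {
    param(
        [Parameter(Mandatory)][Int64]$PwdLastSet,
        [Parameter(Mandatory)][TimeSpan]$MaxPasswordAge,
        [DateTime]$Now = [DateTime]::UtcNow
    )

    $lastSet = ConvertFrom-PwdLastSet -PwdLastSet $PwdLastSet
    if ($null -eq $lastSet) {
        return [pscustomobject]@{
            LastSet   = $null
            ExpiresOn = $null
            Expired   = $true
            Reason    = 'pwdLastSet is 0: a password change is required at next logon'
        }
    }

    # A Maximum Password Age of zero means passwords in this policy never expire.
    if ($MaxPasswordAge -eq [TimeSpan]::Zero) {
        return [pscustomobject]@{
            LastSet   = $lastSet
            ExpiresOn = $null
            Expired   = $false
            Reason    = 'Maximum Password Age is 0: passwords never expire'
        }
    }

    $expiresOn = $lastSet + $MaxPasswordAge
    return [pscustomobject]@{
        LastSet   = $lastSet
        ExpiresOn = $expiresOn
        Expired   = ($Now -ge $expiresOn)
        Reason    = ('Password age {0:N0} days against a {1:N0}-day maximum' -f `
                        ($Now - $lastSet).TotalDays, $MaxPasswordAge.TotalDays)
    }
}

# Constructed sample: a password set 100 days ago, evaluated under a 90-day policy.
# ToFileTimeUtc() produces exactly the integer form stored in pwdLastSet.
$sampleTicks = ([DateTime]::UtcNow.AddDays(-100)).ToFileTimeUtc()
Test-PasswordExpired -PwdLastSet $sampleTicks -MaxPasswordAge (New-TimeSpan -Days 90)

# Live equivalent (assumed: ActiveDirectory module, read access; 'jdoe' is a placeholder):
# $u = Get-ADUser -Identity 'jdoe' -Properties pwdLastSet
# $p = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # fine-grained policy, if any
# if ($null -eq $p) { $p = Get-ADDefaultDomainPasswordPolicy }
# Test-PasswordExpired -PwdLastSet $u.pwdLastSet -MaxPasswordAge $p.MaxPasswordAge
```

The live variant checks the resultant (fine-grained) password policy first, because a Password Settings Object can give a user a different Maximum Password Age than the domain default set in the GPO.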
Resetting the date
A password is considered expired when it is older than the maximum password age policy dictates. An expired password no longer grants access to resources. However, in specific cases it may be necessary to extend the lifetime of an account’s current password without the user or an admin changing the password.
The way to do that is to update the pwdLastSet value in Active Directory. This attribute is protected: the only date you can set pwdLastSet to on an Active Directory account is today’s date. It is not possible to enter an arbitrary date.
Allowed modifications to pwdLastSet attribute
The values that can be set are:
To set “User Must Change Password at Next Logon”, set the pwdLastSet attribute to zero (0).
- or -
To effectively set the attribute to the current time, set the pwdLastSet attribute to -1.
The attribute cannot be set to any other values except by the system.
How to modify the attribute
First, make sure your account has the privileges to update the user object.
- From Active Directory Users & Computers, make sure Advanced Features is enabled. This only needs to be done once.
- Navigate to the user’s account. You should find an Attribute Editor tab. Do not use the search function, as opening an account from there will not show the Attribute Editor tab.
- Go to the pwdLastSet field. Modify it by entering 0 as a value. This sets the value to (Never), meaning the password has never been set. Click OK to close the box.
- Open the User’s Account Properties again. Go back to the Attribute Editor tab. Again, scroll to pwdLastSet and enter -1. (You cannot set -1 until you first clear it out with 0 in the previous step.) Close the box again.
- When you now open the properties again and view the pwdLastSet value, it will indicate today’s date.
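The same two-step reset, done with the ActiveDirectory PowerShell module instead of the Attribute Editor. This is an added example and not code from the original article; it assumes the module is installed and that the caller has write access to the user’s pwdLastSet attribute. The account name and domain controller name are placeholders.

```powershell
# Added example (not from the original article): set pwdLastSet to 0 and
# then to -1, the only two writes Active Directory accepts for this attribute.

function Reset-PwdLastSetToNow {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Pin every call to one domain controller so the read-back after the
        # write is not stale because of replication lag.
        [string]$Server
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    $before = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet @common
    Write-Verbose ("pwdLastSet before: {0}" -f $before.pwdLastSet)

    if (-not $PSCmdlet.ShouldProcess($SamAccountName, 'Reset pwdLastSet to the current time')) {
        return
    }

    # Step 1: clear the attribute. 0 means "User must change password at next
    # logon". The only reason for this step is to permit the -1 write that
    # follows, so it is skipped when the attribute is already 0.
    if ($before.pwdLastSet -ne 0) {
        Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = 0 } @common
    }

    # Step 2: -1 tells the domain controller to stamp the current time.
    Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = -1 } @common

    $after = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet @common

    $beforeDate = $null
    if ($before.pwdLastSet -gt 0) {
        $beforeDate = [DateTime]::FromFileTimeUtc($before.pwdLastSet)
    }

    return [pscustomobject]@{
        SamAccountName = $SamAccountName
        Before         = $beforeDate
        After          = [DateTime]::FromFileTimeUtc($after.pwdLastSet)
    }
}

# Dry run first (placeholders: 'jdoe', 'dc01.example.test'), then the real change:
Reset-PwdLastSetToNow -SamAccountName 'jdoe' -Server 'dc01.example.test' -WhatIf
# Reset-PwdLastSetToNow -SamAccountName 'jdoe' -Server 'dc01.example.test' -Verbose
```

Because this is a change to the user object on a domain controller, it shows up in the DC’s Security log as event 4738 (“A user account was changed”) with Password Last Set among the changed attributes, the same event a genuine password change produces. If this workaround is used, that is where a reviewer can tie the new pwdLastSet date to the account that made the change.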
That’s it. You have now extended the time the same password can be used, without needing to know what the password actually is. Note that this should be considered a workaround and may well be against your company’s policies.
If you want to read more about why password expiration is no longer considered best practice, Lance Spitzner has written an excellent article about it here.