Got this question in the mailbag today; thought I would share it as it is a common question.
I’m looking for a reference or some lead on how I can comprehensively report the date of the last time all user accounts passwords in AD were reset. I was wondering if you could point to something out there.
My response:
You can dump when accounts had their password changed, but that includes password changes as well as password resets… i.e. it covers both the case where someone changed a password by supplying the old password and the case where there was an administrative reset. There is no way outside of the audit log to determine when accounts were reset only.
If you just need to know when all passwords were last changed, you can do something like:

adfind -b dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)" pwdlastset -tdcs
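For turning that dump into a report, here is an added example (not part of the original post, and not adfind's own code) that parses adfind-style output where pwdLastSet is still the raw FILETIME value (i.e. without -tdcs), converts it to a UTC date, flags the special value 0 ("must change password at next logon"), and computes the password age. The sample output, the 365-day threshold and the report date are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed "as of" date so the report is reproducible; use datetime.now(timezone.utc) in practice.
REPORT_ASOF = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the shape adfind prints without -tdcs (raw attribute values).
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=Alice,OU=Staff,DC=domain,DC=com
>pwdLastSet: 133500000000000000

dn:CN=Bob,OU=Staff,DC=domain,DC=com
>pwdLastSet: 0

dn:CN=svc-backup,OU=Service,DC=domain,DC=com
>pwdLastSet: 131000000000000000
"""


def filetime_to_datetime(value):
    """Convert a raw pwdLastSet value to an aware UTC datetime.
    Returns None for 0, which AD uses for "must change password at next logon"."""
    value = int(value)
    if value == 0:
        return None
    # Integer-divide by 10 to go from 100 ns units to microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def parse_adfind(text):
    """Yield (dn, raw_pwdlastset) pairs from adfind-style 'dn:' / '>attr:' output."""
    dn = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith(">pwdLastSet:") and dn:
            yield dn, line.split(":", 1)[1].strip()


def password_age_report(text, now=None, max_age_days=365):
    """Return a list of (dn, last_set, age_days, flag) tuples.
    Note: last_set reflects the last change OR reset; the attribute cannot tell them apart."""
    now = now or datetime.now(timezone.utc)
    report = []
    for dn, raw in parse_adfind(text):
        last_set = filetime_to_datetime(raw)
        if last_set is None:
            report.append((dn, None, None, "must-change-at-next-logon"))
            continue
        age = (now - last_set).days
        report.append((dn, last_set, age, "stale" if age > max_age_days else "ok"))
    return report
```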