Is there a way to tell when a user last changed their password?
Is there a way to tell when a user last changed their password?
Errr,
I take it we are talking Windows?......which version of NT... (the question is obviously irrelevant to 9x/ME)
I have always worked with software that would tell the user to change their password.....I never bothered to find out if it recorded when this was done............just forced it once every "x" days?
Not too sure of your requirement here, more info please? A 28 day enforced change cycle is quite reasonable.....but I am not sure if the actual change is monitored?...for higher levels of security I would also like the MAC addy of the box, any net connection details & so on? preferably can only be done at your personal workstation?
I think that you might be heading in an interesting direction here?
Keep it going please :)
EDIT: I remember seeing old IBM "big" systems nagging because you had not changed your PW..............but I was very young then, and did not know what was driving it.
Those were the "enemy within" days of security :D
basically NT/2000
I normally use one of two tools to check out the last time a password was changed for a user. The links to their home sites are below. The two tools are both commercial with the usual 30-day trial period.
hyena
dameware
As an aside, the information is held in the SAM so it should be easy enough to extract it with a script. If I find a tool to do this I will let you know.
You can also use Retina as it does pick up when various accounts have had passwords changed. But wouldn't this show up in the event viewer? (or is this one of those things that has to be enabled?)
It would show up in the event viewer, but with multiple users and large audit logs. How far back would you go looking? It could take a couple hours to find it, unless someone knows a short cut or the exact code I need.
I am fairly sure that the basic audit options will only tell you when someone logs on or tries to log on. To have the information on changes made to an account, like it being locked out or the password being changed, you have to activate it. The link below is an article from Microsoft on the different events for users.
users account audits
The problem in my experience with the event log is that it tends to be like looking for a needle in a haystack to find any information. Especially if you are looking for something that was logged more than a couple of days before. Still, it is possible if you extract the log and import it into something like Excel.
edit: If it is for professional use go with Hyena. I personally find it to be the most versatile software of its type I have used.
Can someone add a screenshot of an audit record relating to a password change?
You can always use filter in the Event Viewer to filter the exact event (Password Change) you want!
I do a majority of my work on a nix system. Can anyone tell me the specific keyword I am using to filter out a password change?
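
Added example (not part of the original thread, and not taken from any of the tools named in it): a way to do the "export the log and filter it" step discussed above with a script instead of Excel. On NT 4.0 / Windows 2000, with account management auditing enabled, event ID 627 is a change-password attempt and 628 is a password set by an administrator. The CSV column names, the date format and the sample rows are assumptions constructed for this example; adjust them to match your actual export.

```python
import csv
import io
import re
from datetime import datetime

# Security log event IDs on NT 4.0 / Windows 2000 (account management auditing):
#   627 = change password attempt (user changes own password)
#   628 = user account password set (administrative reset)
PASSWORD_EVENTS = {"627": "changed by user", "628": "reset by admin"}
TARGET = re.compile(r"Target Account Name:\s*(\S+)", re.IGNORECASE)

# Constructed sample export; header names and date format are assumptions.
SAMPLE_CSV = """Date,Time,Source,Type,Category,Event,User,Computer,Description
2003-03-01,09:12:44,Security,Success Audit,Logon/Logoff,528,jsmith,WS01,Successful Logon: User Name: jsmith
2003-03-02,10:01:05,Security,Success Audit,Account Management,627,jsmith,DC01,Change Password Attempt: Target Account Name: jsmith Target Domain: CORP
2003-03-09,16:30:00,Security,Failure Audit,Account Management,627,jsmith,DC01,Change Password Attempt: Target Account Name: jsmith Target Domain: CORP
2003-03-05,08:45:10,Security,Success Audit,Account Management,628,admin,DC01,User Account password set: Target Account Name: mjones Target Domain: CORP
2003-03-07,11:20:31,Security,Success Audit,Account Management,628,admin,DC01,User Account password set: Target Account Name: jsmith Target Domain: CORP
"""

def last_password_changes(csv_text):
    """Return {account: (datetime, how)} for the latest successful change per account."""
    latest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        how = PASSWORD_EVENTS.get(row["Event"].strip())
        # A Failure Audit on 627 is a rejected attempt, not an actual change.
        if how is None or row["Type"].strip() != "Success Audit":
            continue
        match = TARGET.search(row["Description"])
        if not match:
            continue
        account = match.group(1).lower()
        when = datetime.strptime(row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S")
        # Rows are not assumed to be in time order, so compare timestamps.
        if account not in latest or when > latest[account][0]:
            latest[account] = (when, how)
    return latest

if __name__ == "__main__":
    for account, (when, how) in sorted(last_password_changes(SAMPLE_CSV).items()):
        print(f"{account}: {when:%Y-%m-%d %H:%M:%S} ({how})")
```

The script only sees changes that were audited and are still in the exported log, so an account with no entry means "no record", not "never changed".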