Show Accounts Whose Passwords Changed in Last 7 Days

This script helps you audit or identify accounts that have recently changed their password.

It is recommended that you run this on a domain controller or system that has RSAT tools installed, in an Administrative PowerShell session. You can also make this a scheduled task.

Copy and paste the below script into your favorite text editor and save as audit_passchanges.ps1. By default, the script checks for accounts whose passwords changed in the last 7 days. You can modify this date range where it’s noted in the script.

The script will save results of accounts that meet the search criteria into a CSV named mod_pass_<date run>.csv to the location where the script is located.

# -----------------------------------------------------------------
# Password Last Changed Audit
# Created by: Christopher Clai - www.syntaxbearror.io
# -----------------------------------------------------------------
# Version 1.0 (August 5th, 2019)
# -----------------------------------------------------------------
#
# Example of running the script:
# .\audit_passchanges.ps1 
#
#
# ##### CHANGELOG ########
# Version 1.0
# 
#
#

Import-Module ActiveDirectory

# Alter the negative number to how many days back you want to go.
$range = ((Get-Date).AddDays(-7)).Date

# -----
# DO NOT EDIT ANYTHING BELOW THIS LINE
# -----

$fnmod = Get-Date -Format "yyyymmdd"
$fname = "mod_pass_" + $fnmod + ".csv"

Get-ADUser -Filter {PasswordLastSet -ge $range} -Properties PasswordLastSet | Export-CSV $fname -NoTypeInformation