
How to Get the Last Password Change Date for a User in Batch Script

Tracking when a user last changed their password is a fundamental task for IT auditing and security management. In many environments, password expiration policies are in place to force regular updates, and knowing the "Last Password Set" date allows administrators to identify accounts that are approaching their expiration or that haven't been updated in a dangerously long time. While this info is visible in the Active Directory or Local Users GUI, a Batch script can pull this timestamp in seconds using the net user command.

This guide explains how to extract and display this date programmatically.

Why Audit the Password Change Date?

  • Security Compliance: Ensuring that sensitive accounts (like Administrators) are following the mandatory 60- or 90-day password rotation cycle.
  • Help Desk Diagnosis: Explaining to a user why they are being prompted to change their password by showing them exactly when they last set it.
  • Legacy Account Detection: Identifying "stale" local accounts that haven't had a password update in years, which could indicate the account is no longer in active use.

Local vs. Domain

The net user command targets the local computer by default. If your users are part of an Active Directory domain, you must add the /domain flag to the command to get the centralized record.

Method 1: Using Net User (Quick Lookup)

The basic net user command displays a table of information. You can filter for just the password-related fields.

@echo off
setlocal

set /p "TARGET_USER=Enter username: "

if "%TARGET_USER%"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving password metadata for "%TARGET_USER%"...
echo.

net user "%TARGET_USER%" 2>nul | findstr /i /c:"Password last set" /c:"Password expires"

if %errorlevel% neq 0 (
    echo [ERROR] User "%TARGET_USER%" was not found in the local database.
    echo [TIP] For domain accounts, use the /domain flag.
)
pause

Method 2: Extracting the Date into a Variable

To use this date in an automated report or a larger script, you can use a FOR loop to isolate the actual date string from the net user output.

@echo off
setlocal

set "USN=Administrator"

:: Verify the user exists
net user "%USN%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] User "%USN%" not found.
    pause
    exit /b 1
)

echo [PROCESS] Auditing account: %USN%

:: The "Password last set" line format is:
::   Password last set            1/15/2024 3:42:10 PM
:: With the default space/tab delimiters, tokens 1-3 are the words
:: "Password", "last" and "set"; "tokens=3,*" puts the rest of the line
:: (the date and time, or "Never") into %%b.
set "LAST_SET="
for /f "tokens=3,*" %%a in ('net user "%USN%" 2^>nul ^| findstr /c:"Password last set"') do (
    set "LAST_SET=%%b"
)

if defined LAST_SET (
    echo.
    echo [RESULT] Last password change: %LAST_SET%
) else (
    echo [ERROR] Could not parse the password date.
)

echo.
pause

Creating a Password Age Audit Tool

A professional script checks one or more accounts and provides structured output with alerts for concerning states.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo Password Lifecycle Auditor
echo ============================================================

set /p "USN=Username to check: "

if "!USN!"=="" (
echo [ERROR] No username entered.
pause
exit /b 1
)

:: 1. Verify the user exists
net user "!USN!" >nul 2>&1
if !errorlevel! neq 0 (
    echo [ERROR] User "!USN!" not found on this machine.
    echo [TIP] For domain accounts, try: net user "!USN!" /domain
    pause
    exit /b 1
)

:: 2. Extract key fields
echo.
echo [INFO] Account: !USN!
echo -----------------------------------------

for /f "delims=" %%l in ('net user "!USN!" 2^>nul ^| findstr /i /c:"Password last set" /c:"Password expires" /c:"Account active"') do (
    rem net user pads each label with spaces and uses no colon separator,
    rem so print each matching line unchanged.
    echo %%l
)

echo -----------------------------------------

:: 3. Check for 'Never' in password date
net user "!USN!" 2>nul | findstr /i /c:"Password last set" | findstr /i /c:"Never" >nul
if !errorlevel! equ 0 (
    echo.
    rem A lone exclamation mark is stripped while delayed expansion is on, so end with a period.
    echo [ALERT] This user has NEVER changed their password.
    echo [ACTION] Consider requiring a password change at next logon:
    echo net user "!USN!" /logonpasswordchg:yes
)

echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

While standard users can often check their own "Password last set" date, you must run as an Administrator to query the metadata of other local accounts or to query the domain database.

Regional Date Formats

The format of the date (e.g., MM/DD/YYYY vs DD/MM/YYYY) depends entirely on your system's "Regional Settings."

Wrong Way:

:: Trying to split the date by / to calculate the exact days remaining

Correct Way: Treat the date as an opaque string (a label) for simple reporting. If you need to do arithmetic on the date (e.g., "Current Date - Last Set Date"), it is highly recommended to call PowerShell from within your Batch script, as Batch cannot handle complex date arithmetic natively.

SEO and UX Tip

Advise your users that if "Password last set" says "Never," it means the account was created with a specific password that has never been rotated, which is a significant security risk for long-term accounts.

Best Practices for Password Management

  1. Check Expiration Date: Alongside the "Last Set" date, also query the "Password expires" field to see when the user will next be interrupted.
  2. Audit the Domain: If you are in a corporate office, always use net user %USERNAME% /domain to ensure you are seeing the latest data replicated across the network servers.
  3. Log to CSV: Use your script to loop through a list of usernames and save the results to a CSV file (e.g., echo %USN%,%LAST_SET% >> audit.csv) for a monthly security report.
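
The CSV logging step above, combined with the earlier advice to leave date arithmetic to PowerShell, as an added example (not code from the original guide). It assumes Windows PowerShell 5.1 or later for Get-LocalUser and local accounts only; users.txt, audit.csv, AUDIT_USER and the 90-day threshold are hypothetical names and values chosen for illustration.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion

rem Added example. Assumed names: users.txt (one local account per line),
rem audit.csv (report) and a 90-day policy threshold.
set "USER_LIST=users.txt"
set "REPORT=audit.csv"
set "MAX_AGE_DAYS=90"
set /a FLAGGED=0

if not exist "%USER_LIST%" (
    echo [ERROR] %USER_LIST% not found.
    exit /b 1
)

rem PowerShell does the date math on DateTime objects, so the result does not
rem depend on regional date formats. It prints one line: STATUS,DATE,DAYS.
set "PS=$u = Get-LocalUser -Name $env:AUDIT_USER -ErrorAction SilentlyContinue;"
set "PS=%PS% if (-not $u) { 'NOTFOUND,-,-' }"
set "PS=%PS% elseif (-not $u.PasswordLastSet) { 'NEVER,-,-' }"
set "PS=%PS% else { $d = ((Get-Date) - $u.PasswordLastSet).Days;"
set "PS=%PS% $s = if ($d -gt [int]$env:MAX_AGE_DAYS) { 'STALE' } else { 'OK' };"
set "PS=%PS% '{0},{1:yyyy-MM-dd},{2}' -f $s, $u.PasswordLastSet, $d }"

> "%REPORT%" echo Username,PasswordLastSet,AgeDays,Status

rem The account name reaches PowerShell through the AUDIT_USER environment
rem variable, never the command line, so text in users.txt is treated as data.
for /f "usebackq delims=" %%n in ("%USER_LIST%") do (
    set "AUDIT_USER=%%n"
    for /f "usebackq tokens=1-3 delims=," %%s in (`powershell -NoProfile -Command "%PS%"`) do (
        >> "%REPORT%" echo "%%n",%%t,%%u,%%s
        if /i not "%%s"=="OK" set /a FLAGGED+=1
    )
)

echo [DONE] %REPORT% written. Accounts needing review: %FLAGGED%
exit /b 0
```

Rows marked STALE, NEVER or NOTFOUND are the ones to follow up on; the ISO-style date column sorts correctly regardless of the machine's regional settings.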

User-Set vs. Admin-Set

Note that "Password last set" updates regardless of whether the User changed the password themselves or an Administrator reset it for them.

Conclusion

Getting the last password change date via Batch script is a critical competency for maintaining a professional and secure Windows infrastructure. By utilizing the net user command to programmatically extract these timestamps, you can ensure that your organization's authentication cycle is healthy and that users are adhering to modern security standards. This automated approach to account auditing reduces manual overhead, simplifies security compliance reports, and provides a clear, documented path for your user management and identity protection strategies across the entire Windows ecosystem.