Timestamps in Active Directory properties

Many AD properties that contain timestamps are in the FILETIME format, not Unix epoch time. Convert with:

PS H:\> $x = (Get-Date).ToFileTime() # instance method: DateTime -> FILETIME (Int64)
PS H:\> $x
PS H:\> [DateTime]::FromFileTime($x) # static method: FILETIME -> local DateTime
17 January, 2023 09:25:00


PowerShell ADUser objects have the LastLogonDate property, which is the LDAP attribute lastLogonTimestamp converted to a local DateTime. lastLogonTimestamp (and therefore LastLogonDate) is only updated when the previous authentication request occurred longer ago than the value of the attribute msDS-LogonTimeSyncInterval (default 14 days). LDAP lastLogon is updated immediately, but only on the domain controller that handled the logon; it is not replicated.

Similarly, badPasswordTime has the converted value LastBadPasswordAttempt, and badPwdCount has BadLogonCount. Neither is replicated.

pwdLastSet has PasswordLastSet. It is replicated. A value of 0, combined with userAccountControl not containing the flag UF_DONT_EXPIRE_PASSWORD, means the password is expired and must be set at next logon.
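
The rules above applied to raw attribute values, as an added example (not code from the original page): it converts FILETIME values, takes the newest per-DC lastLogon, allows for the msDS-LogonTimeSyncInterval lag when judging inactivity, and flags a forced password change. The function names, the sample account, the DC names and the 90-day threshold are assumptions made for illustration.

```powershell
# Added example: all sample values are constructed; no domain controller is queried.
$UF_DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag named above
$SyncIntervalDays = 14              # msDS-LogonTimeSyncInterval default stated above

function ConvertFrom-AdFileTime([Int64]$Value) {
    # 0 or empty means "no value"; FromFileTime(0) would otherwise yield a year-1601 date.
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-AdLogonSummary {
    param(
        [Parameter(Mandatory)] $Account,                   # raw LDAP attribute values
        [Parameter(Mandatory)] [hashtable] $LastLogonByDc, # DC name -> that DC's lastLogon
        [int] $InactiveDays = 90,                          # hypothetical threshold
        [DateTime] $Now = [DateTime]::UtcNow
    )
    # lastLogon is not replicated, so the real value is the newest one held by any DC.
    # Sort-Object keeps the values as Int64.
    $latestRaw  = [Int64]($LastLogonByDc.Values | Sort-Object -Descending | Select-Object -First 1)
    $replicated = ConvertFrom-AdFileTime $Account.lastLogonTimestamp
    # The real last logon can be up to $SyncIntervalDays newer than lastLogonTimestamp,
    # so require that slack to be exceeded too before calling the account inactive.
    # A missing lastLogonTimestamp is treated here as "no recorded logon".
    $inactive = ($null -eq $replicated) -or
                ($replicated.AddDays($SyncIntervalDays) -le $Now.AddDays(-$InactiveDays))
    # pwdLastSet = 0 without UF_DONT_EXPIRE_PASSWORD: password must be set at next logon.
    $mustChange = ([Int64]$Account.pwdLastSet -eq 0) -and
                  -not ($Account.userAccountControl -band $UF_DONT_EXPIRE_PASSWORD)
    [pscustomobject]@{
        Name               = $Account.sAMAccountName
        LastLogonDate      = $replicated                  # replicated, coarse (UTC)
        LatestLastLogon    = ConvertFrom-AdFileTime $latestRaw  # precise, per-DC (UTC)
        Inactive           = $inactive
        MustChangePassword = $mustChange
    }
}

# Constructed sample: FILETIME values are built from readable UTC dates.
function New-SampleFileTime([string]$Utc) { ([DateTime]$Utc).ToFileTimeUtc() }
$account = [pscustomobject]@{
    sAMAccountName     = 'svc-example'
    lastLogonTimestamp = New-SampleFileTime '2023-01-03T08:00:00Z'
    pwdLastSet         = [Int64]0
    userAccountControl = 0x200   # UF_NORMAL_ACCOUNT only
}
$perDc = @{ 'dc01' = New-SampleFileTime '2023-01-15T07:30:00Z'; 'dc02' = [Int64]0 }
$now   = ([DateTime]'2023-01-17T09:25:00Z').ToUniversalTime()
Get-AdLogonSummary -Account $account -LastLogonByDc $perDc -Now $now
```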
