Find Active Directory Administrators with Old Passwords

In this tutorial, you will learn how to find administrator accounts that have a password older than 180 days.

This report will check the members of the following groups.

  • Administrators
  • Domain Admins
  • Enterprise Admins
  • Schema Admins

Step 1. Click on Reports -> Security

Step 2. Run the Admins with old Passwords Report.

The report will show you the user’s displayname, lastlogontimestamp, password last set date, state, and the group.

In the above example, you can see the user “Carl Holmes” is a member of the Enterprise Admins group and the password has not been changed in over 180 days. The account has also never been logged on.
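The same check can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the toolkit or the original tutorial. It assumes the RSAT ActiveDirectory module is installed, that all group members live in the current domain, and the variable names are illustrative.

```powershell
# Added example: lists privileged accounts whose password is older than 180 days.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays = 180                                   # threshold used by the report
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)
$Groups     = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$Findings = foreach ($Group in $Groups) {
    try {
        # -Recursive expands nested groups, so indirect members are included.
        # A Domain Admins member will therefore also appear under Administrators.
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    }
    catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Could not read group '$Group': $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
                    -Properties DisplayName, PasswordLastSet, LastLogonDate

        # PasswordLastSet is $null when pwdLastSet is 0 (password never set or
        # flagged "must change at next logon"); report those accounts as well.
        if ($null -eq $User.PasswordLastSet -or $User.PasswordLastSet -lt $Cutoff) {
            [pscustomobject]@{
                DisplayName     = $User.DisplayName
                SamAccountName  = $User.SamAccountName
                # LastLogonDate is derived from lastLogonTimestamp; empty = never logged on.
                LastLogon       = $User.LastLogonDate
                PasswordLastSet = $User.PasswordLastSet
                Enabled         = $User.Enabled
                Group           = $Group
            }
        }
    }
}

$Findings | Sort-Object Group, PasswordLastSet | Format-Table -AutoSize
```

Rows with an empty LastLogon and an old PasswordLastSet correspond to accounts like the one in the report example: privileged, stale, and never used.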

Recommendations:

  • Ensure privileged account passwords are changed regularly.
  • Run this report once a month to identify administrators with old passwords.
  • Accounts with old passwords are vulnerable to password spraying attacks. Audit Active Directory for these types of attacks.

The AD Pro Toolkit simplifies Active Directory management and saves hours of manual work.