Reset an AD Users Password Expiry Date

KB ID 0001272


I was setting up a Cisco ASA this week and needed to enable the ability for users to reset their domain passwords when they are about to expire. To actually test that, I needed a test user that had their password either about to expire, or actually expired. As I dint want to wait 42 days, or setup a password policy just for one user, I needed to find a ‘quick and dirty’ fix for one user.


You need to open Active Directory Users and Computers, and you need to have ‘Advanced options’ enabled. Locate your user and open their properties > Attribute Editor > Attributes > pwdLastSet.

Change AD User Password Expiry

If you want to set it to expired, then set its value to Zero.

Edit pwdLastSet

It should change to <never>, which is not strictly true, it actually changes to 12:00AM January 1st 1601.

Set password to Expired

Note: If you set its value to -1 and apply the change it resets the attribute to the current day and time (you may need to close and reopen the property dialog to see the change).

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. Does there any powershell script exist to do this, or an easy tool which we could give to low level admins?

    Post a Reply
    • I’ve not done it. but experiment with GET-ADUser -Identity {username} -PasswordLastSet and Set-ADUser


      Post a Reply
      • $User = Get-ADUser username -properties pwdlastset
        $User.pwdlastset = 0
        Set-ADUser -Instance $User
        $user.pwdlastset = -1
        Set-ADUser -instance $User

        Post a Reply
        • Thank you, that worked as a charm!

          Post a Reply
        • + there is:

          $User = “YourSAMAccount”
          Set-ADUser -Identity $User -Replace @{pwdlastset=”0″}
          Set-ADUser -Identity $User -Replace @{pwdlastset=”-1″}

          Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *