When a user object and password are restored into Active Directory using Active Administrator, the attribute 'pwdLastSet' continues to show the most current date that the password was last updated.
For instance: a deleted User object and password are restored from a backup made 90 days ago. However, when the attributes of the User object are opened in ADSI Edit, or Advanced View in Active Directory Users and Computers, the attribute that tracks when the password was last changed still shows the password as being reset in the last few days.
The password was indeed last changed on the current date indicated in the attribute in LDAP. The attribute 'pwdLastSet' in Active Directory is used globally for group policies in the domain. It is not connected to the actual date value when the restored password was created.
For instance, if the domain password policy requires passwords to change every 90 days and an object older than 90 days were restored with its original 'pwdLastSet' value, the password would already be 'expired' and the user would not be able to log in.
No action is required from the user. This is expected behavior.
It is important to know that, when the user object from X number of days ago is restored, the password from 90 days ago is also restored and will work.
The 'pwdLastSet' attribute will still trigger a password reset request on the correct number of days since the user last reset the password.
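To check this behavior on an exported attribute value, the following added example (not Quest's code) converts a raw 'pwdLastSet' value to a date and evaluates it against a 90-day maximum password age. The function names, the sample dates, and the default userAccountControl value are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag: password never expires


def filetime_to_datetime(ticks):
    """Convert a raw pwdLastSet value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_status(pwd_last_set, now, max_age_days=90, uac=0x200):
    """Return (state, expiry) for one account under a maximum password age.

    uac defaults to 0x200 (NORMAL_ACCOUNT); max_age_days=0 means no expiry.
    """
    if uac & DONT_EXPIRE_PASSWD or max_age_days == 0:
        return ("never-expires", None)
    if pwd_last_set == 0:
        # A value of 0 means the user must change the password at next logon.
        return ("must-change-at-next-logon", None)
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return ("expired" if now >= expires else "valid", expires)


# Constructed scenario: password first set 120 days ago, object restored 2 days ago.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ORIGINAL_SET = datetime_to_filetime(NOW - timedelta(days=120))
RESTORE_STAMP = datetime_to_filetime(NOW - timedelta(days=2))

if __name__ == "__main__":
    # If the restore kept the original date, the account would be locked out
    # by the 90-day policy; with the restore-time stamp it stays usable.
    for label, value in (("original date", ORIGINAL_SET), ("restore date", RESTORE_STAMP)):
        state, expires = password_status(value, NOW)
        print(f"{label:14} pwdLastSet={value} -> {state}, expires {expires}")
```

The restore-time value gives the user a full policy window from the restore, while the same password carrying its original timestamp would be rejected as expired.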