You don't need a tool, just do an LDAP query for pwdLastSet. I would use adfind as it will decode the timestamps, dump to a CSV and massage in Excel.
Something along the lines of -

ADFIND -default -f "(&(objectCategory=person)(objectClass=user))" pwdLastSet -tdc -csv

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, June 15, 2010 4:30 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott <mailvor...@gmail.com> wrote:
> ... from "No password expiration" to "X days" ...
> ... 8-year-expired password before ...

Thank you, everyone, for your informative and helpful responses!

I think what I'll do is configure the password complexity requirements first, and then (as suggested) send broadcast email instructing people to change their password. They'll have to pick a strong password then. Things keep working in the meantime.

Then I'll use the ALOINFO tool (http://tinyurl.com/5n66v) to generate a report on password ages. With that, I can harass anyone who hasn't changed their password in a timely fashion.

I found the ALOINFO tool while looking for the ACCTINFO.DLL. The latter also looks to be very useful, but more for single-user investigations. Reporting would require GUI clicking on each user; not practical in even a 70 user organization.

Thanks again!

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
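
The "dump to a CSV and massage" step from the reply at the top of this thread can also be scripted. The following is an added example, not part of either message: it assumes a CSV export with columns named dn and pwdLastSet that holds the raw (undecoded) attribute values, and the 90-day threshold, sample rows and function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Return the UTC datetime for a raw pwdLastSet value, or None for 0/empty."""
    ticks = int(raw or 0)
    if ticks <= 0:
        # 0 means the password was never set or must change at next logon.
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_passwords(csv_text, max_age_days, now):
    """Return (dn, age_days) for passwords older than max_age_days.

    Accounts whose pwdLastSet is 0 are reported with age_days None and
    listed first; the rest follow, oldest password first.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        changed = filetime_to_datetime((rec.get("pwdLastSet") or "").strip())
        if changed is None:
            rows.append((rec["dn"], None))
            continue
        age = (now - changed).days
        if age > max_age_days:
            rows.append((rec["dn"], age))
    rows.sort(key=lambda r: (r[1] is not None, -(r[1] or 0)))
    return rows


# Constructed sample export (hypothetical accounts, column names assumed).
SAMPLE = '''"dn","pwdLastSet"
"CN=Alice,OU=Staff,DC=example,DC=com","129198240000000000"
"CN=Bob,OU=Staff,DC=example,DC=com","126685728000000000"
"CN=Carol,OU=Staff,DC=example,DC=com","0"
'''

if __name__ == "__main__":
    report_time = datetime(2010, 6, 15, tzinfo=timezone.utc)  # constructed "now"
    for dn, age in stale_passwords(SAMPLE, 90, report_time):
        print(dn, "never set / must change" if age is None else f"{age} days")
```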