diff --git a/phpgwapi/inc/class.accounts_ldap.inc.php b/phpgwapi/inc/class.accounts_ldap.inc.php
index 0897db9ae9..0d9f1599ea 100644
--- a/phpgwapi/inc/class.accounts_ldap.inc.php
+++ b/phpgwapi/inc/class.accounts_ldap.inc.php
@@ -488,7 +488,7 @@ class accounts_ldap
 			// shadowexpire is in days since 1970/01/01 (equivalent to a timestamp (int UTC!) / (24*60*60)
 			'account_status'    => isset($data['shadowexpire']) && $data['shadowexpire'][0]*24*3600+$utc_diff < time() ? false : 'A',
 			'account_expires'   => isset($data['shadowexpire']) && $data['shadowexpire'][0] ? $data['shadowexpire'][0]*24*3600+$utc_diff : -1, // LDAP date is in UTC
-			'account_lastpasswd_change' => isset($data['shadowlastchange']) ? $data['shadowlastchange'][0]*24*3600 : null,
+			'account_lastpasswd_change' => isset($data['shadowlastchange']) ? $data['shadowlastchange'][0]*24*3600+$utc_diff : null,
 			// lastlogin and lastlogin from are not availible via the shadowAccount object class
 			// 'account_lastlogin' => $data['phpgwaccountlastlogin'][0],
 			// 'account_lastloginfrom' => $data['phpgwaccountlastloginfrom'][0],
@@ -548,6 +548,7 @@ class accounts_ldap
 		}
 		$to_write['cn']        = $data['account_fullname'] ? $data['account_fullname'] : $data['account_firstname'].' '.$data['account_lastname'];
 
+		$utc_diff = date('Z');
 		if (isset($data['account_passwd']) && $data['account_passwd'])
 		{
 			if (!preg_match('/^\\{[a-z5]{3,5}\\}.+/i',$data['account_passwd']))	// if it's not already entcrypted, do so now
@@ -555,13 +556,13 @@ class accounts_ldap
 				$data['account_passwd'] = auth::encrypt_ldap($data['account_passwd']);
 			}
 			$to_write['userpassword'] = $data['account_passwd'];
+			$to_write['shadowLastChange'] = (time()-$utc_diff) / (24*3600);
 		}
 		// both status and expires are encoded in the single shadowexpire value in LDAP
 		// - if it's unset an account is enabled AND does never expire
 		// - if it's set to 0, the account is disabled
 		// - if it's set to > 0, it will or already has expired --> acount is active if it not yet expired
 		// shadowexpire is in days since 1970/01/01 (equivalent to a timestamp (int UTC!) / (24*60*60)
-		$utc_diff = date('Z');
 		$shadowexpire = ($data['account_expires']-$utc_diff) / (24*3600);
 		$account_expire = $shadowexpire*3600*24+$utc_diff;
 		//echo "<p align=right>account_expires=".date('Y-m-d H:i',$data['account_expires'])." --> $shadowexpire --> ".date('Y-m-d H:i',$account_expire)."</p>\n";
@@ -714,7 +715,7 @@ class accounts_ldap
 				$relevantAccounts = is_numeric($start) ? array_slice(array_keys($fullSet), $start, $offset) : array_keys($fullSet);
 				// if we do not have a start, or want the members of a certain group, we want all, that way we dont want to or the uids
 				// since if we have a whole lot of members, it slows the query down
-				// if you work with very big groups, it may present a problem 
+				// if you work with very big groups, it may present a problem
 				if (is_numeric($start) || is_numeric($param['type'])) {
 					$filter = "(" . "&(objectclass=posixaccount)" . '(|(uid='.implode(')(uid=',$relevantAccounts).'))' . $this->account_filter . ")";
 				} else {
diff --git a/phpgwapi/inc/class.accounts_sql.inc.php b/phpgwapi/inc/class.accounts_sql.inc.php
index 5f506346e3..ac8ccadfe5 100644
--- a/phpgwapi/inc/class.accounts_sql.inc.php
+++ b/phpgwapi/inc/class.accounts_sql.inc.php
@@ -167,6 +167,7 @@ class accounts_sql
 				$data['account_passwd'] = $GLOBALS['egw']->auth->encrypt_sql($data['account_passwd']);
 			}
 			$to_write['account_pwd'] = $data['account_passwd'];
+			$to_write['account_lastpwd_change'] = time();
 		}
 		if (!(int)$data['account_id'] || !$this->id2name($data['account_id']))
 		{
diff --git a/phpgwapi/inc/class.auth_ldap.inc.php b/phpgwapi/inc/class.auth_ldap.inc.php
index cc02c0b33c..70410fa2bd 100644
--- a/phpgwapi/inc/class.auth_ldap.inc.php
+++ b/phpgwapi/inc/class.auth_ldap.inc.php
@@ -1,10 +1,10 @@
 <?php
 /**
  * eGroupWare API - LDAP Authentication
- * 
+ *
  * @link http://www.egroupware.org
  * @author Lars Kneschke <lkneschke@linux-at-work.de>
- * @author Joseph Engo <jengo@phpgroupware.org> 
+ * @author Joseph Engo <jengo@phpgroupware.org>
  * Copyright (C) 2000, 2001 Joseph Engo
  * Copyright (C) 2002, 2003 Lars Kneschke
   * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
@@ -107,9 +107,9 @@ class auth_
 	/**
 	 * changes password in LDAP
 	 *
-	 * If $old_passwd is given, the password change is done binded as user and NOT with the 
+	 * If $old_passwd is given, the password change is done binded as user and NOT with the
 	 * "root" dn given in the configurations.
-	 * 
+	 *
 	 * @param string $old_passwd must be cleartext or empty to not to be checked
 	 * @param string $new_passwd must be cleartext
 	 * @param int $account_id account id of user whose passwd should be changed
@@ -134,8 +134,10 @@ class auth_
 		$ds = $GLOBALS['egw']->common->ldapConnect();
 		$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
 		$allValues = ldap_get_entries($ds, $sri);
-		
+
 		$entry['userpassword'] = auth::encrypt_password($new_passwd);
+		$entry['shadowLastChange'] = (time()-date('Z')) / (24*3600);
+
 		$dn = $allValues[0]['dn'];
 
 		if($old_passwd)	// if old password given (not called by admin) --> bind as that user to change the pw