Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-07-20) Notifying Users By E-mail Their Password Is Going To Expire

Posted by Jorge on 2008-07-20


By default, Windows has a mechanism to notify a user when the password is going to expire. Windows starts notifying the user 14 days before the password actually expires and must be changed. The default value is effective when no other value has been configured in a GPO in AD. If you want to configure a value in a GPO, you can do so using the GPO setting shown in the picture below, or go to this link. Any GPO can be used (it does not need to be the Default Domain GPO or the Default Domain Controllers GPO), as long as it is targeted at the set of AD clients that should honor that specific setting. In other words, you could have a GPO targeting client computers in EMEA to notify users that log on to those computers 10 days before their password expires, and another GPO targeting client computers in APAC to notify users that log on to those computers 20 days before their password expires.

image

When the user logs on to the client computer, a notification like the one in the picture below is shown.

image

However, this setting only applies to interactive logons or TS logons at AD clients (workstations, servers, DCs). It does not apply to other types of logons. In addition, OWA may notify you, when you use it, that your password will expire. There are, however, many other scenarios in which it is useful to notify a user that the password is going to expire. One of them is a consultant working for a client. The consultant uses his own computer, which is not a member of the client's AD. The consultant does, however, have a user account in the client's AD (which is also mailbox-enabled), and from time to time the password must be changed according to the password policy. So, how are you going to notify that user to change the password before it suddenly expires? One way is to use a mechanism that e-mails the user with instructions. However, that mechanism does not exist by default in AD. You either need to buy something or create something yourself. Another way is to use the tool/script that I provide in this post as an attachment.

The tool ‘ADPwdExpNotify.exe’ uses an INI file ‘ADPwdExpNotify.ini’ that needs to be configured before you use the tool in your environment. Environment-specific information must be provided, such as the AD domain name, FQDN of the DC, FQDN of the mail server, etc. In addition, you can configure the tool to log actions to a log file and to create a CSV of the accounts for which a notification is generated. An interesting feature is that the tool can run in either TEST mode or PROD mode. In TEST mode, 1 recipient will receive all notifications by e-mail for all users for which the tool determined a notification must be generated. In PROD mode, EACH recipient will receive a notification by e-mail. This way you can test the tool for as long as you feel is required. After that you just change the MODE from TEST to PROD in the INI file and the users will start to get their notifications by e-mail if their password is about to expire (taking into account the notification period that has been configured in the INI file).
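The selection and routing logic described above, sketched as an added example; it is not the tool's source code, which this post does not include. It assumes a single domain-wide `maxPwdAge`, and the account names, addresses and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl: password never expires
TICKS_PER_DAY = 86400 * 10_000_000  # AD stores times in 100-ns ticks

def password_expiry(user, max_pwd_age):
    """Return the expiry time (UTC), or None when no notification applies."""
    if user["userAccountControl"] & (UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD):
        return None
    if max_pwd_age == 0 or user["pwdLastSet"] == 0:
        return None  # no maximum age, or a change is already forced at logon
    # maxPwdAge is a negative tick count, so subtracting it adds the age.
    ticks = user["pwdLastSet"] - max_pwd_age
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def plan_notifications(users, max_pwd_age, notify_days, mode, test_rcpt, now):
    """Return (recipient, account, days_left) for every mail that would go out."""
    if mode not in ("TEST", "PROD"):
        raise ValueError("mode must be TEST or PROD")
    plan = []
    for user in users:
        expiry = password_expiry(user, max_pwd_age)
        if expiry is None:
            continue
        days_left = (expiry - now).days
        if not 0 <= days_left <= notify_days:
            continue  # outside the notification period, or already expired
        # TEST: everything goes to one mailbox. PROD: to the user's own.
        rcpt = test_rcpt if mode == "TEST" else user.get("mail")
        if rcpt:  # in PROD an account without a mail address is skipped
            plan.append((rcpt, user["sAMAccountName"], days_left))
    return plan

# Constructed sample data (not from the post): 42-day maximum password age.
NOW = datetime(2008, 7, 20, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * TICKS_PER_DAY

def make_user(name, age_days, uac=0x200, mail=True):
    """Build a sample account whose password was set age_days ago (None = 0)."""
    today = (NOW - FILETIME_EPOCH).days
    last_set = 0 if age_days is None else (today - age_days) * TICKS_PER_DAY
    return {"sAMAccountName": name, "pwdLastSet": last_set,
            "userAccountControl": uac,
            "mail": f"{name}@example.test" if mail else None}

USERS = [make_user("alice", 35), make_user("bob", 5),
         make_user("carol", 40, uac=0x10200), make_user("dave", None),
         make_user("erin", 38, mail=False), make_user("frank", 50)]
```

With a 10-day notification period, TEST mode lists alice and erin against the single test mailbox, while PROD mode lists only alice, because erin has no mail address.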

You need to have an account in AD that is mailbox-enabled so that it is accepted as a sender. My suggestion would be to execute the tool using a scheduled task. For the credentials you can use a normal user account without ANY special permissions. However, if something goes wrong, an event is written to the System Event Log, and for that the account must have permissions to write to the System Event Log. If you use a monitoring tool, you could monitor for these events to see if the tool is working as it should.

Below you see the output to a log file and to the screen when logging has been enabled in the INI file.

image

image

Below you see the creation of a CSV file when it has been enabled in the INI file.

Below you see an example of the e-mail notification a user will get. The user can then use CTRL+ALT+DEL to change the password in the AD domain or use the password change screen in OWA. The INI file contains example links for the OWA Password Change URL in E2K3 and E2K7.

image

Disclaimer for using this tool/script:

  • The tool/script is freeware.
  • This tool/script is furnished "AS IS". No warranty is expressed or implied!
  • Always test first in lab environment to see if it meets your needs!
  • Don’t expect to get support for this tool. If I have time I will see what I can do, otherwise you are out of luck.
  • Use this tool/script at your own risk!
  • I have tested this tool/script for W2K3 AD and W2K8 AD, but I have not tested it for ALL possible scenarios and configurations. So, make sure to test it FIRST in a test environment before going to production!
  • I do not warrant this tool/script to be fit for any purpose, use or environment
  • I do not guarantee the tool/script does not have bugs
  • I do not guarantee the tool/script will not damage or destroy your system(s), environment or whatever.
  • I do not accept liability in any way if you screw up, use the tool/script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script and delete it immediately!

Get the tool from HERE

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

26 Responses to “(2008-07-20) Notifying Users By E-mail Their Password Is Going To Expire”

  1. tomek said

    Great work Jorge … I think some people will find this script very handy🙂

  2. This is the excellent tool, thanks for that.
    But… I have a question, why you didn’t leave a mail as configurable external file? I have users which don’t know their own language not to mention English
    Thanks once again

  3. Jorge said

    Yeah, you are right. The text for the mail should be outside the tool to be able to customize it. This is the very first version of it. If I have more time I might change it. At this moment I’m packed with other things. Sorry.

  4. Great work Jorge ! This is extremely useful and timely.
    Would you mind publishing source code as well ? I’m going to deploy it in my production, but need to customize email notification.

  5. Dear Jorge,

    I need a simple modification please help. I want to change the end note “Your Network Administrator” to some other note. Please help me on this urgently since I want to make this live when this is changed.

  6. Dear Jorge,

    I need a simple modification please help. I want to change the end note “Your Network Administrator” to some other note. Please help me on this urgently since I want to make this live when this is changed. mail me on azeem.patel@gmail.com

  7. Jorge said

    Thanks for using this tool. In the future I will see if I can find time to make it possible to change the mail text. Unfortunately at this moment I have other priorities that I need to/must take care of.

  8. Cool util. In my organisation, we create user accounts for temporary staff with pre-defined expiry date. Could this utility be modified to send an email to the users with accounts due to expire. This would suggest they ask their managers to request an extension. Andy.

  9. This is awesome, just wanted to inquire if we can modify the mail text at this point. Tested this in a test environment and it works great, we need to go live and need to change the email notification. Thank you

  10. Has there been any progress in creating a version with a custom email message?

  11. It no worky. I get the CSV file but no emails are sent. I’ve checked the authentication and everything appears to be correct.

    Jorge… why not release the source? It’s obvious you’re busy with other things.

  12. Steve123 said

    This is very helpful, but for anyone looking for something even simpler, I recommend NetWrix Corporation’s free Password Expiration Notifier. I’m a product manager at NetWrix, and the tool does exactly what everyone here seems to be looking for. It sends out automated reports to all users with passwords set to expire in a certain amount of days, reminding them that it’s time to make the switch.

    Stephen Schimmel
    NetWrix Corporation
    http://www.netwrix.com/password_expiration_notifier_freeware.html

  13. Had tried the script, it is very good but am not able to receive email notification. Am using Exchange 2007.
    Thanks in Advance

  14. […] Below, I will explain the logic of what the script should do according to my opinion. A free unsupported tool that can do just the mailing part can be found here. […]

  15. Konos said

    +1 on not being able to get mail out. Even added my PC (where I’m testing from) to the Exchange relay thinking that might be the problem.

    Running 2008 R2
    Exchange 2003

    Too bad as it’s a very simple tool to configure/use otherwise.

  16. dhel said

    Will this work in AD 2k3 and Exchange 2010?

    • dhel said

      Unfortunately, I couldn’t make it work. Please, please help. I’m using AD 2k3 and Exchange 2010. Can this script support this system?

  17. ray said

    this works great — thanks!!

    is there a way we can edit the outgoing email? our policy is to not have users click links in emails, especially to go change a password so we would like to edit that part (and some of the other info)

    cheers —

    //ray

    • Henry Sam said

      Hi Ray,

      Would you please post example for SMTP setting?
      I can get CSV but cannot get notify email.

      Thanks in advance.

      Henry

  18. Anyone else able to get this working on Exchange 2010? Like the others who commented I get the csv but no emails are sent.

  19. […] through e-mail when their password was going to expire. You can read all the details about the idea here. Now that tool was very inflexible and because of that I received numerous requests to make it more […]

