First published on TechNet on May 04, 2015
"Hello World!"
Hi there! Mike Kullish, here. I'm a PFE based out of Minneapolis, MN with a focus on AD, Hyper-V and DFS but I try to help customers with anything on the Windows Desktop and/or Server platforms. I have been with Microsoft for nearly three years and this is my first blog post.
Have you ever needed to configure notifications for users' password expirations but found that the existing solutions didn't quite fit the bill? We all know you can use the built-in solutions in Windows and Active Directory/Group Policy, but those require users to log on interactively to a computer on the corporate network. What about BYOD or mobile users, or users who only touch web apps or email? More often than not, these users end up calling the helpdesk because they had no idea their domain passwords were about to expire. Statistics show that password-related calls are among the most common calls to the helpdesk, so implementing a process like the one covered here could really make a dent in your helpdesk call volume and costs.
Recently, a customer asked for some help implementing a solution for this issue based on a script they'd found on the Microsoft TechNet Script Center. The script queries the pwdLastSet attribute of user accounts in AD and the MaxPwdAge property within the domain, then does some time computations and sends an email to those users who are near a password expiration 'event.'
I thought it would make a helpful blog post to cover some of the details and considerations when implementing a solution like this. The particular script my customer found was the work of Microsoft MVP Robert Pearman, and he deserves the kudos for initially putting it together, as well as for several refinements to it (including support for Fine Grained Password Policies).
DISCLAIMER:
You can download the script from the following link: https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27
Click on the blue box and save the file to a workstation or member server. Obviously, a DC would work but likely isn't the best choice. The workstation or member server needs the RSAT tools for Active Directory installed. If you already have an "admin server" system where you have existing scripts, tools, Scheduled Tasks, etc., that would be a logical place for this.
Once you have downloaded the script:
From: someone@company.com [mailto:someone@company.com]
Sent: Thursday, March 23, 2015 12:52 PM
To: Someone@company.com
Subject: Your Windows password will expire in 4 days.
Importance: High
Dear someone,
Your corporate network password will expire in 4 days.
To change your password on a PC press CTRL-ALT-Delete and choose "Change Password."
Now, at some pre-determined time, you or one of your staff can execute the script to generate the 'password expiry notification email' to the affected users.
For those who don't want to manually run the script, it's a simple process to create a Scheduled Task to run the script automatically.
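To make the mechanism described above concrete, here is an added example (my own illustration, not Robert Pearman's Script Center script) that computes days-to-expiry from PasswordLastSet plus the effective MaxPasswordAge (honouring a Fine Grained Password Policy where one applies) and sends the notification. The SMTP relay name, sender address and warning window are assumptions; it needs the ActiveDirectory RSAT module and defaults to a dry run.

```powershell
# Added example, not the Script Center script. Assumed values: smtp.example.com,
# passwords@example.com and a 7-day warning window. Run on a member server with RSAT.
Import-Module ActiveDirectory

$WarnDays   = 7
$SmtpServer = 'smtp.example.com'      # assumed relay
$From       = 'passwords@example.com' # assumed sender
$DryRun     = $true                   # set to $false to actually send mail

# Domain-wide maximum password age (a TimeSpan; 00:00:00 means "never expires").
$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# Enabled accounts whose password is allowed to expire.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet, EmailAddress, GivenName

foreach ($u in $users) {
    # No mailbox to notify, or pwdLastSet is 0 (must change at next logon): skip.
    if ([string]::IsNullOrEmpty($u.EmailAddress) -or -not $u.PasswordLastSet) { continue }

    # A resultant PSO (Fine Grained Password Policy) overrides the domain default.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $u
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $defaultMaxAge }
    if ($maxAge -le [TimeSpan]::Zero) { continue }   # effective policy: never expires

    $expires  = $u.PasswordLastSet + $maxAge
    $daysLeft = [math]::Ceiling(($expires - (Get-Date)).TotalDays)

    # Only warn inside the window; already-expired accounts are a helpdesk matter.
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }

    $subject = "Your Windows password will expire in $daysLeft days."
    $body = @"
Dear $($u.GivenName),

Your corporate network password will expire in $daysLeft days.
To change your password on a PC press CTRL-ALT-Delete and choose "Change Password."
"@

    if ($DryRun) {
        Write-Host "Would notify $($u.SamAccountName) <$($u.EmailAddress)>: $daysLeft day(s) left"
    } else {
        Send-MailMessage -To $u.EmailAddress -From $From -Subject $subject -Body $body `
            -SmtpServer $SmtpServer -Priority High
    }
}
```

Run it once with $DryRun left at $true and compare the output against a few accounts by hand before scheduling it; that catches a wrong MaxPasswordAge or a PSO you forgot about without sending anyone a misleading email.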
There are numerous other ways to address this need; I have talked to many people who have developed their own processes, scripts and/or code for this. This particular process was pretty easy to implement and I was able to work with my customer to get the whole thing working in a short amount of time.
Thanks to Hilde and all the other PFE bloggers here for helping me "dip a toe" in the blog-pond (or pool?) and a special thanks to Microsoft MVP Robert Pearman who provided some insight and details around his script.
See you all next time!
Mike "CANNONBALL!" Kullish