Automate password change notification through email – How to??
Have you ever wondered how users can be informed that their login password will expire soon, so that they are warned to change it in time? The advance warning gives users sufficient time to act. Read along! Windows has a built-in mechanism to notify a user that their password will expire soon.
By default, Windows notifies the user 14 days before the password expires, asking them to change it. The default value takes effect only if no other value has been configured through Group Policy in Active Directory. This can be checked by following the steps below:
1. Click on Start-> Run-> gpedit.msc to open the Group Policy Object Editor window
2. Expand Computer Configuration-> Windows Settings-> Security Settings-> Local Policies-> Security Options
3. On the right hand side of the screen, you can see the Policy named:
Interactive Logon: Prompt user to change password before expiration
4. The default value is set to 14 days and can be modified by going to the Properties of this policy as indicated below.
5. The Tab “Explain this setting” will have details indicated below:
6. Once the policy is applied successfully, the following prompt appears when a user logs on to the machine:
7. You could also have a GPO for a particular set of client computers that notifies users who log on to those computers 10 days before their password expires, and another GPO for a different set of client computers that notifies users who log on to those computers 20 days before their password expires.
8. However, this setting only applies to interactive logons at Active Directory clients such as workstations, servers and Domain Controllers. It does not apply to other types of logon.
9. There may be different scenarios wherein a user with his/her account in Domain A is working for Domain B. Let us suppose that the user uses his own computer, which is not a member of Domain A.
In this case, you can configure Outlook Web Access to receive emails notifying the user that his/her password will expire soon. However, this is not present in AD by default.
10. One way to create the same is by running the tool ‘ADPwdExpNotify.exe’, which reads an INI file ‘ADPwdExpNotify.ini’ that must first be filled in for the environment before the tool is run.
Environment information must be provided, such as the AD domain name, the FQDN of a DC, the FQDN of the mail server, etc.
11. The script can also be configured to log actions to a log file and create a CSV for the accounts for which a notification has been generated.
12. Another interesting feature of this tool is that it is possible to run the tool in either a TEST mode or Production (PROD) mode.
Test Mode: Only 1 recipient will receive all notifications by e-mail for all users for which the script determines that a notification must be generated.
PROD mode: In this mode, each recipient will receive a notification by e-mail.
You must have an account with a mailbox in the Active Directory that is accepted as a sender in order to send the mail. The account can be a normal account with no special permissions.
13. If any issue occurs along the way, an event is written to the System Event Log. Note that the account requires permission to write to the event log for this to work.
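As an added example (not the ADPwdExpNotify tool's own code), the Python below shows the core decision such a script makes: it derives each account's expiry date from pwdLastSet and the domain's maxPwdAge, keeps the accounts inside the warning window, and routes all mails to one recipient in TEST mode versus each user in PROD mode. The domain policy, account records and addresses are constructed inline; a real run would read them from AD over LDAP and hand the messages to an SMTP sender.

```python
"""Pick AD accounts that need a password-expiry warning and route the mails
TEST- or PROD-style. Added example, not ADPwdExpNotify's code; sample data is constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag

def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Exact integer conversion (floats lose precision on ~1e17-sized ticks)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def accounts_to_notify(accounts, max_pwd_age_ft, now, warn_days=14):
    """Return (sAMAccountName, mail, whole days left) for passwords expiring within
    warn_days. maxPwdAge is stored as a negative FILETIME interval. Skips 'never
    expires' accounts and pwdLastSet == 0 (must change at next logon); no warning
    for already-expired passwords."""
    hits = []
    for a in accounts:
        if a["userAccountControl"] & DONT_EXPIRE_PASSWORD or a["pwdLastSet"] == 0:
            continue
        expires = filetime_to_datetime(a["pwdLastSet"]) + timedelta(
            microseconds=abs(max_pwd_age_ft) // 10)
        days_left = (expires - now).total_seconds() / 86400
        if 0 <= days_left <= warn_days:
            hits.append((a["sAMAccountName"], a["mail"], int(days_left)))
    return hits

def build_messages(hits, mode, test_recipient):
    """TEST: every notification goes to test_recipient; PROD: to each user's mailbox."""
    return [{"to": test_recipient if mode == "TEST" else mail,
             "subject": f"Password for {sam} expires in {days} day(s)"}
            for sam, mail, days in hits]

# Constructed sample: hypothetical domain with a 42-day maximum password age.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_FT = -42 * 86400 * 10_000_000
def _set(days_ago):  # pwdLastSet for a password changed days_ago before NOW
    return datetime_to_filetime(NOW - timedelta(days=days_ago))
SAMPLE_ACCOUNTS = [  # 0x200 = NORMAL_ACCOUNT, 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE
    {"sAMAccountName": "alice", "mail": "alice@example.com", "pwdLastSet": _set(30), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "pwdLastSet": _set(10), "userAccountControl": 0x200},
    {"sAMAccountName": "svc", "mail": "svc@example.com", "pwdLastSet": _set(400), "userAccountControl": 0x10200},
    {"sAMAccountName": "dave", "mail": "dave@example.com", "pwdLastSet": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "erin", "mail": "erin@example.com", "pwdLastSet": _set(50), "userAccountControl": 0x200},
]
```

With the sample data only alice (12 days left) is selected: bob is outside the window, svc never expires, dave must change at next logon and erin has already expired. Calling `build_messages(accounts_to_notify(SAMPLE_ACCOUNTS, MAX_PWD_AGE_FT, NOW), "TEST", "admin@example.com")` addresses that single mail to the test recipient instead of alice.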
Team @ MSEXchangeGuru