MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Automate password change notification through email – How to??

Have you ever wondered how users can be informed that their Login password will expire soon and hence, warn them to change the same immediately? The advance warning will provide users with sufficient time to act.. Read along !!! Windows has an in-built mechanism to notify a user that their password will expire soon.

By default, Windows will notify the user 14days before the password expires informing them to change the same. The default value will take effect only if no other value has been configured as Group Policy in Active Directory. This can be checked by following the steps below:  

  1. Click on Start-> Run-> gpedit.msc to open Group Policy Object Editor window
  2. Expand Computer Configuration-> Windows Settings-> Security Settings-> Local Policies-> Security Options

3. On the right hand side of the screen, you can see the Policy named as:

Interactive Logon: Prompt user to change password before expiration

 

4. The default value will be set to 14 days and the same can be modified by going to the Properties o0f this policy as indicated belowThe Tab “Explain this setting” will have details indicated below:

5. The Tab “Explain this setting” will have details indicated below:

6. Once the policy is applied successfully, the following prompt appears when a user logs on to the machine:

7. You could also have a GPO for a particular set of client computers to notify users that logon to those computers 10 days before their password expires and another GPO for another set of client computers to notify users that logon to those computers 20 days before their password expires.

8. However, this setting only applies to interactive logons at Active Directory clients like workstations, servers and Domain Controllers. It does not apply to other type of logons.

9. There may be different scenarios wherein a user with his/her account in Domain A is working for Domain B. Let us suppose that the user uses his own computer that is not a member of Domain A.

In this case, you can configure Outlook Web Access to receive emails notifying the user that his/her our password will expire soon. However, this is not present in AD by default.

10. One way to create the same is by running the tool ‘ADPwdExpNotify.exe’ which uses an INI file ‘ADPwdExpNotify.ini’ that should be first run in the environment before running the tool.

Environment Information must be provided such as AD domain name, FQDN DC, FQDN mail server, etc.

11. The script can also be configured to log actions to a log file and create a CSV for the accounts for which a notification has been generated.

12. Another interesting feature of this tool is that it is possible to run the tool in either a TEST mode or Production (PROD) mode.

Test Mode: Only 1 recipient will receive all notifications by e-mail for all users for which the script determines that a notification must be generated.

PROD mode: In this mode, each recipient will receive a notification by e-mail.

You must have an account with a mailbox in the Active Directory that is accepted as a sender to send the mail. The account can be a normal account with no special permissions.

13. If any issue occurs in between, an event is written to the System Event Log. However, the account requires permissions to write to the event logs.


Meera Nair
Team @ MSEXchangeGuru

22 Responses to “Automate password change notification through email – How to??”

  1. Travis Says:

    Thank you for the post. I tried this and got thru with no errors.
    Travis

  2. Muthu Says:

    Thanks It is working fine and generates CSV file, But It is not sending mails,
    Is there any way to debug and see.Can you please help us.

  3. sanjeev Says:

    Wow this is great , i did not know that it can be done like this.

  4. tburton Says:

    I tried different combinations of sending the email. I can’t any of them to work with “TEST”. I haven’t tried sending any on “PROD”. Is this a common issue?

  5. Chris Says:

    Take a look at this tool from NetWrix. It can help with password expirations and it also comes in a freeware edition. Follow the link here for a free trial>>> http://www.netwrix.com/password_expiration_notifier_freeware.html

  6. rlk Says:

    The OU I am starting a search in is causing me problems because the space character I believe. Any ideas how to make it work? (example, cSearchBaseDN=OU=Something Sites,DC=DOMAIN,DC=LOCAL)

    The Error line changes what was detected with different weird characters depending on if I use double or single quotes.

    C:\ADPwdExpNotify>adpwdexpnotify
    10/17/2011 — 10:33:41 AM -> ERROR: Invalid argument detected! –> ☺’v╕2[
    10/17/2011 — 10:33:41 AM -> Aborting script…
    10/17/2011 — 10:33:41 AM -> Showing usage…

  7. rlk Says:

    I’m an idiot. I was running it incorrectly.

  8. Amaan Says:

    i downloaded the tool, please somebody tell me the procedure to do!!! i click on exe file there is nothing happend, its run immediately disppear, should i run this tool on DC or any other computer, and please help me to edit the ini file.. please please.. i really need to do in our environment.

    thanks in advance.

  9. Vince Says:

    Script fails to ping DC server. Can ping DC direct from CDM.
    No firewall on DC server. Any ideas?

    Ok, forget it. Can’t have spaces after the = sign. Must be: cFQDNdc=192.168.1.25, not cFQDNdc= 192.168.1.25

  10. KrishnaChaitanya Ch Says:

    I have same issue a Muthu. Scripts runs without any errors and generates CSV file, but does not send any mails. I am running this on a Windows 2008 R2 machine in a Windows 2008 R2 Domain

  11. crizz Says:

    Muthu, KrishnaChaitanya, I have the same problem as you. Did you ever get this working?

    thanks

  12. darlene Says:

    Sign in error update password. Notification
    A email email deleteed help

  13. Perry Says:

    I’ve just forwarded this onto a co-worker who had been conducting a little homework on this.

  14. Klaus Says:

    Hi
    Does this Work on MS Server 2012 ?

    Regards, Klaus

  15. Ong-ard Says:

    On same the file and configuration, it working as well on other machine (win xp but win7 and win 2008 svr) can’t send email to users.

  16. Ong-ard Says:

    Sorry!

    On same the file and configuration, it working as well on win xp but other machine (win7 and win 2008 svr) can’t send email to users.

  17. Larry D. Says:

    I cannot find the tool: ADPwdExpNotify.exe. Does anyone know where to download it?

  18. Danny C Says:

    Microsoft has a script that runs on the server and is programmable to send password expiry notice via email:
    https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27#content

    Good luck,

    Danny

  19. Nur Islam Says:

    Thanks a lot. Helpful !!!!

  20. SAFWAT RAHMAN Says:

    I am using Netwrix password notifier so users are now getting email from the system automatically before their password expiration.

    But problem is that when users try to change their password before expire (for example, there are 5 days left to expire), they are not able to change their password during login time. would you please give me some idea ?

    Thanks in advance

  21. Prabhat Nigam Says:

    They should be able to change the password from OWA or local domain joined computer.

  22. Atul Says:

    will this script fetch users from FGPP and send notification email or this script is meant for Default Domain level policy

Leave a Reply

ad

Categories

Archives