How to Notify Users of Password Expiration via Email
July 21, 2016
Featured blog by Satyendra Tiwari, associated with Lepide Software as IT and marketing manager
If you have users working from home on a laptop or mobile device, it is useful for them to know when their password is about to expire. Although Windows doesn’t push alerts through to mobile devices, you can configure Outlook Web Access so that users receive an email notification a defined period of time before the password expires.
To enable this, a script has been provided on the Microsoft TechNet website. The script reads the ‘pwdLastSet’ value of each account in Active Directory and the ‘MaxPwdAge’ property of the domain, and from these calculates when to send the reminder emails. The link for the script is provided below:
https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27
Before you run this script in your Active Directory environment, please read and re-read the disclaimer provided at the bottom of the page. The script has to be downloaded and run from a DC or, preferably, from a member server. It sends an email to each user whose password is due to expire within a given number of days. Let’s have a look at the variables mentioned in the script:
In the $smtpServer variable, make sure you provide the correct name of the SMTP server you are using to send emails.
The $expireindays variable sets how many days before expiry the notification email is sent to users.
The $from variable controls which email ID is used in the ‘From’ field of the notification email. As all the users will see this ID in the ‘From’ field, choose this value with due consideration.
The $logging variable lets you specify whether these activities should be logged or not. If logging is enabled, you will be able to trace and investigate any errors that may occur.
If logging is enabled, the $logFile variable should be used to specify the location of the log file. It is advisable to keep it on the local system.
The $testRecipient variable can be used to see what the email will look like before using it.
Before you fully run the script, it is highly recommended to run a test send with a few users. This way you can make sure that the variables you have input are correct.
If you want to change the text of the email, you can do so under the $body section of the script. Similarly, you can change any other variable to meet your requirements. After the script has been tested and fits your requirements, you can set $testing = “Disabled”.
Note that running the script will generate emails only once. If you want to give multiple reminders you will have to schedule the script to run automatically at specified dates and times.
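The calculation described above, from ‘pwdLastSet’ and ‘MaxPwdAge’, shown as an added PowerShell example that is not the TechNet script or the author's code: it runs on constructed accounts, sends nothing, and shows a test mode redirecting every reminder to $testRecipient. The function name Get-PasswordExpiryNotice, the sample users, the 42-day maximum age and the 'Enabled' value for $testing are assumptions.

```powershell
# Added example with constructed data; no Active Directory or SMTP connection is used.
$expireindays  = 14                     # notify when expiry is this many days away or fewer
$testing       = 'Enabled'              # assumed counterpart of the "Disabled" value on the page
$testRecipient = 'admin@example.test'   # constructed address
$now           = [DateTime]::UtcNow

# The domain's maxPwdAge is a negative count of 100-ns intervals; 42 days here (constructed).
$maxPwdAge = -([TimeSpan]::FromDays(42).Ticks)

# Constructed accounts. pwdLastSet is a FILETIME; 0 means "must change at next logon".
$users = @(
    [pscustomobject]@{ Name='alice'; Mail='alice@example.test'; pwdLastSet=$now.AddDays(-35).ToFileTimeUtc(); userAccountControl=0x200 }
    [pscustomobject]@{ Name='bob';   Mail='bob@example.test';   pwdLastSet=$now.AddDays(-5).ToFileTimeUtc();  userAccountControl=0x200 }
    [pscustomobject]@{ Name='svc';   Mail='svc@example.test';   pwdLastSet=$now.AddDays(-400).ToFileTimeUtc(); userAccountControl=0x10200 }
    [pscustomobject]@{ Name='carol'; Mail='carol@example.test'; pwdLastSet=0; userAccountControl=0x200 }
)

# Hypothetical helper: returns one object per reminder that would be sent.
function Get-PasswordExpiryNotice {
    param($Users, [long]$MaxPwdAge, [int]$ExpireInDays, [datetime]$Now, $Testing, $TestRecipient)
    # 0 or Int64.MinValue means domain passwords never expire.
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) { return }
    $maxAge = [TimeSpan]::FromTicks([Math]::Abs($MaxPwdAge))
    foreach ($u in $Users) {
        if ($u.userAccountControl -band 0x10000) { continue }  # DONT_EXPIRE_PASSWORD flag
        if ($u.pwdLastSet -eq 0 -or -not $u.Mail) { continue } # no expiry date, or nowhere to send
        $expires  = [DateTime]::FromFileTimeUtc($u.pwdLastSet) + $maxAge
        $daysLeft = [int][Math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -lt 0 -or $daysLeft -gt $ExpireInDays) { continue }
        [pscustomobject]@{
            User     = $u.Name
            To       = if ($Testing -eq 'Enabled') { $TestRecipient } else { $u.Mail }
            Expires  = $expires
            DaysLeft = $daysLeft
        }
    }
}

Get-PasswordExpiryNotice -Users $users -MaxPwdAge $maxPwdAge -ExpireInDays $expireindays `
    -Now $now -Testing $testing -TestRecipient $testRecipient | Format-Table -AutoSize
```

Accounts governed by a fine-grained password policy take their maximum age from that policy rather than from the domain's ‘MaxPwdAge’, so a domain-wide calculation like this one can misdate their expiry.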
Conclusion
Making sure that your users are updating their passwords regularly is an important part of any security plan when it comes to tackling insider threats. The script mentioned in this blog is not the only way to remind users that their passwords are due to expire; other scripts are available to run manually as well. Another method is to deploy a third-party solution, like Lepide User Password Expiration Reminder, that automatically notifies users at appropriate times that their passwords are soon to expire.
About the author: Satyendra Tiwari is associated with Lepide Software as IT and marketing manager.