Active Directory Password Expiration Notification

A recent discussion on the EduCause Small College Constituent list led me to offer up my VBScript-based script for notifying users of expiring passwords. You can buy commercial tools that do basically the same thing for around $1200, but I took it as a challenge. If you don’t have a more robust management/reporting tool for Active Directory (like Quest Software’s ActiveRoles), this is a handy little script.

Here’s what it does (in its current form):

  1. Queries your AD for accounts whose passwords are about to expire, starting 30 days before expiration.
  2. Sends e-mail to those users at 30 days, then at 20, 15, 12, 9, and 3 days, directing them to a link with instructions on how to change their password.
  3. Saves a report of all password ages to a directory you specify.
  4. On the 30th day of each month, sends a CSV report to the administrator containing all users whose password is older than 20 days past the defined password change interval.

Everything is highly customizable.

Requirements:

  1. You will need to run the script as an account that has permissions to query the necessary attributes.
  2. You will need to have the SMTP service installed on the server where the script is running.
  3. You should run the script as a scheduled task.

You can download the script from my Dropbox here. Included in the ZIP are the script and the .bat I use to call it, which uses the (also included) datetype.cmd script to cycle the name of the log file based on the date. We run this on a system with almost 4000 active users.
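
The behaviour listed above can be sketched in PowerShell with the ActiveDirectory module. This is an added example, not the author's VBScript; the OU, addresses, URL and report folder are placeholder assumptions, while the notification days come from the list above.

```powershell
# Added example (not the author's VBScript). Needs the ActiveDirectory module (RSAT).
# Every value below is a placeholder/assumption except the notification schedule.
Import-Module ActiveDirectory

$NotifyDays = 30, 20, 15, 12, 9, 3                 # schedule from the post
$SearchBase = 'OU=Staff,DC=example,DC=edu'         # placeholder: limit the query to one OU
$SmtpServer = 'localhost'                          # assumption: local SMTP service
$From       = 'helpdesk@example.edu'               # placeholder
$Admin      = 'ad-admin@example.edu'               # placeholder
$HelpUrl    = 'https://intranet.example.edu/change-password'   # placeholder
$ReportDir  = 'C:\Reports\PasswordAge'             # placeholder
$Today      = (Get-Date).Date

# Enabled accounts whose password can expire. The computed expiry attribute
# already takes fine-grained password policies into account.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0/null = must change at next logon; Int64.MaxValue = password never expires
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Mail            = $u.mail
        PasswordLastSet = $u.PasswordLastSet
        Expires         = $expires
        DaysLeft        = ($expires.Date - $Today).Days   # negative once expired
    }
}

# Step 3: save the full password-age report, one file per day.
$csv = Join-Path $ReportDir ('pwdage-{0:yyyyMMdd}.csv' -f $Today)
$report | Sort-Object DaysLeft | Export-Csv -Path $csv -NoTypeInformation

# Steps 1-2: mail only on the scheduled days, and only accounts that have a mail attribute.
foreach ($r in $report | Where-Object { $_.DaysLeft -in $NotifyDays -and $_.Mail }) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $r.Mail `
        -Subject "Your password expires in $($r.DaysLeft) days" `
        -Body "Your password expires on $($r.Expires.ToString('d')). Instructions: $HelpUrl"
}

# Step 4: on the 30th, send the administrator everyone more than 20 days overdue.
if ($Today.Day -eq 30) {
    $stale = Join-Path $ReportDir ('overdue-{0:yyyyMM}.csv' -f $Today)
    $report | Where-Object { $_.DaysLeft -lt -20 } | Export-Csv -Path $stale -NoTypeInformation
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $Admin -Subject 'Overdue passwords' -Attachments $stale
}
```

Accounts with no `mail` value still appear in the CSV report, so they can be followed up manually even though they receive no notification.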

~ by swendel on March 24, 2009.

17 Responses to “Active Directory Password Expiration Notification”

  1. […] Password Expiration Notification.” [Weblog fatal sync] 24 Mar 2009. Web. 18 Apr 2009. <https://fatalsync.wordpress.com/2009/03/24/7/>. Windows Domain Controllers: Risks […]

  2. Hi, great tip!! I have been running this for about a year, but I have the problem that it will change the user ID in active directory but does not do anything for the local user so the cached credentials are still being used when they connect to sharepoint and internal drive mappings via the VPN. How can I manage my client computers to update/refresh the cached credentials created during login to the network?

  3. Amazing script! Thank you so much!!! 😀

  4. I have a strange issue. Not all users in AD are found. This happens to mostly new user accounts created within the last couple of years.

  5. How do you get it to filter users that do not have email accounts?

  6. Yes, I would like to know how to get it to filter out users with no mailbox.

  7. Talk about commercial product, there is one from Synergix called AD Client Extensions ( http://www.synergix.com ).

    No email notifications but a Windows tooltip message coming from a system tray icon when the user establishes a VPN connection. It will also sync domain credentials with cached credentials. Plus, group policy updates, user login script execution, user drive mapping, duplicate dns records reconciliation …. most of these issues that are nightmares to deal with for admins supporting vpn connected users. And it has a vpn disconnect script; nice, you can clean up whatever you want to when the user gets off a trusted network and ventures out on untrusted territories.

  8. Hi,

    It is identifying the users and OU correctly but not sending mail.
    Do I need to configure anything on the local SMTP server?

  9. How do I get the password expiry script to only search from a specific OU starting point?

  13. Hi, I have been having some trouble with the script. I have an account that can read the required attributes, and have set up SMTP on my server. When I run the script it runs without any errors and says it emails the user and makes the log, however it never actually sends the email to the user. Any help would be amazing.

    Thanks!

    Thomas

  14. I know this site offers quality depending content and extra stuff, is there
    any other web site which gives these kinds of information in quality?

  15. I do trust all the ideas you’ve offered for your post. They are very convincing and can certainly work. Nonetheless, the posts are very quick for starters. May you please extend them a little from subsequent time? Thank you for the post.

  16. Can you make the file available again? I would love to get a look at it

    app

  17. The link to your Dropbox is dead. Do you still have the script somewhere, please?
