Active Directory password expiry notifier

As a systems administrator you will recognize this problem: some users are unaware that their password is about to expire, because they never received a notification. This typically happens to users who rarely log out of their workstation, for instance VPN users. Once the password expires, the user is annoyed by the interruption to their work, and the IT department spends time unlocking the account. This could have been avoided if the user had received an email notifying them of the upcoming expiration. The content of this page is also available as a video tutorial at the bottom of the page.

The script presented here to solve this problem is a custom application, that is, a script compiled into an exe file. Please refer to this page for more information on custom applications. Compiling the script into an application is optional; the script can also be run as it is.

This custom application sends an email notification to users whose password will expire within a configurable number of days. An email is sent once a day until the user changes the password or the password expires.

Password expiry notifier

Why a custom application

The problem with commercial software for this task is that the level of customization is limited. Building the application yourself from your own script imposes no such limitations: any customization your organization needs can be scripted, just as it could be programmed.

The example script below sends an email to users whose password expires in the near future. You could add features that apply to your company only, for example:
  • You only want to notify a subset of users. The example script below looks at all users. To look at users in a specific Organizational Unit only, the AllUsers collection can simply be replaced by the UsersInOU collection. You could build additional logic to filter the users further, for instance based on other Active Directory attributes.
  • You have a gateway for sending an SMS to the end user's cellular phone, and the phone numbers are available in the Active Directory phone number attribute. In this case you could copy the custom command in the example and modify the copy to send an SMS through the SMS gateway.
  • When the remaining time before password expiration drops below a certain threshold, for instance 2 days, you would like to receive an email yourself and/or have one sent to the Help Desk, so the user can be contacted proactively. This can be done by adding a second UserPasswordExpiresSoon condition with its own email notification.
  • You have populated a specific Active Directory attribute with the private email address of some users. If this attribute is not already mapped to a FastTrack function, its name can be looked up in the "Attribute editor" tab of the user and then passed to the UserCustomProperty function to read the actual value. An additional mail could then be sent to this secondary email address.

If your company has problems with user accounts that expire prematurely, the script presented here can easily be modified to send those users a reminder that their account will expire soon. This basically requires replacing the UserMustChangePasswordSoon condition with UserExpiresSoon and rewriting the email body text. If the current body text is used as a template, the UserPasswordExpiryDate function must also be replaced with the UserPasswordDate function.

The script

The script listed is available directly in the script editor. Go to the "Documentation" tab, select "Password Expiry Notifier" under the "Insert Example Script" submenu.

''==== UNCOMMENT IF NOT USING A SCHEDULED TASK (WAIT FOR SPECIFIC TIME) ====
''SleepUntil 08:00

''==== SETTINGS ====
Set ExpWarnDays=7
Set TestMode=true

''==== FIND NON-EXPIRED USERS WITH PENDING PASSWORD CHANGE ====
ForEach User in [AllUsers]
  If UserEnabled [Var User] Then
    If UserMustChangePasswordSoon [Var ExpWarnDays],[Var User] Then
      Set EMail=[UserEMailAddress [Var User]]
      ''Users without an email address in Active Directory are skipped
      If Not VarIsEmpty EMail Then SendNotificationMail [Var EMail]
    End If
  End If
End ForEach

''==== UNCOMMENT IF NOT USING A SCHEDULED TASK (RESTART) ====
''Restart

''==== EXEC EMAIL SEND ====
Command SendNotificationMail(Recipient)

  ''==== SET SMTP STATIC INFORMATION ====
  Set SmtpPort=25
  Set SmtpServer=mail.acme.com
  Set SmtpSender=no-reply@acme.com
  Set SmtpUsername=no-reply@acme.com
  Set SmtpPassword=[EncryptPassword MyPass] ''Preferably encrypt the password in the editor instead of keeping it in clear text in the script
  Set SmtpSenderName="Acme Corp"
  Set EMailHeader="Password expiry notification"

  ''==== SET MAIL BODY ====
  Set Body = "Dear [UserFullName [Var User]].[Return][Return]_
              Your logon password will expire on [UserPasswordExpiryDate [Var User]].[Return][Return]_
              If you are connecting through VPN, you may encounter problems connecting to the network _
              if you have not logged on to the network and changed your password by this date at the latest.[Return][Return]_
              You will receive a daily notification until you have changed your password."

  ''==== SEND EMAIL OR SHOW MAILBODY IN TEST MODE ====
  If [Var TestMode]=True Then
    ShowMessage [Var Body]
  Else
    SendMailPlain [Var SmtpServer],[Var SmtpPort],[Var SmtpSender],[Var SmtpSenderName],[Param Recipient],_
                  [Var EMailHeader],[Var Body],[Var SmtpUsername],[Var SmtpPassword]
  End If

End Command

Setting the variable "TestMode" to "True" means that the body of the email is displayed in a prompt during execution instead of being sent. This allows you to check how many users the script detects. If you have many users, the ShowMessage prompt could be replaced by an AppendFile command that logs who would have received an email.

The "ExpWarnDays" setting is the threshold, in number of days before expiry, at which users are notified. By default the script is in test mode, uses a 7-day threshold and looks at all users.
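The selection logic that the FastTrack functions above hide (UserEnabled, UserMustChangePasswordSoon, the ExpWarnDays threshold, the extra Help Desk threshold from the customization list, the UserExpiresSoon account-expiry variant, and test mode collecting messages instead of sending them) is shown here as an added Python example. It is not FastTrack's code and not part of the original page. All user records, the domain's maxPwdAge, the help desk address and the send callable are constructed assumptions; a real deployment would read pwdLastSet, userAccountControl and accountExpires over LDAP, and on domains with fine-grained password policies should read the constructed attribute msDS-UserPasswordExpiryTimeComputed instead of deriving the date from the domain-wide maxPwdAge.

```python
# Added example (not FastTrack's code): the notifier's user selection on
# constructed sample data. Attribute values below are made up.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
TICKS_PER_DAY = 86400 * 10_000_000                          # 100-ns ticks per day
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag: password never expires
ACCOUNTDISABLE = 0x2             # userAccountControl flag: account disabled
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "never"

def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks, in integer arithmetic so it stays exact."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

@dataclass
class User:
    sam: str
    mail: str
    pwd_last_set: int             # FILETIME; 0 = must change password at next logon
    user_account_control: int = 0
    account_expires: int = 0      # FILETIME; 0 or 0x7FFF... = never expires

def password_expiry(u: User, max_pwd_age: int):
    """Password expiry datetime, or None when the password never expires.
    maxPwdAge is stored as a *negative* tick count; 0 or the 0x8000... sentinel
    means the domain policy sets no maximum age."""
    if u.user_account_control & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, -0x8000000000000000):
        return None
    if u.pwd_last_set == 0:
        return FILETIME_EPOCH     # already expired: change required at next logon
    return from_filetime(u.pwd_last_set - max_pwd_age)

def account_expiry(u: User, _max_pwd_age: int = 0):
    """The UserExpiresSoon variant: account expiry instead of password expiry."""
    return None if u.account_expires in NEVER else from_filetime(u.account_expires)

def users_to_notify(users, max_pwd_age, warn_days, now, helpdesk_days=None, expiry_of=password_expiry):
    """(sam, mail, expiry, escalate) for enabled users with a mail address whose
    expiry lies between now and now + warn_days. Already-expired users are
    skipped, like the 'non-expired users' loop in the script."""
    hits = []
    for u in users:
        if u.user_account_control & ACCOUNTDISABLE or not u.mail:
            continue
        exp = expiry_of(u, max_pwd_age)
        if exp is None:
            continue
        days_left = (exp - now) / timedelta(days=1)
        if not 0 <= days_left <= warn_days:
            continue
        escalate = helpdesk_days is not None and days_left <= helpdesk_days
        hits.append((u.sam, u.mail, exp, escalate))
    return hits

def build_body(sam, expiry):
    return (f"Dear {sam}.\n\nYour logon password will expire on {expiry:%Y-%m-%d}.\n\n"
            "You will receive a daily notification until you have changed your password.")

def run(users, max_pwd_age, warn_days, now, test_mode=True, send=None, helpdesk_days=None):
    """Build every message; in test mode return them instead of sending (the role
    of TestMode/ShowMessage in the script). `send` is an assumed callable
    send(recipient, subject, body), used only when test_mode is False."""
    messages = []
    for sam, mail, exp, escalate in users_to_notify(users, max_pwd_age, warn_days, now, helpdesk_days):
        messages.append((mail, "Password expiry notification", build_body(sam, exp)))
        if escalate:  # second threshold: tell the help desk too (assumed address)
            messages.append(("helpdesk@acme.example", f"Password of {sam} expires {exp:%Y-%m-%d}",
                             f"{sam} ({mail}) has {(exp - now).days} day(s) left; consider contacting the user."))
    if not test_mode:
        for msg in messages:
            send(*msg)
    return messages

# ---- constructed sample data ----
NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * TICKS_PER_DAY   # assumed domain policy: 42 days, stored negative

def _set_days_ago(d):
    return to_filetime(NOW - timedelta(days=d))

SAMPLE_USERS = [
    User("alice", "alice@acme.example", _set_days_ago(37)),                       # 5 days left -> notify
    User("bob",   "bob@acme.example",   _set_days_ago(20)),                       # 22 days left -> skip
    User("carol", "carol@acme.example", _set_days_ago(41)),                       # 1 day left -> notify + help desk
    User("dave",  "dave@acme.example",  _set_days_ago(41), DONT_EXPIRE_PASSWORD), # never expires -> skip
    User("erin",  "erin@acme.example",  _set_days_ago(40), ACCOUNTDISABLE),       # disabled -> skip
    User("frank", "",                   _set_days_ago(40)),                       # no mail address -> skip
    User("grace", "grace@acme.example", 0),                                       # already expired -> skip
]

if __name__ == "__main__":
    for rcpt, subject, body in run(SAMPLE_USERS, MAX_PWD_AGE, 7, NOW, helpdesk_days=2):
        print(f"--- {rcpt}: {subject}\n{body}\n")
```

Running the block in test mode prints the two user notifications and the help desk escalation for carol; passing test_mode=False with a real send callable is the equivalent of switching TestMode to false in the script. Keeping the selection in users_to_notify separate from the sending makes the threshold logic checkable against known attribute values before any mail goes out.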

Compiling the script

To compile your script into a single executable custom application, open the script, go to the "Create Exe File" menu and select the "Save Script As Exe File" menu item, or press F10. Your script is now compiled into a single executable file. Remember to keep a copy of the script, as the executable file cannot be reverse engineered into the original script. Please refer to this page for more information on the pros and cons of custom applications versus executing the original script.

Compiling an exe

Executing the application

The executable file (or the original script) must run once a day on a server. This can be achieved in two ways:
  • Create a scheduled task that points to the exe file. The scheduled task handles the execution interval.
  • Uncomment the script lines containing "SleepUntil" and "Restart" in the example and run the exe file.
Using a scheduled task is normally preferred, as it can be scheduled to run at system startup without a logon.

Summary

Watch Senior Technical Writer Steve Dodson from Binary Research International walk you through the material presented on this page.


