Active Directory password expiry notifier
As a systems administrator you will recognize this problem: some users are unaware that
their password will expire soon, because they received no notification of it. This typically happens
to users who rarely log out of their workstation, for instance VPN users. Once the password expires,
the user is annoyed by the interruption, and the IT department spends time unlocking the
account. This could have been avoided if the user had received an email
warning of the expiration. The content of this page is also available as a video tutorial at the bottom of this page.
The script presented here to solve this problem is a custom application. A custom application is a
script that is compiled into an exe file. Please refer to
this page for more information on custom applications.
Compiling the script into an application is optional; the script can be run
without compilation.
The custom application sends an email notification to every user whose password
expires within a configurable number of days.
An email is sent once a day until the user changes the password or it expires.
The example requires FastTrack Scripting Host version 6.6 or newer.
Why a custom application
The problem with commercial software for this task is that it limits how far you can
customize it. Building an application from your own script, on the other hand, imposes no such
limit: any customization your organization needs can be scripted, the same way as when you are
programming.
The example script below sends an email to users whose password expires in the near future.
You could add features that apply to your company only, for example:
- You only want to notify a subset of users. The example script
below looks at all users. To have it look only at users in a specific Organizational Unit,
the AllUsers collection can simply be replaced by the UsersInOU collection. You could add
logic to filter the users further, for instance on other Active Directory attributes.
- You have a gateway that sends SMS messages to the users' mobile phones, and the phone numbers are
stored in the Active Directory phone number attribute. In that case you could copy the custom command in the
example and have the copy send an SMS through the gateway.
- When the time to expiration drops below a second threshold, for instance 2 days, you want
an email yourself and/or one sent to the HelpDesk so that they can contact the user proactively. This can
be added with another UserMustChangePasswordSoon condition, using the lower threshold, and a second email notification.
- You have populated a specific Active Directory attribute with the private email address of some users.
If that attribute is not already mapped to an FSH function, its name can be looked up on the
"Attribute editor" tab of the user and passed to the UserCustomProperty function to get the
value. An additional mail could then be sent to this secondary address.
If your company has problems with users whose accounts expire prematurely, the script presented here
can easily be modified to send those users a reminder that their account will expire soon.
It basically only requires replacing the UserMustChangePasswordSoon condition with
UserExpiresSoon and rewriting the email body text. If the current body text is used as
a template, the UserPasswordExpiryDate function must also be replaced with the UserPasswordDate
function.
The script
The script listed below is available directly in the script editor: go to the "Documentation" tab and
select "Password Expiry Notifier" under the "Insert Example Script" submenu.
''==== UNCOMMENT IF NOT USING A SCHEDULED TASK (WAIT FOR SPECIFIC TIME) ====
''SleepUntil 08:00

''==== SETTINGS ====
Set ExpWarnDays=7
Set TestMode=True

''==== FIND NON-EXPIRED USERS WITH PENDING PASSWORD CHANGE ====
ForEach User in [AllUsers]
  If UserEnabled [Var User] Then
    If UserMustChangePasswordSoon [Var ExpWarnDays],[Var User] Then
      Set EMail=[UserEMailAddress [Var User]]
      If Not VarIsEmpty EMail Then SendNotificationMail [Var EMail]
    End If
  End If
End ForEach

''==== UNCOMMENT IF NOT USING A SCHEDULED TASK (RESTART) ====
''Restart

''==== EXEC EMAIL SEND ====
Command SendNotificationMail(Recipient)
  ''==== SET SMTP STATIC INFORMATION ====
  Set SmtpPort=25
  Set SmtpServer=mail.acme.com
  Set SmtpSender=no-reply@acme.com
  Set SmtpUserName=no-reply@acme.com
  Set SmtpPassword=[EncryptPassword MyPass] ''Preferably encrypt the password in the editor instead
  Set SmtpSenderName="Acme Corp"
  Set EMailHeader="Password expiry notification"
  ''==== SET MAIL BODY ====
  Set Body="Dear [UserFullName [Var User]].[Return][Return]_
  Your logon password will expire on [UserPasswordExpiryDate [Var User]].[Return][Return]_
  If you are connecting through VPN, you may encounter problems connecting to the network _
  if you have not logged on to the network and changed your password by this date at the latest.[Return][Return]_
  You will receive a daily notification until you have changed your password."
  ''==== SEND EMAIL OR SHOW MAILBODY IN TEST MODE ====
  If [Var TestMode]=True Then
    ShowMessage [Var Body]
  Else
    SendMailPlain [Var SmtpServer],[Var SmtpPort],[Var SmtpSender],[Var SmtpSenderName],[Param Recipient],_
                  [Var EMailHeader],[Var Body],[Var SmtpUserName],[Var SmtpPassword]
  End If
End Command
Setting the variable "TestMode" to "True" means that the body of the email is shown in a prompt during
execution instead of being sent. This lets you verify how many users the script detects before any mail goes out.
If you have many users, the ShowMessage prompt can be replaced by an AppendFile command that logs
who would have received an email.
The "ExpWarnDays" setting is the threshold, in days, below which users are notified.
By default the script is in test mode, uses a 7-day threshold and looks at all users.
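The same notifier logic, written as an added example in PowerShell with the ActiveDirectory module; it is not the FastTrack script from this page and not part of the product. It also covers the customizations from the list above: an OU filter instead of all users, a second threshold that copies the help desk, and a test mode that logs instead of mailing. The OU, help desk address, log path and the credential file C:\Scripts\smtp.cred.xml are assumed placeholders. The password expiry date is read from the constructed attribute msDS-UserPasswordExpiryTimeComputed, so fine-grained password policies are honoured without re-implementing the pwdLastSet + maxPwdAge arithmetic.

```powershell
<#
 Added example (not the FastTrack script on this page): AD password expiry notifier
 in PowerShell. Placeholders marked "assumption" must be adapted to your environment.
#>
param(
    [int]    $ExpWarnDays  = 7,
    [int]    $EscalateDays = 2,                           # copy the help desk below this
    [switch] $TestMode,
    [string] $SearchBase   = 'OU=Staff,DC=acme,DC=com',   # assumption
    [string] $SmtpServer   = 'mail.acme.com',
    [int]    $SmtpPort     = 25,
    [string] $Sender       = 'no-reply@acme.com',
    [string] $HelpDesk     = 'helpdesk@acme.com',         # assumption
    [string] $CredFile     = 'C:\Scripts\smtp.cred.xml',  # assumption
    [string] $LogPath      = 'C:\Scripts\pwexpiry.log'    # assumption
)

Import-Module ActiveDirectory

# The SMTP password is never a literal in the script. Create the file once, as the
# account that will run the task:   Get-Credential | Export-Clixml $CredFile
# Export-Clixml protects the SecureString with DPAPI, so only that account on that
# machine can read it back.
$smtpCred = if (-not $TestMode) { Import-Clixml -Path $CredFile }

# Constructed attribute: the DC applies pwdLastSet + maxPwdAge, or the user's
# fine-grained policy, for us. Disabled and "never expires" accounts are skipped.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties mail, DisplayName, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
$notified = 0
foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon, Int64.MaxValue = never expires: nothing to warn about
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
    # Already expired, or not yet inside the warning window
    if ($daysLeft -lt 0 -or $daysLeft -gt $ExpWarnDays) { continue }
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        Add-Content $LogPath "$($now.ToString('s')) $($u.SamAccountName): $daysLeft d left, no mail attribute"
        continue
    }

    $subject = 'Password expiry notification'
    $body = @"
Dear $($u.DisplayName),

Your logon password will expire on $($expires.ToString('yyyy-MM-dd HH:mm')).

If you connect through VPN you may be unable to reach the network if you have not
logged on and changed your password by that date.

You will receive a daily notification until you have changed your password.
"@
    # Escalation: below the second threshold the help desk gets a copy and can
    # contact the user proactively.
    $to = @($u.mail)
    if ($daysLeft -le $EscalateDays) { $to += $HelpDesk }

    if ($TestMode) {
        Add-Content $LogPath "$($now.ToString('s')) TEST would mail $($to -join ',') ($daysLeft d left)"
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -Credential $smtpCred `
            -From $Sender -To $to -Subject $subject -Body $body
    }
    $notified++
}
"Users in warning window: $notified"
```

Run it first with -TestMode and inspect the log; the count and the per-user lines tell you what a live run would send. The account running the script needs nothing beyond read access to the user objects and the ability to authenticate to the SMTP server.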
Compiling the script
To compile your script into a single executable custom application, open the
script, go to the "Execute" menu and select the "Create Executable Script"
menu item, or click the corresponding toolbar button, as shown to the right.
Your script is now compiled into a single executable. Remember to save a copy
of the script, as the executable file cannot be reverse engineered into the
original script. Note that everything the script contains, including the SMTP password,
is still inside the executable, so restrict read access to the exe file just as you would to the script. Please refer to
this page for more information on
the pros and cons of custom applications versus executing the original script.
Executing the application
The executable file (or the original script) must run once a day on a server. This can be achieved in two ways:
- Create a scheduled task that points to the exe file. The scheduled task then handles the execution interval.
- Uncomment the script lines containing "SleepUntil" and "Restart" in the example and leave the exe running.
A scheduled task is normally preferable, as it can be scheduled to run at system startup without an interactive logon.
Run the task under a dedicated account that has only the rights the script needs: reading user attributes from Active Directory and sending mail through the SMTP server.
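How to set up the scheduled-task option, as an added PowerShell example that is not part of the page or the product: it locks the compiled exe down to the account that runs it (the SMTP credential from the script is inside the exe) and registers a daily task that runs without an interactive logon under a dedicated, non-elevated domain account. The exe path, task name and account name are assumed placeholders.

```powershell
# Added example, not from the page: restrict the compiled exe and register it as a
# daily scheduled task under a dedicated low-privilege account.
$exe     = 'C:\Scripts\PasswordExpiryNotifier.exe'   # assumption
$svcAcct = 'ACME\svc-pwnotify'                       # assumption: domain user with read
                                                     # access to user objects only; it also
                                                     # needs the "Log on as a batch job" right

# The SMTP credential from the script is embedded in the exe, so only the service
# account and administrators may read it: stop inheritance and set explicit ACEs.
$acl = Get-Acl -Path $exe
$acl.SetAccessRuleProtection($true, $false)   # protect, and discard inherited ACEs
$rules = @{
    $svcAcct                 = 'ReadAndExecute'
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}
foreach ($id in $rules.Keys) {
    $acl.AddAccessRule(
        [System.Security.AccessControl.FileSystemAccessRule]::new($id, $rules[$id], 'Allow'))
}
Set-Acl -Path $exe -AclObject $acl

# Daily at 08:00. Supplying the password stores it with the task, which is what
# lets it run whether or not anyone is logged on. RunLevel Limited: reading AD
# and sending mail needs no elevation.
$cred     = Get-Credential -UserName $svcAcct -Message 'Password for the task account'
$action   = New-ScheduledTaskAction -Execute $exe
$trigger  = New-ScheduledTaskTrigger -Daily -At '08:00'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'AD Password Expiry Notifier' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited
```

After registering, trigger the task once by hand (Start-ScheduledTask) with the script still in test mode and confirm that the log is written by the service account; only then switch TestMode off.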
Summary
Watch Senior Technical Writer Steve Dodson from Binary Research International walk you through the
material presented on this page.