3

Are there any tools/apps/scripts out there that will do password expiry notification for Windows 2008 Active Directory credentials? This is needed for our web apps that use Active Directory for LDAP authentication. The problem is those apps do not notify you that your password is going to expire when you log in. We have many offsite users who do not have machines bound to the AD. So there is no way to let them know to reset their password.

I'd like the user to be notified 30, 7 and 1 day before it expires. I'd also like our help desk to get an email for the expiring passwords for the week and recently expired passwords.

I've looked at oldcmp.exe from link text and that gets me my reports but it does not do the automation that I'm looking for on the individual users.

keithosu

4 Answers

1

If you're willing to put forth the effort to make the program, it isn't hard to figure out. The root domain object (DC=company,DC=example,DC=com) has an attribute called maxPwdAge, and the individual user accounts have an attribute called pwdLastSet. Both of these attributes are timestamps in 100 nanosecond intervals.

Once you pull these values, it is really a matter of addition/subtraction and from there, all you need to do is send the email...

Kyle Brantley
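The arithmetic described in this answer, as an added example that is not part of the original answer. It assumes the attribute values were already read over LDAP as integers; in AD, pwdLastSet counts 100-ns ticks since 1601-01-01 UTC and maxPwdAge is stored as a negative 100-ns interval. The function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000            # 100-ns ticks in 24 hours
DONT_EXPIRE_PASSWD = 0x10000               # userAccountControl flag
NEVER_EXPIRES = (0, -0x8000000000000000)   # maxPwdAge values meaning "no aging"
THRESHOLDS = (30, 7, 1)                    # notice days asked for in the question


def filetime_to_datetime(ticks):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build sample values."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expiry(pwd_last_set, max_pwd_age, uac=0):
    """Return the expiry datetime, or None if the password does not age."""
    if uac & DONT_EXPIRE_PASSWD or max_pwd_age in NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:                  # "must change at next logon"
        return FILETIME_EPOCH              # treat as already expired
    # maxPwdAge is negative, so subtracting it adds the allowed age.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def notice_for(expiry, now):
    """Return 30, 7 or 1 when a notice is due, 'expired', or None."""
    if expiry is None:
        return None
    if expiry <= now:
        return "expired"
    days_left = (expiry - now).days        # whole days remaining, rounded down
    return days_left if days_left in THRESHOLDS else None


if __name__ == "__main__":
    # Constructed sample: 90-day policy, password set 2024-01-01 12:00 UTC.
    max_age = -90 * TICKS_PER_DAY
    last_set = datetime_to_filetime(datetime(2024, 1, 1, 12, tzinfo=timezone.utc))
    expiry = password_expiry(last_set, max_age)
    for day in (1, 10, 24, 30):
        now = datetime(2024, 3, day, 9, tzinfo=timezone.utc)
        print(now.date(), expiry, notice_for(expiry, now))
```

Run once a day, each threshold fires exactly once per user. Accounts covered by a fine-grained password policy take their maximum age from that policy rather than from the domain root object.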
1

As you're on 2008, PowerShell would be one of my first places to look. There are a couple of great scripts here that do notifications and are configurable, for example. It does require the Quest AD package to be installed. You can achieve the same without the help of the Quest stuff too; it just requires a little more digging into LDAP search syntax, and using ADSI (ScriptingGuys has an example of the ADSI method without mail here).

Jon Angliss
0

We had to solve this problem as well. What we ended up with is modifying our Web-SSO solution (CAS) to do the aging check during every login. If it crosses certain thresholds, it'll warn the user on a click-through screen. During interactive login, we have a login script that fires and checks this as well, and throws a big popup warning them of expiration.

This did require us to write code to make it work, but it is currently working well.

sysadmin1138
0

We use Netwrix apps, "Password Expiration Notifier".

You can try the freeware before requesting a quote.

Muhammad