In Windows XP and Windows Server 2003, you get a notification at logon when (by default) 14 days remain until your Active Directory user's password expires. In Windows 7 and Windows Server 2008 R2, Microsoft changed this feature: you no longer get the notification at logon but after you have logged on, and it is less intrusive, since you only see it for a few seconds as a balloon notification in the system tray.
Users easily miss it, and the result is users whose passwords are not changed until they have actually expired. When a password expires, the user loses access to Exchange servers and any other server that depends on their Active Directory credentials, which in turn produces support calls from users who think something is wrong with their machine because they can no longer, for example, send and receive e-mail.
The obvious solution is to notify users in some other way than the built-in balloon notification. But first let's look at the difference between XP and Windows 7, then where you define how many days before expiration users should be notified, and finally how to resolve the issue by sending users an e-mail notification instead of relying only on the balloon in the system tray.
1. Difference between Windows 7 and Windows XP
In Windows XP, users were notified at logon, by default 14 days before their password expired, and the notification was repeated every day until the password expired.
In Windows 7, users are notified by a balloon in the system tray, by default 5 days before their password expires, and the notification is repeated every day until the password expires.
2. Group Policy setting to define number of days
The Group Policy setting that defines how many days before password expiration users start receiving the notification is found in the following location:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
In a domain environment the policy setting is Not Defined by default.
But if you check the Local Security Policy of a Windows 7 or Server 2008 R2 machine, you will see that it is defined as 5 days by default on those two operating systems. Since it is a Computer Configuration setting, it applies to the machine the user logs on to, so in a domain it belongs in a GPO linked to the workstation OUs, not to the Domain Controllers OU.
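The setting above is stored on each machine in the Winlogon registry key as the REG_DWORD value PasswordExpiryWarning (that is what Local Security Policy and Group Policy both write). The following is an added example, not code from the original post: it reads the local value, compares it with the domain's MaxPasswordAge so a warning window that is missing or not shorter than the maximum age gets flagged, and shows how to set the local value. The function names are mine; everything else uses the standard registry and AD cmdlets.

```powershell
# Added example (not from the original post): inspect and set the local value
# behind "Interactive logon: Prompt user to change password before expiration".
Import-Module ActiveDirectory

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-PasswordExpiryWarningWindow {
    $props    = Get-ItemProperty -Path $WinlogonKey -Name PasswordExpiryWarning -ErrorAction SilentlyContinue
    $warnDays = if ($props) { [int]$props.PasswordExpiryWarning } else { $null }
    # Get-ADDefaultDomainPasswordPolicy reports 00:00:00 when passwords never expire
    $maxAge   = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        WarningDays        = $warnDays
        MaxPasswordAgeDays = [int]$maxAge.TotalDays
        # Flag a missing window, or one that is not shorter than the maximum age
        # (users would then be nagged from the day they set the password).
        WindowIsSane       = ($null -ne $warnDays) -and
                             ($maxAge.TotalDays -eq 0 -or $warnDays -lt $maxAge.TotalDays)
    }
}

# Sets the local value, which is what Local Security Policy does. A GPO that
# defines the setting overwrites this at the next policy refresh, so in a
# domain change it through Group Policy instead. The policy accepts 0-999 days.
function Set-PasswordExpiryWarningWindow {
    param([ValidateRange(0, 999)][int]$Days = 14)
    Set-ItemProperty -Path $WinlogonKey -Name PasswordExpiryWarning -Value $Days -Type DWord
}

Get-PasswordExpiryWarningWindow | Format-List
```

Run it on a workstation rather than on a DC: the value that matters is the one on the machine where the user logs on.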
3. Send notification by E-mail
As explained earlier, users usually miss the balloon notification in the system tray, which results in quite a few support calls. So it is better to use another way of telling users that their Windows password is about to expire and that they should change it as soon as possible. The following script notifies users by e-mail when 7, 3, 2 or 1 days remain until their password expires.
import-module ActiveDirectory
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
get-aduser -searchbase "ou=user accounts,dc=contoso,dc=com" -filter * -searchscope 1 -properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, displayName | foreach {
    $today = get-date
    $UserName = $_.displayName
    $Email = $_.EmailAddress
    # Skip accounts whose password has already expired, never expires, or must be changed at next logon (PasswordLastSet is empty)
    if (!$_.PasswordExpired -and !$_.PasswordNeverExpires -and $_.PasswordLastSet) {
        $ExpiryDate = $_.PasswordLastSet + $maxPasswordAgeTimeSpan
        $DaysLeft = ($ExpiryDate - $today).days
        # Notify when 7, 3, 2 or 1 days remain (-and binds tighter than -or; the parentheses just make that explicit)
        if (($DaysLeft -lt 4 -and $DaysLeft -gt 0) -or $DaysLeft -eq 7) {
            $WarnMsg = "
<p style='font-family:calibri'>Hello $UserName,</p>
<p style='font-family:calibri'>Your Windows password is about to expire in $DaysLeft day(s), it is recommended that you change it before it expires. </p><p style='font-family:calibri'>The requirements for new password are as following:</p>
<ul style='font-family:calibri'>
<li>Minimum Password Length must be 7 characters</li>
<li>Requirement x</li>
<li>Requirement y</li>
<li>Requirement z</li>
</ul>
<p style='font-family:calibri'></p>
<p style='font-family:calibri'>Best Regards<br>
IT Helpdesk</p>
"
            # EmailAddress is a single string; skip users without one instead of sending to an empty address
            if ($Email) {
                send-mailmessage -to $Email -from helpdesk@contoso.com -Subject "Password Expiry Notification: Your Windows password is about to expire in $DaysLeft day(s)" -body $WarnMsg -smtpserver 192.168.0.25 -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
            }
        }
    }
}
Obviously replace any values that do not correspond to your environment. Note that the script derives the expiry date from MaxPasswordAge in the default domain policy; users covered by a fine-grained password policy (available since Server 2008) have a different maximum age, so their dates will be wrong.
In the body of the message you can also link to a web page with instructions on how users change their password, or whom they should contact if they cannot do it themselves. Keep that link on an intranet page with instructions only, and never ask users to enter their current password on a page linked from the e-mail: a notification that does that is indistinguishable from a phishing mail, and it trains users to follow exactly the kind of link they should distrust. When run as a scheduled task, this script can be very useful, as it reduces the number of support calls you get because of expired passwords.
Since the AD module for PowerShell is imported at the start of the script, you need to run it either from a Domain Controller or from a machine where the AD module for PowerShell (part of the Remote Server Administration Tools) has been installed.
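The script above adds the default domain policy's MaxPasswordAge to PasswordLastSet, which gives the wrong date for users under a fine-grained password policy. The following added example (mine, not the post author's script) reads the constructed attribute msDS-UserPasswordExpiryTimeComputed instead, which the domain controller calculates per user with whatever policy actually applies, and it handles the two sentinel values that would otherwise break the date conversion. It also HTML-encodes the display name before putting it into the HTML body, and supports -WhatIf so you can see who would be mailed before anything is sent. The OU, SMTP server, sender address and function names are assumptions for the example.

```powershell
# Added example (not from the original post): expiry notification based on
# msDS-UserPasswordExpiryTimeComputed, with a dry-run mode.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web    # HttpUtility.HtmlEncode is available on PowerShell 2.0 / .NET 3.5

$NotifyAtDaysLeft = 7, 3, 2, 1
$SearchBase       = 'ou=user accounts,dc=contoso,dc=com'   # assumption
$SmtpServer       = '192.168.0.25'                         # assumption
$From             = 'helpdesk@contoso.com'                 # assumption

function Get-UsersToNotify {
    param([string]$SearchBase, [int[]]$Thresholds = $NotifyAtDaysLeft)
    $now = Get-Date
    Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter { Enabled -eq $true } `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires, EmailAddress, DisplayName |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'   # FILETIME (100 ns ticks since 1601, UTC)
        # 0 = must change at next logon (nothing to warn about);
        # 0x7FFFFFFFFFFFFFFF = never expires. FromFileTime would throw on the latter.
        if ($_.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) { return }
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [int][math]::Floor(($expires - $now).TotalDays)   # already expired gives a negative value
        if ($Thresholds -contains $daysLeft -and $_.EmailAddress) {
            New-Object PSObject -Property @{
                Name = $_.DisplayName; Email = $_.EmailAddress; Expires = $expires; DaysLeft = $daysLeft
            }
        }
    }
}

function New-ExpiryMessageBody {
    param($User)
    # DisplayName ends up inside HTML, so encode it rather than trusting the directory
    $name = [System.Web.HttpUtility]::HtmlEncode($User.Name)
    $when = $User.Expires.ToString('dddd d MMMM yyyy')
    @"
<p style='font-family:calibri'>Hello $name,</p>
<p style='font-family:calibri'>Your Windows password expires on $when, in $($User.DaysLeft) day(s). Please change it before then (press Ctrl+Alt+Del and choose Change a password).</p>
<p style='font-family:calibri'>The IT Helpdesk will never ask you for your current password by e-mail or on a web page.</p>
<p style='font-family:calibri'>Best Regards<br>IT Helpdesk</p>
"@
}

function Send-ExpiryNotifications {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase, [string]$SmtpServer, [string]$From)
    foreach ($u in Get-UsersToNotify -SearchBase $SearchBase) {
        $subject = "Password Expiry Notification: Your Windows password expires in $($u.DaysLeft) day(s)"
        # With -WhatIf, ShouldProcess only reports the recipient and sends nothing
        if ($PSCmdlet.ShouldProcess($u.Email, "send '$subject'")) {
            Send-MailMessage -To $u.Email -From $From -Subject $subject -Body (New-ExpiryMessageBody $u) `
                -SmtpServer $SmtpServer -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
        }
    }
}

# Dry run first; drop -WhatIf in the scheduled task.
Send-ExpiryNotifications -SearchBase $SearchBase -SmtpServer $SmtpServer -From $From -WhatIf
```

Because the attribute is computed by the DC, this also stays correct if the domain's MaxPasswordAge is changed later, without touching the script.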
If you are going to schedule the script to run on a Domain Controller, you can use the following command to create the scheduled task
schtasks /CREATE /RU SYSTEM /SC DAILY /TN EmailNotification /TR "powershell.exe -ExecutionPolicy Bypass -File c:\scripts\emailnotification.ps1" /ST 05:00
This command creates a scheduled task named EmailNotification that runs daily at 05:00 under the SYSTEM account. Since the task runs as SYSTEM on a Domain Controller, make sure C:\scripts and the script itself are writable only by administrators: anyone who can modify the file gets code executed as SYSTEM on the DC at the next run.
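Checking the permissions on the script location is worth automating, because an ACL that lets a non-admin write to a file that SYSTEM executes on a DC is a straightforward path to domain compromise. The following added example (mine, not from the original post) lists every Allow ACE on the script and its parent folder that grants a write, delete, permission-change or ownership right to an identity outside a trusted list, and also flags an untrusted owner, since the owner can always rewrite the ACL. It accounts for inherited ACEs that carry generic rights not named in the FileSystemRights enum. The path and the trusted-identity list are assumptions.

```powershell
# Added example (not from the original post): find who, besides admins and the
# system, could modify the script that the scheduled task runs as SYSTEM.
function Test-ScheduledScriptAcl {
    param(
        [string]$ScriptPath = 'C:\scripts\emailnotification.ps1',   # assumption
        [string[]]$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                         'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    )
    $R = [System.Security.AccessControl.FileSystemRights]
    # Any one of these lets the holder change the script (or the folder's contents) or take over its ACL.
    $writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                       $R::ChangePermissions -bor $R::TakeOwnership -bor $R::FullControl)
    # Inherited ACEs can carry generic rights that the enum does not name:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $genericMask = 0x50000000

    foreach ($item in @($ScriptPath, (Split-Path -Path $ScriptPath -Parent))) {
        $acl = Get-Acl -Path $item
        if ($TrustedIdentities -notcontains $acl.Owner) {
            New-Object PSObject -Property @{ Path = $item; Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band $writeMask) -ne 0 -or ($rights -band $genericMask) -ne 0) {
                New-Object PSObject -Property @{
                    Path = $item; Identity = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Test-ScheduledScriptAcl)
if ($findings.Count -eq 0) { 'OK: only trusted identities can modify the script and its folder.' }
else { $findings | Format-Table Path, Identity, Rights, Inherited -AutoSize }
```

A typical finding on a folder created by hand under C:\ is an inherited ACE for BUILTIN\Users or Authenticated Users with write rights; fix it by breaking inheritance on C:\scripts and granting Modify to Administrators only.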
I don’t know why Microsoft changed it from the way it was in Windows XP, but thanks for the script. I was looking for a way to notify people and this is perfect.
Fantastic script. Thanks!