TechOnTip Weblog

Run book for Technocrats

Sending Active Directory Domain Password Expiration Notification to End Users

Posted by Brajesh Panda on December 27, 2009

Have you ever noticed that some users keep calling to say they cannot access corporate applications with their AD user account? Most likely the account is locked out, or the password has expired.

If the account is locked out, you can see it in the ADUC console. But if the password has expired there is no obvious indication in ADUC; you only find out when the user calls. Microsoft has a useful tool kit for this kind of troubleshooting, the Account Lockout Management Tools; I will cover it in the next post.

When the password had expired, we simply reset it. After some investigation we usually found that these users never log on to a domain-joined workstation; they only use the account for applications. So they never saw the logon-time warning that Windows shows when a password is about to expire in so many days, and Windows provides no other built-in notification for this kind of user.

So the requirement is clear: a customized VB Script that scans the number of days remaining before each user's password expires and sends those users a friendly message (mail). For troubleshooting purposes it should also log which users it sent notifications to, and when.

Here is a Visual Basic script that does exactly this. Test it in your lab before running it in production. No administrative access in Active Directory is needed: a plain domain user account that can read the user attributes involved (password last set time, mail address, account flags) is enough.

To run it you have to configure the following parameters:

– Maximum password age in your domain, in days (the value from your domain password policy; note that Windows Server 2008 fine-grained password policies can give different users different maximum ages, so a single domain-wide value is only accurate where no such policies apply)

– The domain or container (OU) to scan

– Which users to exclude from the scan, e.g. disabled accounts (optional)

– The notification message text

– The SMTP relay server name

– The folder paths used in the scheduled batch file

Download: Password Expiration Script

Download: Batch file (log generation and scheduled execution)

Note: before releasing this to users, test it by sending all notifications to yourself first. To do so, change the line “objMessage.To = strDestEmail” to “objMessage.To = "Your Email ID"”. Once you are satisfied that everything works, revert the change and users will start receiving the alert mails from you.
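For comparison, here is how the same job looks in PowerShell with the RSAT ActiveDirectory module. This is an added example, not the VB Script from this post. It goes a little further than the script above: it scans several containers in one pass, lets the domain controller compute the expiry date (the constructed attribute msDS-UserPasswordExpiryTimeComputed honours fine-grained password policies, so no maximum-age constant is needed), reports passwords that have already expired as well as those about to expire, and writes one log line per user. The container names, relay host, sender address, log path and threshold are placeholders you would replace with your own; the $TestRecipient switch plays the role of the objMessage.To swap described in the note above.

```powershell
# Added example: PowerShell equivalent of the notification job described above.
# Not the original VBScript. Needs the RSAT ActiveDirectory module and a plain
# domain user; reading these attributes requires no admin rights.
# Every value below is an assumed placeholder for your own environment.
$SearchBases   = @('OU=Staff,DC=corp,DC=example', 'OU=Contractors,DC=corp,DC=example')
$NotifyWithin  = 14                              # days before expiry to start mailing
$SmtpServer    = 'relay.corp.example'           # must allow relay from this host
$From          = 'helpdesk@corp.example'
$LogPath       = 'C:\Scripts\PwdExpiry.log'
$TestRecipient = $null                           # set to your own address while testing

Import-Module ActiveDirectory

# Only enabled accounts whose password can expire and that have a mail address.
$filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and mail -like "*"'
$now = Get-Date

foreach ($base in $SearchBases) {
    $users = Get-ADUser -SearchBase $base -Filter $filter `
        -Properties mail, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($u in $users) {
        # Constructed attribute: the DC applies whichever policy governs this user
        # (default domain policy or a fine-grained policy), so the maximum password
        # age is never hard-coded here. Int64.MaxValue means "never expires";
        # 0 means the user must change the password at next logon.
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [int][Math]::Ceiling(($expires - $now).TotalDays)
        if ($daysLeft -gt $NotifyWithin) { continue }

        if ($daysLeft -le 0) {
            $subject = 'Your domain password has expired'
            $body    = "Your password for $($u.SamAccountName) expired on $($expires.ToString('d')). Please contact the help desk to have it reset."
        } else {
            $subject = "Your domain password expires in $daysLeft day(s)"
            $body    = "Your password for $($u.SamAccountName) expires on $($expires.ToString('f')). Please change it before then."
        }

        # While testing, every message goes to the operator instead of the user.
        $to = if ($TestRecipient) { $TestRecipient } else { $u.mail }

        try {
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to -Subject $subject -Body $body -ErrorAction Stop
            $status = "sent to $to"
        } catch {
            $status = "FAILED ($($_.Exception.Message))"
        }

        # One log line per user so you can see who was notified and when.
        Add-Content -Path $LogPath -Value ("{0} {1} expires={2:s} daysLeft={3} {4}" -f `
            (Get-Date -Format s), $u.SamAccountName, $expires, $daysLeft, $status)
    }
}
```

Run it once a day from a scheduled task under a low-privilege service account. The SMTP relay must accept unauthenticated mail from the host running the job; if it does not, Send-MailMessage throws and the failure is recorded in the log rather than silently skipped. Microsoft now marks Send-MailMessage as obsolete, but it still works fine against an internal relay such as an Exchange receive connector.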

Disclaimer: use this information and the tool mentioned at your own risk :)


12 Responses to “Sending Active Directory Domain Password Expiration Notification to End Users”

  1. Kevin said

    When I run it, the script identifies the users and pulls their last password change, but never sends an e-mail. What could be wrong?

    • Brajesh said

      Check the SMTP configuration at the end of the script, where you define the SMTP server name etc. You must have mail relay permission configured on your Exchange server, i.e. allow relay from the IP of the server/workstation you are running the script from.

      Let me know if it helps.

    • Check whether the user's mail attribute is populated... then you need the relay configuration set up the right way...

  2. Peter said

    Hi Brajesh,

    It is a nice script – I like it.
    I have one question. Let's assume that I have many AD accounts split under three different containers in AD like this:

    So, my question is how to modify the script in order to check all 3 locations one after another in one pass. Thanks in advance for the help, because I'm still new to VBScript.

  3. Pravin said

    Does it need an Exchange server to send e-mail? Won't any SMTP server work?


  4. Clark said

    How would I alter this to notify users whose passwords are already past my threshold? I have some users who may not have checked their login status for a while, and accounts may be expired as well as about to expire. It is a non-workstation domain where the users do not log in for anything other than applications.

  5. Lorance said

    Does it work with Windows 2008 servers?

  6. Lorance said

    I am getting an error on line 47: table doesn't exist.

  7. Sam Westfall said

    I know that it has been a while since this blog was updated, but I am receiving the same error message as Lorance: error at line 47.
