password expiry prompt "password will expire in x days" on logon screen

Question
-
I have a 2008 R2 domain controller. How to set the policy that notifies the user on the logon screen that your "password is expiring in x days. Please change it now" or something like that. I can see that there is a notification on the taskbar that pops up saying that the password will expire in x days, but chances are that users are going to miss seeing that popup. How to prompt the notification on the logon screen?
Thanks,
Wednesday, March 2, 2016 8:07 PM
Answers
-
This is not possible currently, to pop up on the logon screen in how many days your password is going to expire. You can however, configure a script that runs nightly and if you got really fancy you could configure that script to notify the user via email that their password is going to expire in XX days. A script like this is in the Gallery:
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Active-7179b91d
Best Regards, Todd Heron | Active Directory Consultant
- Proposed as answer by Todd Heron Thursday, March 3, 2016 1:01 PM
- Marked as answer by fim_sc Thursday, March 3, 2016 2:17 PM
Wednesday, March 2, 2016 9:52 PM -
My recommendation would be to send them e-mail notifications: http://social.technet.microsoft.com/wiki/contents/articles/23313.notify-active-directory-users-about-password-expiry-using-powershell.aspx
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
- Marked as answer by fim_sc Thursday, March 3, 2016 2:17 PM
Wednesday, March 2, 2016 11:17 PM -
Hi,
Here is a similar thread that may be helpful to you.
Best Regards,
Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Marked as answer by fim_sc Thursday, March 3, 2016 2:17 PM
Thursday, March 3, 2016 3:13 AM -
Please use this script; it will help you send the password expiry notification.
#Script to email user once password has been changed
#Denis Cooper
#October 2013
#
#Script is intended to run as a scheduled task every hour. It will find all users who have changed their password within the last hour and send an email to them to notify them
#their password was changed
#
#script uses quest powershell - you can download it from here http://www.quest.com/powershell/activeroles-server.aspx for free

#import the quest powershell module
Import-Module "C:\Program Files\Quest Software\Management Shell for AD\Quest.ActiveRoles.ARSPowerShellSnapin.dll"
Connect-QADService

#Email Function
#reads $firstname, $useremail and $lastset from the calling scope (set in the foreach loop below)
Function EmailUser {
    #setup email variables
    #change the settings for smtp server, from address, subject and content.
    #you can use $firstname variable to display the users name in the email
    #you can use $lastset to display the last time the password was changed
    $internalsmtpServer = "name or ip address of smtp server"
    $fromaddress = "ithelpdesk@company.com"
    $subject = "Your password has recently been changed"
    $MessageContent = "
Hello $firstname,
Your password was reset on $lastset
If this was not your intention please contact the IT Helpdesk
"
    #only change the CC if you need to cc someone otherwise you can delete the CC line
    $messageParameters = @{
        Subject = $subject
        Body = $messagecontent
        From = $fromaddress
        TO = "$useremail"
        CC = "IT.Helpdesk@IT.Com"
        SmtpServer = $internalsmtpServer
    }
    Send-MailMessage @messageParameters
}

#Don't change these settings - they get the date and time when the script is run - and then takes an hour away from the current time.
$Time = Get-Date
$TimeMinus1 = $Time.AddHours(-1)

#this uses quest AD powershell to search AD for all users who have changed their password in the last hour - you can change the search OU, or if you want to search the whole
#active directory just remove the -searchroot 'ou=ouname,dc=domain,dc=com' from the command below
$Users = Get-QADUser -SearchRoot 'ou=ouname,dc=domain,dc=com' -SizeLimit 0 | Where-Object {$_.PasswordLastSet -ge $TimeMinus1 -and $_.PasswordLastSet -le $time}

#for each user found to have changed their password in the last hour, get additional attributes and send them an email
foreach ($user in $users) {
    $UserDetails = Get-QADUser $User
    $FirstName = $UserDetails.FirstName
    $UserEmail = $userdetails.mail
    $LastSet = $userdetails.PasswordLastSet
    EmailUser
}
*******************************************************************************************************************************************
#same check using the ActiveDirectory module instead of the Quest cmdlets
Import-Module ActiveDirectory
$minuteschanged = 60
$timeminus1 = (Get-Date).AddMinutes(-$minuteschanged)
#accounts without a mail attribute are skipped, MailMessage cannot be built with an empty recipient
Get-ADUser -SearchBase "ou=test,dc=lab,dc=lcl" -Filter * -Properties name,mail,samaccountname,passwordlastset |
    Where-Object {$_.PasswordLastSet -ge $timeminus1 -and $_.mail} |
    ForEach-Object {
        #Send Email to users
        $SMTPServer = "email.lab.lcl"
        $from = "AccountAdmin@lab.lcl"
        $to = $_.mail
        $SamAccountName = $_.name
        $LastSet = $_.PasswordLastSet
        $subject = "Your password has been reset"
        $emailbody = "Hello $SamAccountName your password was reset on $LastSet"
        $mailer = New-Object Net.Mail.SmtpClient($SMTPServer)
        $msg = New-Object Net.Mail.MailMessage($from, $to, $subject, $emailbody)
        $mailer.Send($msg)
    }
- Marked as answer by fim_sc Thursday, March 3, 2016 2:17 PM
Thursday, March 3, 2016 4:00 AM -
As said above, you should be able to implement the given command to notify the users about their password expiration.
Furthermore, if you are also willing to manage the task automatically, this password expiry notification tool can also be useful to work around your concern. It notifies users by sending a customized email notification when their password is about to expire.
- Marked as answer by fim_sc Thursday, March 3, 2016 2:17 PM
Thursday, March 3, 2016 7:12 AM -
Hi,
You can try this PowerShell script from Script Center to send notifications via email:
https://gallery.technet.microsoft.com/scriptcenter/Password-Expiry-Email-177c3e27
Alternately, if you wish for advanced options you can try this Password Expiration notification tool.
Regards,
Santhosh.
- Marked as answer by fim_sc Thursday, March 3, 2016 2:17 PM
Thursday, March 3, 2016 8:15 AM
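The selection step of the nightly "expires in XX days" script that the answers above recommend, as an added example that is not taken from the thread or from the linked Gallery scripts. It reads the msDS-UserPasswordExpiryTimeComputed attribute and skips its two sentinel values; the function names, the 14-day window and the sample accounts are assumptions made for illustration.

```powershell
# Added example (not from the thread). Input objects need SamAccountName, mail and
# msDS-UserPasswordExpiryTimeComputed, as Get-ADUser returns when asked for them.
function Get-PasswordExpiryNotice {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [int] $WarnDays = 14,              # assumed warning window
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = password never expires.
        # Neither is a date, and FromFileTime throws on Int64.MaxValue.
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }
        if (-not $User.mail) { return }    # no mailbox to notify
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { return }
        New-Object PSObject -Property @{
            SamAccountName = $User.SamAccountName
            Mail           = $User.mail
            Expires        = $expires
            DaysLeft       = [int] $daysLeft
        }
    }
}

# Hypothetical helper that builds constructed sample accounts, so the logic runs without a domain.
function New-SampleUser($Name, $Mail, $FileTime) {
    New-Object PSObject -Property @{
        SamAccountName = $Name; mail = $Mail
        'msDS-UserPasswordExpiryTimeComputed' = $FileTime
    }
}
$now = Get-Date
$sample = @(
    (New-SampleUser 'alice'      'alice@example.com' ($now.AddDays(5).ToFileTime())),   # inside window
    (New-SampleUser 'bob'        'bob@example.com'   ($now.AddDays(40).ToFileTime())),  # too far out
    (New-SampleUser 'carol'      'carol@example.com' 0),                                # must change at logon
    (New-SampleUser 'svc-backup' 'ops@example.com'   ([int64]::MaxValue)),              # never expires
    (New-SampleUser 'mallory'    $null               ($now.AddDays(3).ToFileTime()))    # no mail attribute
)
$sample | Get-PasswordExpiryNotice -WarnDays 14 -Now $now | Format-Table -AutoSize

# Against a real domain (run as the nightly scheduled task):
# Import-Module ActiveDirectory
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail,'msDS-UserPasswordExpiryTimeComputed' |
#   Get-PasswordExpiryNotice -WarnDays 14 | ForEach-Object {
#     Send-MailMessage -To $_.Mail -From 'ithelpdesk@company.com' -SmtpServer '<smtp server>' `
#       -Subject "Your password expires in $($_.DaysLeft) day(s)" `
#       -Body 'Press Ctrl+Alt+Del and choose "Change a password". This message contains no links.'
#   }
```

Only the constructed account alice is selected. Because the attribute is computed by the domain controller, accounts covered by a fine-grained password policy get the expiry date of that policy rather than the domain default.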
All replies
-
Thank you all. We have FIM for our identity management and the plan is to use the pwdLastSet attribute to send out email notifications using inbuilt functionality of FIM.
Thursday, March 3, 2016 2:18 PM