User Expiration Notification Options

    Question

  • I'm looking for a solution to notify users by email at preset intervals prior to their ID expiring.  For example, a job that runs each night and checks the user ID expiration (NOT password expiration) and if one is set it emails the user at 30, 14, 7, and 1 day prior to their ID expiring to let them know this is coming up and to call the service desk if they need to be extended.  I've found VB scripts that can notify by a popup message box on login and tools to pull the lists of expired users but am having trouble finding user ID expiration notification options.  Anything out there like this?
    • Moved by Bruce-Liu Wednesday, January 12, 2011 7:15 AM (From:Security)
    Tuesday, January 11, 2011 11:24 PM

Answers

  • Hi Michael,

    As far as I know, there is no built-in option to do this. As Paul has suggested, you can modify the current script to send email. If you have difficulty customizing the script, I suggest that you create a new post in the Official Scripting Guys Forum to get further support there. They are the best resource for scripting-related problems.

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    Hope this helps.

    Regards,

    Bruce


    • Proposed as answer by Meinolf WeberMVP Wednesday, January 12, 2011 12:52 PM
    • Marked as answer by Bruce-Liu Friday, January 28, 2011 4:06 AM
    Wednesday, January 12, 2011 7:37 AM
    Wednesday, January 12, 2011 12:49 PM
  • The example VBScript program displays information on users whose account will expire in the next 14 days. The 14 days is hard coded, so you can use any value desired:

    ' AcctsAboutToExpire.vbs
    ' VBScript program to find accounts that will expire in the
    ' next 14 days.
    Option Explicit
    
    Dim objShell, lngBiasKey, lngTZBias
    Dim adoConnection, adoCommand, objRootDSE, strDNSDomain
    Dim strBase, strFilter, strAttributes, strQuery
    Dim adoRecordset, strNTName, strDN
    Dim dtmCritical1, lngSeconds1, str64Bit1
    Dim dtmCritical2, lngSeconds2, str64Bit2
    Dim objDate, dtmExpire, k
    
    ' Obtain local Time Zone bias from machine registry.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
      & "TimeZoneInformation\ActiveTimeBias")
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
      lngTZBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
      lngTZBias = 0
      For k = 0 To UBound(lngBiasKey)
        lngTZBias = lngTZBias + (lngBiasKey(k) * 256^k)
      Next
    End If
    
    ' Determine critical dates, now and 14 days in future.
    dtmCritical1 = Now()
    dtmCritical2 = DateAdd("d", 14, Now())
    
    ' Convert to UTC.
    dtmCritical1 = DateAdd("n", lngTZBias, dtmCritical1)
    dtmCritical2 = DateAdd("n", lngTZBias, dtmCritical2)
    
    ' Convert to seconds since 1/1/1601
    lngSeconds1 = DateDiff("s", #1/1/1601#, dtmCritical1)
    lngSeconds2 = DateDiff("s", #1/1/1601#, dtmCritical2)
    
    ' Convert to 100-nanosecond intervals
    str64Bit1 = CStr(lngSeconds1) & "0000000"
    str64Bit2 = CStr(lngSeconds2) & "0000000"
    
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    adoCommand.ActiveConnection = adoConnection
    
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    
    ' Filter on user objects that expire between now and next 14 days.
    strFilter = "(&(objectCategory=person)(objectClass=user)" _
      & "(accountExpires>=" & str64Bit1 & ")" _
      & "(accountExpires<=" & str64Bit2 & "))"
    
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,accountExpires"
    
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
      ' Retrieve values and display.
      strNTName = adoRecordset.Fields("sAMAccountName").Value
      strDN = adoRecordset.Fields("distinguishedName").Value & ""
      Set objDate = adoRecordset.Fields("accountExpires").Value
      dtmExpire = Integer8Date(objDate, lngTZBias)
      Wscript.Echo strDN & "," & strNTName & "," & dtmExpire
      ' Move to the next record in the recordset.
      adoRecordset.MoveNext
    Loop
    
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    
    Function Integer8Date(ByVal objDate, ByVal lngBias)
      ' Function to convert Integer8 (64-bit) value to a date, adjusted for
      ' local time zone bias.
      Dim lngAdjust, lngDate, lngHigh, lngLow
      lngAdjust = lngBias
      lngHigh = objDate.HighPart
      lngLow = objDate.LowPart
      ' Account for error in IADsLargeInteger property methods.
      If (lngLow < 0) Then
        lngHigh = lngHigh + 1
      End If
      If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
      End If
      lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
      ' Trap error if lngDate is ridiculously huge.
      On Error Resume Next
      Integer8Date = CDate(lngDate)
      If (Err.Number <> 0) Then
        On Error GoTo 0
        Integer8Date = #1/1/1601#
      End If
      On Error GoTo 0
    End Function

     

    To add the functionality to email the users, you would retrieve the "mail" and/or "proxyAddresses" attributes of the user, then use a function similar to below:

    Sub SendEmailMessage(ByVal strDestEmail, ByVal strNTName, ByVal dtmDate)
      ' Send email message.
      Dim objMessage
    
      If (strDestEmail = "") Then
        Exit Sub
      End If
    
      Set objMessage = CreateObject("CDO.Message") 
      objMessage.Subject = "Password Will Expire"
      ' Hard code sender email address.
      objMessage.Sender = "jimsmith@mycompany.com" 
      objMessage.To = strDestEmail 
      objMessage.TextBody = "The password for account " & strNTName _
        & " will expire " & CStr(dtmDate)
      objMessage.Send
    End Sub

     

    This function requires CDO, and is coded for a different purpose, but you get the idea. It comes from the following example VBScript program, which sends an email message to users whose password is about to expire:

    http://www.rlmueller.net/PasswordExpires.htm

    You could modify this example to use the filter I used in the first program, so it emails users whose account is about to expire. I hope this helps.

    Richard Mueller


    MVP ADSI
    • Marked as answer by Bruce-Liu Friday, January 28, 2011 4:06 AM
    Wednesday, January 12, 2011 5:51 PM
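
An added example, not part of Richard Mueller's post or the linked script: one way to combine the accountExpires filter above with a CDO mail routine so that a nightly job sends notices at 30, 14, 7 and 1 day before expiry. The sender address and the procedure names ToInteger8 and SendNotice are placeholders, and the script assumes ActiveTimeBias reads as a Long and that CDO can send with its default configuration.

```vbscript
Option Explicit
Dim objShell, lngTZBias, objRootDSE, strBase, adoConnection, adoCommand
Dim adoRecordset, intDays, dtmStart, strFilter
' Local time zone bias in minutes (assumes the registry value reads as a Long).
Set objShell = CreateObject("Wscript.Shell")
lngTZBias = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
  & "TimeZoneInformation\ActiveTimeBias")
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 100
' One pass per notice interval. Each pass matches only accounts expiring on
' the single local day intDays ahead, so a user gets one mail per interval.
For Each intDays In Array(30, 14, 7, 1)
  dtmStart = DateAdd("d", intDays, Date())
  strFilter = "(&(objectCategory=person)(objectClass=user)(mail=*)" _
    & "(accountExpires>=" & ToInteger8(dtmStart) & ")" _
    & "(accountExpires<=" & ToInteger8(DateAdd("s", 86399, dtmStart)) & "))"
  adoCommand.CommandText = strBase & ";" & strFilter & ";sAMAccountName,mail;subtree"
  Set adoRecordset = adoCommand.Execute
  Do Until adoRecordset.EOF
    SendNotice adoRecordset.Fields("mail").Value, _
      adoRecordset.Fields("sAMAccountName").Value, intDays
    adoRecordset.MoveNext
  Loop
  adoRecordset.Close
Next
adoConnection.Close

Function ToInteger8(ByVal dtmLocal)
  ' Local date/time -> UTC -> 100-nanosecond intervals since 1/1/1601.
  ToInteger8 = CStr(DateDiff("s", #1/1/1601#, _
    DateAdd("n", lngTZBias, dtmLocal))) & "0000000"
End Function

Sub SendNotice(ByVal strTo, ByVal strNTName, ByVal intLeft)
  Dim objMessage
  Set objMessage = CreateObject("CDO.Message")
  objMessage.From = "servicedesk@example.com"   ' placeholder sender address
  objMessage.To = strTo
  objMessage.Subject = "Account expires in " & intLeft & " day(s)"
  objMessage.TextBody = "Account " & strNTName & " expires in " & intLeft _
    & " day(s). Contact the service desk if it needs to be extended."
  objMessage.Send
End Sub
```

Accounts set to never expire (accountExpires of 0 or 9223372036854775807) fall outside every window, so they are never mailed. A skipped nightly run means that day's notice is not sent.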

All replies

  • On Tue, 11 Jan 2011 23:24:43 +0000, Michael Horseman wrote:

    I'm looking for a solution to notify users by email at preset intervals prior to their ID expiring. For example, a job that runs each night and checks the user ID expiration (NOT password expiration) and if one is set it emails the user at 30, 14, 7, and 1 day prior to their ID expiring to let them know this is coming up and to call the service desk if they need to be extended. I've found VB scripts that can notify by a popup message box on login and tools to pull the lists of expired users but am having trouble finding user ID expiration notification options. Anything out there like this?

    If you Google for VBS send email you'll get a lot of hits like this one:

    http://www.petri.co.il/send_mail_from_script.htm

    You'd simply need to take one of these examples and then combine it with
    one of the scripts you've found that pulls the expiration date of the
    account from AD.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Wednesday, January 12, 2011 6:42 AM