Password Expiration Notification Form

    • #219816
      Participant
      Topics: 66
      Replies: 71
      Points: 510
      Rank: Major Contributor

      I have been tasked to create a prompt for our users logging into our terminal server farm where, if their AD password is less than 6 days from expiring, they will receive a window prompt informing them of the expiration, with an option to change their password or do it later.

      The Windows Form is a no-brainer which I will create with PowerShell Studio. I will simply create a form that will do a Get-Date for today and then, based on the user login, do a Get-ADUser for that user, get the expiration date, get the date difference and, if it is less than or equal to 6 days, display my Windows form. One button will call the shell script to change their password and the other will just close the form.

      My only issue is where do I launch this PowerShell form from? Each user uses a login script, so do I launch it from there? I need to have them fully logged into their terminal server before they see the prompt. Do I use NetLogin and call my script that way?

      Not really sure how to position this script (I will most likely have a full exe placed somewhere in our environment).
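The check described in the post above, as an added example that is not code from the thread: it reads msDS-UserPasswordExpiryTimeComputed (so fine-grained password policies are honoured), returns $null for never-expiring passwords, and the change-password script path is an assumed placeholder.

```powershell
# Added example, not from the thread: days until the logged-on user's AD password expires.
Import-Module ActiveDirectory

function Get-PasswordExpiryDays {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server          # optional DC; omitted = nearest DC
    )
    $params = @{
        Identity   = $SamAccountName
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires', 'PasswordExpired'
    }
    if ($Server) { $params.Server = $Server }
    $user = Get-ADUser @params

    # Computed by the DC from pwdLastSet and the effective (domain or fine-grained) policy.
    $raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    if ($user.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) { return $null }  # never expires
    # pwdLastSet = 0 means "must change at next logon": treat as expiring now.
    $expiresOn = if ($raw -eq 0) { Get-Date } else { [DateTime]::FromFileTime($raw) }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        ExpiresOn      = $expiresOn
        DaysLeft       = [math]::Floor(($expiresOn - (Get-Date)).TotalDays)
        AlreadyExpired = [bool]$user.PasswordExpired
    }
}

$threshold = 6    # days, from the question
$info = Get-PasswordExpiryDays -SamAccountName $env:USERNAME
if ($null -ne $info -and $info.DaysLeft -le $threshold) {
    Add-Type -AssemblyName System.Windows.Forms
    $msg = "Your password expires on $($info.ExpiresOn.ToString('f')) " +
           "($($info.DaysLeft) day(s) left). Change it now?"
    $choice = [System.Windows.Forms.MessageBox]::Show($msg, 'Password expiring',
        [System.Windows.Forms.MessageBoxButtons]::YesNo,
        [System.Windows.Forms.MessageBoxIcon]::Warning)
    if ($choice -eq [System.Windows.Forms.DialogResult]::Yes) {
        # Placeholder: the change-password routine the question refers to
        & '\\fileserver\scripts\ChangePassword.ps1'
    }
}
```

Querying the computed attribute instead of adding MaxPasswordAge to PasswordLastSet avoids wrong dates for users covered by a password settings object.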

    • #219828
      Participant
      Topics: 3
      Replies: 342
      Points: 1,130
      Helping Hand
      Rank: Community Hero

      Doesn’t Windows already do that?

      How to Prompt User to Change Windows Password Before Expiration

      you can set the amount of days when it prompts. Forgive me if I misunderstood.

    • #219939
      Participant
      Topics: 66
      Replies: 71
      Points: 510
      Rank: Major Contributor

      The problem is that users are not seeing it and it results in a deluge of calls that their password has expired. We apparently need something more in their field of view.

    • #219957
      Participant
      Topics: 4
      Replies: 2249
      Points: 5,494
      Helping Hand
      Rank: Community MVP

      Just an idea: What about using the task scheduler? There you can set up a trigger like “At log on” or “On connection to user session” and you can set up a delay if you need.

    • #219963
      Participant
      Topics: 11
      Replies: 23
      Points: 162
      Rank: Participant

      Brian, also what about an email notification to your entire environment when their PW is less than xx days? We currently do this weekly when it is less than 14 days till expiration. The issue would be if you have a lot of users without email.

      # Values the snippet relies on but were defined elsewhere in the original script (placeholders)
      $ExceptionOUs = 'OU=ServiceAccounts,DC=domain,DC=com'   # OU suffix to skip
      $smtpServer   = 'smtp.domain.com'
      $from         = 'helpdesk@domain.com'

      # Date when passwords are 14 days from expiration (date minus (90-14) days; assumes a 90-day max age)
      $DaysExpire = (Get-Date).AddDays(-76)
      $users = Get-ADUser -Filter {(Enabled -eq $true) -and (mail -like "*@*") -and (PasswordLastSet -le $DaysExpire) -and (PasswordNeverExpires -eq $false)} `
          -Properties givenname,sn,mail,PasswordLastSet,Enabled,PasswordNeverExpires,PasswordExpired -Server dc.domain.com |
          Where-Object { $_.DistinguishedName -notlike "*,$ExceptionOUs" -and $_.PasswordExpired -eq $false }

      Then we run a foreach. This can probably be done a lot cleaner, but this is the code we have been using:

      # Max age comes from the default domain policy, so it is read once outside the loop;
      # users under a fine-grained password policy would need a different calculation.
      $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
      $today = Get-Date

      foreach ($user in $users) {
          $FirstName       = $user.givenname
          $LastName        = $user.sn
          $emailaddress    = $user.mail
          $passwordSetDate = $user.PasswordLastSet
          $expireson       = $passwordSetDate + $maxPasswordAge
          $daystoexpire    = (New-TimeSpan -Start $today -End $expireson).Days
          $subject = "Your password will expire in $daystoexpire days"

          $body = "Dear $FirstName $LastName,
      Your Windows Account Password will expire in $daystoexpire days.

      To change your password on a PC (must be connected to vpn or in a corporate physical location) press CTRL-ALT-Delete and choose Change Password...
      If your phone or other device is receiving company email, don't forget to change your password on those devices too!

      If you have difficulty changing your password or your account is locked out, please call HELPDESK at 1-800-555-5555.


      Thank you,
      Your IT Administrator
      "
          # Body is plain text with line breaks; -BodyAsHtml would collapse them, so it is omitted
          Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -Priority High
      }


      Hope this can help. Either way, maybe look at how I get the users with PWs expiring to figure out how to add it to the LOGIN script Olaf recommended, which is a great option if you only care about the TS boxes.

    • #219966
      Participant
      Topics: 3
      Replies: 342
      Points: 1,130
      Helping Hand
      Rank: Community Hero

      As Don Jones would say, that’s an HR issue. It’s not unreasonable to expect them to see it and not let their passwords expire. However, why not just email them until they get the hint? Surely they don’t miss their emails too? Server side script that emails people with passwords expiring in n days or less, possibly getting more frequent as the day approaches? CC’ing the <insert scary person> for extra motivation?

    • #220224
      Participant
      Topics: 66
      Replies: 71
      Points: 510
      Rank: Major Contributor

      This is a good idea, but there is a subset of clinics that do not have email for their staff.

    • #220230
      Participant
      Topics: 66
      Replies: 71
      Points: 510
      Rank: Major Contributor

      I could do this as a task scheduler, but there are probably a total of 120 terminal servers. I would have to create the task on all and then updates/edits would have to be done on EACH. Ideally I would want a centrally managed solution.
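The "At log on" scheduled task suggested in #219957, registered on the terminal servers from #220230 in one pass, as an added example that is not code from the thread: the task points at the check script on a central share (so editing that one file updates every server), and the share path, task name and server list are assumptions.

```powershell
# Added example, not from the thread: register a logon-triggered task on many servers at once.
$scriptPath = '\\fileserver\scripts\Check-PasswordExpiry.ps1'   # PLACEHOLDER central share
$taskName   = 'PasswordExpiryPrompt'

$register = {
    param($ScriptPath, $TaskName)
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # Fire at any user's logon, but wait 2 minutes so the session is fully built first
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    $trigger.Delay = 'PT2M'                           # ISO 8601 duration
    # Run in the logging-on user's own session, without elevation
    $principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    "$env:COMPUTERNAME: registered $TaskName"
}

# Constructed server list for illustration; in practice take it from the TS OU via Get-ADComputer
$servers = 'TS01', 'TS02', 'TS03'
Invoke-Command -ComputerName $servers -ScriptBlock $register `
    -ArgumentList $scriptPath, $taskName -ErrorAction Continue
```

Re-running the same command with a changed trigger or delay updates every server, since -Force overwrites the existing task.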

    • #220233
      Participant
      Topics: 4
      Replies: 2249
      Points: 5,494
      Helping Hand
      Rank: Community MVP

      I’d like to share another idea you might discuss with your colleagues, security officers, managers … even Microsoft recommends considering dropping password expiration policies.

      https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903

      This doc might not be about your target environment but I think that does not really matter for this topic.

    • #220275
      Participant
      Topics: 3
      Replies: 342
      Points: 1,130
      Helping Hand
      Rank: Community Hero

      Very interesting. Thanks for sharing Olaf
