Configuring Password Expiration Notifications for AD Users | Windows OS Hub (2024)

Although Microsoft has removed the requirement to periodically change user passwords from its security baselines, most on-premises Active Directory domains have a policy that specifies the maximum age of a user’s password. Users often forget to change their expired passwords in time, resulting in unnecessary calls to IT support.

In this article, we’ll look at how to find out when a user account password on a domain will expire, and how to remind the user in advance that they need to change their password.

Contents:

  • How to Get the User Password Expiration Date in Active Directory
  • Enable Active Directory Password Expiration Notification Policy
  • Show a Password Expiration Pop-up Notification with PowerShell
  • Send Account Expiration Email Notifications with PowerShell

How to Get the User Password Expiration Date in Active Directory

The AD domain password policy settings determine the expiration date of a user’s password in a domain. To find the current settings of a domain’s password expiration policy, run the PowerShell command:

Get-ADDefaultDomainPasswordPolicy|select MaxPasswordAge

In this example, the maximum age of user passwords in the domain is 60 days.

Configuring Password Expiration Notifications for AD Users | Windows OS Hub (1)

In addition, the Fine-Grained Password policy can be used (optionally) to enable custom password expiration settings for some AD users and groups.

The user properties in Active Directory only have the pwdLastSet attribute, which contains the date of the last password change (can be viewed in the ADUC console (dsa.msc)-> AD Attribute Editor tab).

Configuring Password Expiration Notifications for AD Users | Windows OS Hub (2)

You can find out the expiration date of a user’s password in a domain using PowerShell (requires the AD PowerShell module), which allows getting the value of the msDS-UserPasswordExpiryTimeComputed attribute. The msDS-UserPasswordExpiryTimeComputed is a constructed attribute whose value is automatically calculated based on the date of the last password change and the domain password policy settings.

Get-ADUser -Identity jsmith -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, PasswordNeverExpires, PasswordExpired |Select-Object -Property Name,PasswordLastSet, PasswordNeverExpires, PasswordExpired,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

The cmdlet returns the values of the following attributes:

  • PasswordLastSet — time of last password change;
  • PasswordNeverExpires – returns True if the user’s password is set to Never Expire. This is one of the bit values of the UserAccountControl attribute;
  • PasswordExpired – returns True if the user’s password has expired;
  • ExpiryDate – the password expiry date.

List all users from a specific AD container (Organisational Unit) whose passwords have expired:

$Users = Get-ADUser -SearchBase 'OU=Users,OU=NewYork,DC=woshub,DC=com' -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet
$Users | select Name, @{Name="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, PasswordLastSet | where ExpirationDate -lt (Get-Date)

If the value of msDS-UserPasswordExpiryTimeComputed is 0, it means that pwdLastSet is empty (null) or equal to 0 (the password has never been changed).

Enable Active Directory Password Expiration Notification Policy

If you want to notify Active Directory users when they need to change their password, you can enable a separate Group Policy option in Windows.

The Interactive logon: Prompt user to change password before expiration policy is located in the GPO section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Configuring Password Expiration Notifications for AD Users | Windows OS Hub (5)

This policy is enabled by default in the local Group Policy settings (gpedit.msc). Notifications will start to appear 5 days before the password expires.

Once this policy is enabled, when a user’s password expires, a notification to change the password will appear in the system tray every time the user logs on to Windows. You can change the number of days before users see a password change notification.

Consider changing your passwordYour password will expire in xx days.

However, this message appears for a few seconds and is often ignored by users. Therefore, you can configure an additional pop-up notification for users when they need to change their password.

Show a Password Expiration Pop-up Notification with PowerShell

The following PowerShell script displays a pop-up message that prompts you to change your password if it expires in less than 5 days:

$DaysLeft = 5
try{
Add-Type -AssemblyName PresentationCore,PresentationFramework,WindowsBase,system.windows.forms
} catch {
Throw "Failed to load Windows Presentation Framework assemblies."
}
$curruser= Get-ADUser -Identity $env:username -Properties 'msDS-UserPasswordExpiryTimeComputed','PasswordNeverExpires'
if ( -not $curruser.'PasswordNeverExpires') {
$timediff=(new-timespan -start (get-date) -end ([datetime]::FromFileTime($curruser."msDS-UserPasswordExpiryTimeComputed"))).Days
if ($timediff -lt $DaysLeft) {
$msgBoxInput = [System.Windows.MessageBox]::Show("Your password will expire in "+ $timediff + " days!`nDoyou want to change it now?","Important!","YesNo","Warning")
switch ($msgBoxInput) {
'Yes' {
$Console = quser | Select-String -Pattern ">"| Select-String -Pattern "console" -Quiet
if ( $Console ) {
Start-Process -FilePath powershell -ArgumentList "-command Set-ADAccountPassword -Identity $env:username ; pause"
}
else {
cmd /c "C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"
}
}
'No' { }
}
}
}

The script requires the AD module for PowerShell to be installed on users’ computers. It can be used even if RSAT is not installed. See: Using the AD module without installing RSAT.

Configuring Password Expiration Notifications for AD Users | Windows OS Hub (7)

If there are less than 5 days left before the password expires, the script will prompt the user to change the password. If the user clicks Yes, a check is made to see if the user is logged on at the computer console or remotely:

  • If RDP sessions are detected, the user will see the Windows Security change password prompt, which can be accessed by pressing Ctrl+Alt+Del or Ctrl+Alt+End (used to change the password in an RDP session).
  • If the user is logged on locally (console session), the Set-ADAccountPassword cmdlet prompts you to change the password.

Schedule this PowerShell script to run through the Task Scheduler or run as a GPO logon script.

This only works on computers that have joined an Active Directory domain. If a user is connecting to a domain via VPN or using some type of web client (such as OWA), they will not see a notification that their password is about to expire. In this case, you can email users when their password expires.

Send Account Expiration Email Notifications with PowerShell

If you want to notify users by sending them an e-mail when their password is about to expire, you can use this PowerShell script:

$Sender = "[emailprotected]"
$Subject = 'Important! Your password is about to expire!'
$BodyTxt1 = 'Your password for'
$BodyTxt2 = 'expires in '
$BodyTxt3 = 'days. Remember to change your password in advance. Contact the HelpDesk if you have any questions'
$smtpserver ="smtp.woshub.com"
$warnDays = (get-date).adddays(7)
$2Day = get-date
$Users = Get-ADUser -SearchBase 'OU=Users,OU=NewYork,DC=woshub,DC=com' -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, EmailAddress, Name | select Name, @{Name ="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, EmailAddress
foreach ($user in $users) {
if (($user.ExpirationDate -lt $warnDays) -and ($2Day -lt $user.ExpirationDate) ) {
$lastdays = ( $user.ExpirationDate -$2Day).days
$EmailBody = $BodyTxt1, $user.name, $BodyTxt2, $lastdays, $BodyTxt3 -join ' '
Send-MailMessage -To $user.EmailAddress -From $Sender -SmtpServer $smtpserver -Subject $Subject -Body $EmailBody
}
}

The Send-MailMessage cmdlet has an -Attachment parameter. It allows you to attach a file to an email with instructions on how a user can change a password in your corporate environment.

The script finds all active domain users whose passwords are about to expire. In the 7 days before the password expires, a user will begin to receive emails sent to the address specified in the AD. Emails will continue to be sent until the password is changed or expires.

Run this PowerShell script regularly on any computer/server in your domain (it is easier to do it with the Task Scheduler). In this example, we don’t use SMTP authentication in the script. So should add this host IP to the list of allowed senders on your SMTP server to allow email to be sent without authentication.

By slightly modifying the script, you can send the password expiration notification directly to the user’s messenger.

  • Send Telegram Messages from PowerShell
  • Sending a Message to Teams Chats with PowerShell
Configuring Password Expiration Notifications for AD Users | Windows OS Hub (2024)

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Wyatt Volkman LLD

Last Updated:

Views: 6434

Rating: 4.6 / 5 (66 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Wyatt Volkman LLD

Birthday: 1992-02-16

Address: Suite 851 78549 Lubowitz Well, Wardside, TX 98080-8615

Phone: +67618977178100

Job: Manufacturing Director

Hobby: Running, Mountaineering, Inline skating, Writing, Baton twirling, Computer programming, Stone skipping

Introduction: My name is Wyatt Volkman LLD, I am a handsome, rich, comfortable, lively, zealous, graceful, gifted person who loves writing and wants to share my knowledge and understanding with you.