How to configure password expiration notifications
In many organizations, password expiration notifications are not just a recommendation but a necessity to comply with internal policies or regulatory requirements. They help ensure that end users adhere to these rules, maintaining both personal and organizational security standards. Password expiration notifications are an essential component of proactive security measures, balancing the need for robust protection with user convenience.
When it comes to notifying users that their passwords are going to expire soon, more communication is always better. Users do not enjoy the password change process; keeping them informed of when their password will expire is a simple way to improve their experience. This post provides an overview of how you can configure password expiration notification settings for Active Directory users.
Why do we need to notify end users about password expirations?
Password expiration notifications play a crucial role in maintaining robust security practices for end users. They serve as timely reminders to update passwords regularly, a habit that lies at the heart of good security hygiene. By prompting users to change their passwords periodically, these notifications help safeguard accounts from unauthorized access, particularly in cases where a password might have been compromised without the user’s knowledge.
Advance notifications prevent the inconvenience of sudden account lockouts, which can disrupt workflow and cause frustration, especially in professional environments. They also provide an opportunity to educate users about creating stronger, more secure passwords, thereby enhancing overall security. Additionally, these notifications foster a culture of security awareness among users. They remind users of their responsibility in maintaining cybersecurity and can help protect against threats like credential stuffing attacks, where hackers use stolen credentials from one platform to attempt logins on others.
Guide to manually configuring password expiration notifications
Active Directory supports notifying users of upcoming password expiration, but only when they are logged into domain-joined client systems connected to the corporate network.
The configuration for these notifications lives in Group Policy, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Prompt user to change password before expiration.
Either set this in your Default Domain Policy or create/use another GPO and configure how many days before expiration the user should be notified.
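Once the GPO is in place, it is worth confirming on a client that the setting actually arrived. The following PowerShell check is an added example, not part of the original post; it assumes that this policy is stored on the client as the PasswordExpiryWarning DWORD under the Winlogon registry key shown in the code, and that a missing value means the operating-system default is in effect rather than your GPO.

```powershell
# Added example (not from the original post): verify on a domain-joined client that
# "Interactive logon: Prompt user to change password before expiration" has applied.
# Assumption: the policy is backed by the PasswordExpiryWarning DWORD (days) under
# the Winlogon key below; if the value is absent, the OS default applies, not the GPO.

function Test-PasswordExpiryWarning {
    param(
        [int] $ExpectedDays = 14   # the number of days you configured in the GPO
    )

    $key  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $name = "PasswordExpiryWarning"

    # Returns $null when the value does not exist (no error is raised)
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Configured    = ($null -ne $value)          # $false -> GPO has not applied / out of scope
        WarningDays   = $value
        MatchesPolicy = ($value -eq $ExpectedDays)  # $false -> another GPO or a local setting wins
    }
}

# Usage: compare the client against the value you set in Group Policy
Test-PasswordExpiryWarning -ExpectedDays 14
```

If Configured is false, the machine has not received the GPO yet (or is outside its scope); if WarningDays differs from what you set, a higher-precedence GPO or a local setting is overriding it, and `gpresult /h` will show which one.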

But what about users who are not regularly on domain-joined machines on the network? And what if you want more control over when users are notified, or over what information the notification contains (e.g. the password policy requirements)?
Many administrators will turn to scripting to find the users with upcoming expiration and generate emails.
PowerShell script for password expiration notifications
The following PowerShell script will list all users whose passwords are expected to expire based on the threshold set on the first line, as well as the exact time in UTC that their password will expire. The results are then used to generate email messages to users whose passwords are about to expire.
```powershell
# Number of days before expiry at which users should be notified
$daysBeforeExpiryToNotify = 14

# Current time and the notification threshold, both as FILETIME values so they can
# be compared directly with the msDS-UserPasswordExpiryTimeComputed attribute
$now       = (Get-Date).ToUniversalTime().ToFileTime()
$threshold = (Get-Date).ToUniversalTime().AddDays($daysBeforeExpiryToNotify).ToFileTime()

# Enabled users whose password can expire and whose computed expiry time falls
# between now and the threshold
$users = Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
    -Properties "msDS-UserPasswordExpiryTimeComputed", mail `
    -SearchBase "OU=Users,OU=Specops,DC=specopsdemo1,DC=com" |
    Where-Object { $_."msDS-UserPasswordExpiryTimeComputed" -lt $threshold -and `
                   $_."msDS-UserPasswordExpiryTimeComputed" -gt $now } |
    Select-Object "Name", "Mail",
        # FromFileTimeUtc keeps the value in UTC, matching the "(UTC)" label in the email
        @{Name = "ExpiryDate";   Expression = { [datetime]::FromFileTimeUtc($_."msDS-UserPasswordExpiryTimeComputed") }},
        # 864000000000 = 10,000,000 FILETIME ticks per second * 86,400 seconds per day
        @{Name = "DaysToExpiry"; Expression = { [int](($_."msDS-UserPasswordExpiryTimeComputed" - $now) / 864000000000) }} |
    Sort-Object Name

# Show the list, then email each affected user
$users

foreach ($user in $users) {
    Send-MailMessage -From "it@specopsdemo1.com" `
        -SmtpServer mail.specopsdemo1.com `
        -To $user.Mail `
        -Subject "Your password will expire in $($user.DaysToExpiry) days" `
        -Body "Your password will expire at $($user.ExpiryDate) (UTC)."
}
```

Drawbacks to manually setting up notifications
Manually setting up password expiration notifications can present challenges for IT administrators. One of the primary issues is the time and effort required to configure these notifications for each user or group within the system. In large organizations with numerous employees, this task can become incredibly labor-intensive, diverting IT resources from other critical tasks.
Consistency is another significant challenge. Manual setup increases the risk of human error, which can lead to inconsistencies in notification settings. Some users might receive notifications too frequently, leading to notification fatigue, while others might not receive them often enough, compromising security.
Additionally, manual processes can make it difficult to track and manage notification schedules. IT admins may struggle to keep records of when notifications were last sent, who has been notified, and who has complied with the password change requests. This lack of visibility can hinder effective security management.
Furthermore, manual setup often means that the notification content and timing are static, lacking the flexibility to adapt to different user roles, behaviors, or evolving security threats. For instance, IT admins might want to send more frequent notifications to users with higher access privileges or those whose accounts have shown suspicious activity.
Manual processes can also be challenging to scale. As the organization grows and more users are added to the system, the complexity of managing manual notifications increases exponentially, making it an unsustainable long-term solution.
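Two of the drawbacks above, inconsistent notification frequency and no record of who was told when, can be addressed in a script as well, at the cost of more code to maintain. The example below is added here and is not part of the original post or the product it describes. It separates the selection logic from Get-ADUser so it can be exercised offline against constructed user objects, sends reminders only at fixed day-marks (14, 7, 3 and 1 days) rather than on every run, and records each send in a CSV log so the same reminder is never sent twice. The user names, addresses, sender and SMTP server are constructed placeholders.

```powershell
# Added example (not from the original post). Selection logic for expiry reminders
# with fixed day-marks and a send log; the user objects below are constructed sample
# data shaped like Get-ADUser output (Name, Mail, msDS-UserPasswordExpiryTimeComputed).

function Get-ExpiryNotificationCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int[]]    $NotifyAtDays = @(14, 7, 3, 1),                      # day-marks for reminders
        [string]   $LogPath = (Join-Path $env:TEMP "pwd-expiry-log.csv"),
        [datetime] $NowUtc  = (Get-Date).ToUniversalTime()
    )

    $nowFileTime = $NowUtc.ToFileTime()
    $ticksPerDay = 864000000000   # 10,000,000 FILETIME ticks per second * 86,400 seconds

    # Reminders already sent, keyed "mail|tier", so a user gets each tier at most once
    $alreadySent = @{}
    if (Test-Path $LogPath) {
        Import-Csv $LogPath | ForEach-Object { $alreadySent["$($_.Mail)|$($_.Tier)"] = $true }
    }

    foreach ($u in $Users) {
        $expiry = $u."msDS-UserPasswordExpiryTimeComputed"
        # 0 / Int64.MaxValue mean "never expires"; a value in the past is already expired
        if (-not $expiry -or $expiry -eq [long]::MaxValue -or $expiry -le $nowFileTime) { continue }
        if (-not $u.Mail) { Write-Warning "No mail attribute for $($u.Name); skipping"; continue }

        $daysLeft = [int][math]::Ceiling(($expiry - $nowFileTime) / $ticksPerDay)

        # Smallest day-mark that is still >= daysLeft: the reminder that is currently due
        # (a missed earlier mark is caught up on the next run instead of being lost)
        $tier = $NotifyAtDays | Where-Object { $_ -ge $daysLeft } | Sort-Object | Select-Object -First 1
        if ($null -eq $tier -or $alreadySent["$($u.Mail)|$tier"]) { continue }

        [pscustomobject]@{
            Name          = $u.Name
            Mail          = $u.Mail
            DaysToExpiry  = $daysLeft
            Tier          = $tier
            ExpiryDateUtc = [datetime]::FromFileTimeUtc($expiry)
        }
    }
}

function Send-ExpiryNotification {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Candidate,
        [string] $LogPath    = (Join-Path $env:TEMP "pwd-expiry-log.csv"),
        [string] $From       = "it@example.com",      # placeholder sender
        [string] $SmtpServer = "mail.example.com"     # placeholder SMTP relay
    )
    process {
        $subject = "Your password will expire in $($Candidate.DaysToExpiry) day(s)"
        # -WhatIf makes this a dry run: nothing is sent and nothing is logged
        if ($PSCmdlet.ShouldProcess($Candidate.Mail, "Send '$subject'")) {
            Send-MailMessage -From $From -SmtpServer $SmtpServer -To $Candidate.Mail `
                -Subject $subject -Body "Your password will expire at $($Candidate.ExpiryDateUtc) (UTC)."
            # Record the send so the same tier is not repeated and admins can audit who was told when
            [pscustomobject]@{
                SentAtUtc    = (Get-Date).ToUniversalTime().ToString("o")
                Mail         = $Candidate.Mail
                Tier         = $Candidate.Tier
                DaysToExpiry = $Candidate.DaysToExpiry
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Constructed sample data standing in for Get-ADUser output
$nowUtc = (Get-Date).ToUniversalTime()
$sampleUsers = @(
    [pscustomobject]@{ Name = "Alice Example"; Mail = "alice@example.com"; "msDS-UserPasswordExpiryTimeComputed" = $nowUtc.AddDays(10).ToFileTime() }  # 14-day tier due
    [pscustomobject]@{ Name = "Bob Example";   Mail = "bob@example.com";   "msDS-UserPasswordExpiryTimeComputed" = $nowUtc.AddDays(2.5).ToFileTime() } # 3-day tier due
    [pscustomobject]@{ Name = "Carol Example"; Mail = "carol@example.com"; "msDS-UserPasswordExpiryTimeComputed" = $nowUtc.AddDays(40).ToFileTime() }  # nothing due yet
    [pscustomobject]@{ Name = "Svc Account";   Mail = "svc@example.com";   "msDS-UserPasswordExpiryTimeComputed" = [long]::MaxValue }                   # never expires
)

# Dry run: lists Alice (tier 14) and Bob (tier 3); drop -WhatIf to send and log for real
Get-ExpiryNotificationCandidates -Users $sampleUsers -NowUtc $nowUtc |
    Send-ExpiryNotification -WhatIf
```

In production, replace `$sampleUsers` with the Get-ADUser query from the script above and schedule the script daily; because sends are keyed by user and tier in the log, running it more often than once a day does not produce duplicate emails.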
How can third-party tools help reduce the workload?
Administrators may find that scripting a custom solution to notify users of password expiration could become difficult to maintain and support. Automated systems can streamline the process of setting up and managing password expiration notifications, reducing the administrative burden and enhancing security efficiency.
In this case you may wish to implement a third-party solution such as Specops Password Notification and Specops Password Policy, which are built to handle the entire process from a simple graphical interface. You can also enable on-screen notifications to encourage users to change or reset their own passwords prior to expiration. With these solutions, it really is as simple as specifying the alert threshold and entering your SMTP server settings.

You can even automatically include a list of your Password Policy rules in the email, as well as any additional messaging you may want to include.

Interested to see how Specops solutions could fit in with your organization? Contact us and we can set you up with a free trial.
(Last updated on February 20, 2025)