How to configure password expiration notifications

When it comes to notifying users that their passwords are about to expire, early and repeated communication pays off. Users do not enjoy the password change process, and a surprise lockout or expired-password prompt is worse than the change itself; telling them in advance when their password will expire is a cheap way to improve their experience and to cut the resulting help desk calls. This post gives an overview of how to configure password expiration notifications for Active Directory users.

Active Directory and Windows already support notifying users of an upcoming password expiration, but the built-in notification is the on-screen prompt shown at logon on a domain-joined Windows client, and the client must be able to reach a domain controller (that is, be on the corporate network) to learn the expiry time. Users who rarely log on to a domain-joined machine may never see it.

The configuration for these notifications lives in Group Policy, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Prompt user to change password before expiration.

Configure it in the Default Domain Policy or in another GPO linked to the OU that contains your client computers (it is a Computer Configuration setting, so it follows the computer, not the user), and set the number of days before expiration at which the user should be warned. Keep that number below the maximum password age in effect; if the warning period is not shorter than the maximum age, users are inside the warning window at every logon.
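
As an added example, not code from the original post, the following PowerShell function checks what a client actually applied for this policy and compares it with the domain's maximum password age. The policy is stored on the client as the PasswordExpiryWarning DWORD (in days) under the Winlogon registry key. The function and parameter names are this example's own, and it assumes you run it on a domain-joined client that has the ActiveDirectory PowerShell module (RSAT) installed.

```powershell
# Added example, not from the original post: confirm what a client actually
# applied for "Interactive logon: Prompt user to change password before expiration"
# and sanity-check it against the domain's maximum password age. The policy is
# stored on the client as the PasswordExpiryWarning DWORD (days) under Winlogon.
# Function and parameter names are this example's own; run it on a domain-joined
# client that has the ActiveDirectory PowerShell module (RSAT) installed.
function Test-PasswordExpiryWarningSetting {
    param([int] $ExpectedDays = 14)   # the value you configured in the GPO

    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $warnDays = (Get-ItemProperty -Path $key -Name PasswordExpiryWarning -ErrorAction SilentlyContinue).PasswordExpiryWarning

    # Domain-wide maximum password age. A fine-grained password policy (PSO) can
    # shorten this for specific users, so also review your PSOs if you use them.
    $maxAge     = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $maxAgeDays = [int]$maxAge.TotalDays

    if ($null -eq $warnDays) {
        $finding = 'PasswordExpiryWarning not present in the registry; confirm the GPO applied with gpresult /r'
    } elseif ($warnDays -ne $ExpectedDays) {
        $finding = "Client applied $warnDays days but the GPO intends $ExpectedDays (another GPO may win)"
    } elseif ($maxAgeDays -eq 0) {
        $finding = 'Domain maximum password age is 0 (passwords never expire): the warning never fires'
    } elseif ($warnDays -ge $maxAgeDays) {
        $finding = "Warning period ($warnDays days) is not below the maximum age ($maxAgeDays days): users are prompted at every logon"
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WarningDays        = $warnDays
        MaxPasswordAgeDays = $maxAgeDays
        Finding            = $finding
    }
}

Test-PasswordExpiryWarningSetting -ExpectedDays 14
```

Run it on a handful of clients in different OUs after a gpupdate; a mismatch between WarningDays and the value you configured usually means another GPO with higher precedence also sets the policy.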

But what about users who are not regularly on domain-joined machines on the network? And what if you want more control over when users are notified, or over what the notification contains (for example, the password policy requirements)?

Many administrators will turn to scripting to find the users with upcoming expiration and generate emails.

The following PowerShell script lists every enabled user in the OU given by -SearchBase whose password will expire within the number of days set in the first line ($daysbeforeexpirytonotify), together with the exact UTC time at which it expires, and then emails each of them. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which must be requested explicitly with -Properties and which already accounts for fine-grained password policies, so you do not have to compute pwdLastSet plus the maximum password age yourself. Fill in the sender address and SMTP server before running it. Note that Send-MailMessage is flagged as obsolete in PowerShell 7 because it cannot guarantee a secure connection to the SMTP server; it still works, but confirm what your relay accepts.

$daysbeforeexpirytonotify = 14
$now       = (Get-Date).ToUniversalTime().ToFileTime()
$threshold = (Get-Date).ToUniversalTime().AddDays($daysbeforeexpirytonotify).ToFileTime()

# msDS-UserPasswordExpiryTimeComputed is a FILETIME (100-ns intervals since 1601, UTC).
# It is 0 for "must change password at next logon" and Int64.MaxValue for "never expires";
# the -gt $now / -lt $threshold window excludes both.
$users = Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
                    -Properties "msDS-UserPasswordExpiryTimeComputed", mail `
                    -SearchBase "OU=Users,OU=Specops,DC=specopsdemo1,DC=com" |
    Where-Object { $_."msDS-UserPasswordExpiryTimeComputed" -lt $threshold -and
                   $_."msDS-UserPasswordExpiryTimeComputed" -gt $now } |
    Select-Object Name, mail,
        @{ Name = "expirydate";   Expression = { [DateTime]::FromFileTimeUtc($_."msDS-UserPasswordExpiryTimeComputed") } },
        @{ Name = "daystoexpiry"; Expression = { [int](($_."msDS-UserPasswordExpiryTimeComputed" - $now) / 864000000000) } } |
    Sort-Object Name

$from       = ""   # fill in: sender address
$smtpServer = ""   # fill in: your SMTP relay
foreach ($user in $users) {
    if (-not $user.mail) { Write-Warning "$($user.Name) has no mail attribute; skipping"; continue }
    Send-MailMessage -From $from `
                     -SmtpServer $smtpServer `
                     -To $user.mail `
                     -Subject "Your password will expire in $($user.daystoexpiry) days" `
                     -Body "Your password will expire at $($user.expirydate) (UTC)."
}

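The script above simply drops every account outside the notification window, which hides the accounts you most want to know about: those already expired, those flagged "must change at next logon", and those that never expire. As an added example, not code from the original post, the function below classifies the raw msDS-UserPasswordExpiryTimeComputed value explicitly and handles the two sentinel values the constructed attribute returns (0 and Int64.MaxValue, which would make [DateTime]::FromFileTimeUtc throw). The function name, parameter names and the sample values are this example's own; the samples are constructed so the block runs without a domain connection.

```powershell
# Added example (not from the original post): classify the raw
# msDS-UserPasswordExpiryTimeComputed value instead of silently dropping edge cases.
# Function and parameter names are this example's own.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory)] [Int64] $ExpiryFileTime,   # raw attribute value (Windows FILETIME, UTC)
        [int]      $DaysBeforeExpiryToNotify = 14,
        [DateTime] $NowUtc = (Get-Date).ToUniversalTime()
    )
    $ticksPerDay = 864000000000   # 100-ns intervals in one day

    # Sentinel values the constructed attribute can return:
    #   0                 -> pwdLastSet is 0: "user must change password at next logon"
    #   [Int64]::MaxValue -> password never expires (flag set, or the effective policy has no maximum age)
    # Both are outside the range FromFileTimeUtc accepts, so they are handled first.
    if ($ExpiryFileTime -eq 0) {
        return [pscustomobject]@{ Status = 'MustChangeAtNextLogon'; ExpiryDateUtc = $null; DaysToExpiry = $null }
    }
    if ($ExpiryFileTime -eq [Int64]::MaxValue) {
        return [pscustomobject]@{ Status = 'NeverExpires'; ExpiryDateUtc = $null; DaysToExpiry = $null }
    }

    $expiry = [DateTime]::FromFileTimeUtc($ExpiryFileTime)
    # Whole days remaining; negative when already expired.
    $days   = [Math]::Floor(($ExpiryFileTime - $NowUtc.ToFileTimeUtc()) / $ticksPerDay)

    $status = if ($expiry -le $NowUtc)                      { 'Expired' }
              elseif ($days -lt $DaysBeforeExpiryToNotify)  { 'NotifyNow' }
              else                                          { 'Ok' }

    [pscustomobject]@{ Status = $status; ExpiryDateUtc = $expiry; DaysToExpiry = [int]$days }
}

# Constructed sample values (not real directory data) covering each case.
$sampleNow = [DateTime]::new(2021, 9, 23, 12, 0, 0, [DateTimeKind]::Utc)
$samples = @(
    @{ Name = 'alice'; Value = 0 },                                        # must change at next logon
    @{ Name = 'bob';   Value = [Int64]::MaxValue },                        # never expires
    @{ Name = 'carol'; Value = $sampleNow.AddDays(-2).ToFileTimeUtc() },   # already expired
    @{ Name = 'dave';  Value = $sampleNow.AddDays(5).ToFileTimeUtc() },    # inside the 14-day window
    @{ Name = 'erin';  Value = $sampleNow.AddDays(40).ToFileTimeUtc() }    # nothing to do yet
)
foreach ($s in $samples) {
    $r = Get-PasswordExpiryStatus -ExpiryFileTime $s.Value -NowUtc $sampleNow
    "{0,-6} {1,-22} {2}" -f $s.Name, $r.Status, $r.ExpiryDateUtc
}

# Against a real domain, feed the constructed attribute straight in
# (requires the ActiveDirectory module and a domain connection):
# Get-ADUser -Filter { Enabled -eq $True } -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
#     ForEach-Object {
#         $r = Get-PasswordExpiryStatus -ExpiryFileTime $_.'msDS-UserPasswordExpiryTimeComputed'
#         if ($r.Status -eq 'NotifyNow') { "$($_.SamAccountName) -> $($r.DaysToExpiry) days" }
#     }
```

Reporting the Expired, MustChangeAtNextLogon and NeverExpires groups separately is worth doing even if you only email the NotifyNow group: the first two are users who will call the help desk anyway, and the last is a list of accounts exempt from your password policy that should be reviewed.
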
Administrators may find that a custom notification script becomes difficult to maintain and support over time (mail relay changes, new OUs, fine-grained policies, users without a mail attribute). In that case you may wish to implement a third-party solution such as Specops Password Notification and Specops Password Policy, which are built to handle the entire process from a graphical interface. You can also enable on-screen notifications to encourage users to change or reset their own passwords before expiration. With these solutions it really is as simple as specifying the alert threshold and entering your SMTP server settings.

You can even automatically include a list of your Password Policy rules in the email, as well as any additional messaging you may want to include.

For more information about password notification, and our self-service password reset solution, contact us.

(Last updated on September 23, 2021)



Written by

Darren Siegel

Darren Siegel is a cyber security expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. Darren has more than 15 years’ experience within Active Directory, IT security, servers, storage, virtualization, cloud, and identity and access management.
