How to configure Specops Password Notification

In this blog post we will review some common configurations for Specops Password Notification. Password Notification is a tool for configuring and sending password expiration reminders to your users. It is especially useful for reaching remote users, who won't receive the standard on-screen reminders shown when on-network.

This blog will assume you have already installed Specops Password Notification and have the Group Policy Management Console installed on the same server. If you need more guidance on that, check out our documentation.

Password Notification is configured via user-based Group Policy Objects (GPOs). Most organizations will use a single GPO for Password Notification settings for all users; however, always keep in mind you can add additional policies if you have slightly different requirements for different user bases, e.g. administrative accounts, outside contractors, different time zones, etc.

Within each GPO, you can choose on which day(s) prior to password expiration you would like to send out notifications, as well as the recipients and contents of the email sent out.

Password expiration email templates and sending frequency

The simplest example is a policy that sends an email notification each day before the password expires. In this example, notifications start 10 days prior to expiration by setting the schedule to '10-1', as shown in the screenshot below.

The sender address and sender display name should be something that the users will recognize and not misidentify as spam. It may also be useful to use a real email address as the sender so that users can reply directly to the email with questions.

The default recipient, identified here by the %mail% placeholder, sends the message to the user's email address as configured on their AD account. The email priority, subject, and body can of course be tailored to your liking, but should include some call to action as well as some information on where to go with questions.

Another common example is to vary the email schedule. Emails can be less frequent starting say 14 days prior to password expiration, then ramp up both the frequency and the contents of the message. In this example we have two email templates configured. The first sends on days 14, 7, and 5-2 prior to password expiration. You can vary the schedule by entering individual days or ranges, each separated by commas. This example is otherwise identical to the first one above:

On the final day we turn up the volume of the message. Both the priority and contents are amplified as the user is now perilously close to their password expiration. We have also added a CC to notify the helpdesk that a user has waited until the final day to change their password, granting an opportunity for additional proactive action for the affected user.
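The two-template schedule above depends on every user having a mail attribute for %mail% to resolve. The following PowerShell is an added example, not Specops code: it expands schedule strings the way this post describes them (single days or ranges, comma-separated) and lists users who are on a send day but have no address. The function names, the sample users and the whole-day "days left" calculation are assumptions made for illustration.

```powershell
# Added example (not Specops code). Expands a schedule such as '14, 7, 5-2'
# into the individual days-before-expiration it covers.
function Expand-NotificationSchedule {
    param([Parameter(Mandatory)][string]$Schedule)
    $days = foreach ($part in $Schedule -split ',') {
        $p = $part.Trim()
        if ($p -match '^(\d+)-(\d+)$') {
            $a = [int]$Matches[1]; $b = [int]$Matches[2]
            $lo = [Math]::Min($a, $b); $hi = [Math]::Max($a, $b)
            $lo..$hi
        } elseif ($p -match '^\d+$') {
            [int]$p
        } else {
            throw "Unrecognized schedule entry: '$p'"
        }
    }
    $days | Sort-Object -Unique -Descending
}

# Returns users who fall on a send day today but have an empty mail attribute,
# so a message addressed to %mail% would have nowhere to go.
function Get-NotificationGap {
    param(
        [Parameter(Mandatory)][object[]]$User,
        [Parameter(Mandatory)][string[]]$Schedule,
        [datetime]$Today = (Get-Date).Date
    )
    $sendDays = $Schedule | ForEach-Object { Expand-NotificationSchedule $_ }
    foreach ($u in $User) {
        # Assumption: "days left" is counted in whole calendar days.
        $left = [int](($u.PasswordExpires.Date - $Today).TotalDays)
        if ($left -in $sendDays -and [string]::IsNullOrWhiteSpace($u.mail)) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; DaysLeft = $left }
        }
    }
}

# Constructed sample users; not real accounts.
$today = Get-Date '2023-05-04'
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com'; PasswordExpires = $today.AddDays(7) }
    [pscustomobject]@{ SamAccountName = 'bob';   mail = $null;               PasswordExpires = $today.AddDays(1) }
    [pscustomobject]@{ SamAccountName = 'carol'; mail = '';                  PasswordExpires = $today.AddDays(10) }
)
# Both templates from the example: '14, 7, 5-2' and the final-day '1'.
Get-NotificationGap -User $users -Schedule '14, 7, 5-2', '1' -Today $today
```

Against a live directory, the same input objects can be built from Get-ADUser with the mail and msDS-UserPasswordExpiryTimeComputed properties.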

Of course, you should tailor this to what makes sense for your organization. Are people commonly out for more than 2 weeks? Then you might want to start sending reminders earlier.

In each policy, please also check the Date Format tab. By default, Password Notification localizes the date format based on the regional and time zone settings on the Password Notification server; however, you can change these. This might be another case where multiple GPOs are a good idea, as you can vary both the time zone and the language of the email text on a per-GPO basis.

Finally, in the SMTP configuration tab, ensure the configuration is valid for your SMTP server. Specops recommends using the service account authentication mode as well as enabling TLS for optimal security.

One final piece to consider is what time of day you would like to send out notifications. This is a global setting for the Password Notification server, and defaults to midnight in the server’s time zone as configured in Windows. It is also completely separate from the time zones configured in your group policies which only impact how the %PasswordExpirationTime% placeholder is displayed in the email for that GPO.

Many organizations find it best to send the email closer to the start of, or during, business hours to improve visibility. To change the time when Password Notification starts sending emails, we must configure it in the registry.

Under HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\Specops Password Notification\Server, modify the PollingTime value. The default is 00:00 (midnight); however, any time is acceptable so long as it is specified in HH:MM 24-hour format. For example, to send the emails at 8:00 am local time:

To send them at 2:00 pm / 14.00 local time:

Once the value has been changed, you must restart the Specops Password Notification Server service for the change to take effect.
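The registry change and service restart described above can be scripted. This is an added example, not Specops code: it validates the HH:MM format before writing, refuses to create the key if it is missing, and restarts the service only when the value actually changed. The function names, the zero-padded reading of HH:MM, and the service display name "Specops Password Notification Server" (taken from the wording of this post) are assumptions.

```powershell
# Added example (not Specops code). Run from an elevated PowerShell session.
$keyPath = 'HKLM:\SOFTWARE\Specopssoft\Specops Password Notification\Server'
# Assumption: the service display name matches the name used in this post.
$serviceDisplayName = 'Specops Password Notification Server'

function Test-PollingTime {
    param([string]$Value)
    # Assumption: HH:MM means zero-padded 24-hour time, 00:00 through 23:59.
    return $Value -match '^([01]\d|2[0-3]):[0-5]\d$'
}

function Set-PollingTime {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Time)

    if (-not (Test-PollingTime $Time)) {
        throw "PollingTime must be HH:MM in 24-hour format, got '$Time'"
    }
    # Fail rather than create a key in the wrong place on a misidentified server.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        throw "Registry key not found: $keyPath"
    }
    $old = (Get-ItemProperty -LiteralPath $keyPath -Name PollingTime -ErrorAction Stop).PollingTime
    if ($old -eq $Time) {
        Write-Verbose "PollingTime is already $Time; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($keyPath, "Set PollingTime $old -> $Time and restart service")) {
        Set-ItemProperty -LiteralPath $keyPath -Name PollingTime -Value $Time
        # The new time takes effect only after the service restarts.
        Restart-Service -DisplayName $serviceDisplayName -ErrorAction Stop
        (Get-Service -DisplayName $serviceDisplayName).Status
    }
}

# Format check on constructed inputs; this part runs on any machine.
'08:00', '14:00', '8:00', '14.00', '24:00' | ForEach-Object {
    [pscustomobject]@{ Value = $_; Valid = (Test-PollingTime $_) }
}

# Preview the change without writing anything:
#   Set-PollingTime -Time '08:00' -WhatIf
```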

And with that, your password email reminders are set to go.

Haven’t downloaded it yet? Visit the Specops Password Notification page to download, or watch this video.

If you’d like to reduce the burden on your IT service desk even further, you might consider setting up a self-service password solution to enable your end-users to reset their passwords on their own. For remote users, our password reset tool can help even more by enabling end-users to reset their own locally cached expired credentials if necessary.

(Last updated on May 4, 2023)

Written by

Darren Siegel

Darren Siegel is a cyber security expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. Darren has more than 15 years’ experience within Active Directory, IT security, servers, storage, virtualization, cloud, and identity and access management.
