Identifying Specops Password Notification GPOs
In this article we will review how to identify Group Policy Objects (GPOs) in your Active Directory that contain Specops Password Notification settings.
Specops Password Notification uses user-based GPOs to target users for password expiration notifications. However, unlike traditional GPO settings, Password Notification settings may not appear in standard Group Policy analysis tools such as gpresult. The easiest way to identify GPOs containing Password Notification settings is to search AD for GPOs containing the Password Notification extension GUID. This is the same way the Password Notification Server looks for these GPOs. The following commands return the name (GUID) and display name of each GPO containing Password Notification settings:
$adsystemscontainer = $(get-addomain).systemscontainer
get-adobject -searchbase "CN=Policies,$adsystemscontainer" -filter { gPCUserExtensionNames -like "*{58F8C91C-E65C-47B3-8897-53CD0A5DDD70}{372A7729-90AE-4B93-920F-99D7CC1B2202}*" } -properties displayname | select name,displayname
For example:
PS C:\> $adsystemscontainer = $(get-addomain).systemscontainer
PS C:\> get-adobject -searchbase "CN=Policies,$adsystemscontainer" -filter { gPCUserExtensionNames -like "*{58F8C91C-E65C-47B3-8897-53CD0A5DDD70}{372A7729-90AE-4B93-920F-99D7CC1B2202}*" } -properties displayname | select name,displayname

name                                   displayname
----                                   -----------
{A5A969A7-C520-4E35-B187-92AB606B875F} Specops Password Notification
{27256A5F-A23B-4050-970C-FA60AFC671CA} Specops Password Notification for Admins
From here, we suggest using the Group Policy Management Console to confirm where these policies are linked, or using gpresult to confirm whether the policies are applied to specific users.
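
The link check can also be scripted by reading the gPLink attribute of the containers that reference each GPO. The following is an added example, not Specops code: it assumes the ActiveDirectory PowerShell module, reuses the extension GUID from the search above, and only looks at the current domain and the forest's Sites container, so links made in other domains are not reported.

```powershell
# Added example (not Specops code): report where each Password Notification GPO is linked.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain and Sites container.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Extension GUID pair copied from the article's search filter
$pnExtension = '{58F8C91C-E65C-47B3-8897-53CD0A5DDD70}{372A7729-90AE-4B93-920F-99D7CC1B2202}'

$gpoSearch = @{
    SearchBase = "CN=Policies,$($domain.SystemsContainer)"
    LDAPFilter = "(gPCUserExtensionNames=*$pnExtension*)"
    Properties = 'displayName'
}
$gpos = @(Get-ADObject @gpoSearch)

# GPOs are linked on the domain root, on OUs, and on site objects (configuration partition)
$linkBases = @(
    $domain.DistinguishedName
    "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
)

$report = foreach ($gpo in $gpos) {
    # gPLink holds one entry per linked GPO, in the form [LDAP://<GPO DN>;<options>]
    $pattern = '\[LDAP://[^;\]]*' + [regex]::Escape($gpo.Name) + '[^;\]]*;(\d+)\]'
    $links = foreach ($base in $linkBases) {
        Get-ADObject -SearchBase $base -LDAPFilter "(gPLink=*$($gpo.Name)*)" -Properties gPLink
    }
    if (-not $links) {
        # No link found in this domain or in Sites
        [pscustomobject]@{
            GPO = $gpo.displayName; Guid = $gpo.Name
            LinkedTo = '(no link found)'; LinkEnabled = $null; Enforced = $null
        }
    }
    foreach ($target in $links) {
        if ($target.gPLink -match $pattern) {
            $options = [int]$Matches[1]   # bit 0x1 = link disabled, bit 0x2 = enforced
            [pscustomobject]@{
                GPO = $gpo.displayName; Guid = $gpo.Name
                LinkedTo    = $target.DistinguishedName
                LinkEnabled = -not ($options -band 1)
                Enforced    = [bool]($options -band 2)
            }
        }
    }
}
$report | Format-Table -AutoSize
```

A row with a disabled link or no link at all means the GPO exists but is not targeting users through that container; security filtering on the GPO itself is not evaluated here and still needs to be checked in the Group Policy Management Console.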