Specops Password Notification Sending Emails on The Wrong Day
In this article we will review what to do if Specops Password Notification sends email alerts as if users' passwords will expire according to the Default Domain Policy, ignoring the different maximum password age set in either an Active Directory Fine-Grained Password Policy or a Specops Password Policy with Length-Based Password Aging configured. In both cases the cause is almost always the same: the Specops Password Notification Server service account lacks the Active Directory permissions needed to read the relevant settings, so the reminders fall back to the domain-wide value. Here we will review the permissions required for each feature to work properly with Specops Password Notification.
First, identify the service account used by Specops Password Notification: open the Services MMC (services.msc) in Windows, locate the Specops Password Notification Server service and check the account shown on its Log On tab, for example:
Fine-Grained Password Policies
Fine-grained password policies in Active Directory let you set a different maximum password age for specific users or groups using native Active Directory settings: a user covered by a fine-grained password policy may have a maximum password age that differs from the one defined in the Default Domain Policy. However, read access to the Password Settings Container, where these policies are stored under the System container, is by default restricted to key administrative groups in Active Directory, e.g. Domain Admins. The non-domain-admin service account typically used by Specops Password Notification therefore cannot read the policies, and so cannot take them into account when generating email reminders.
We will need to explicitly grant the Password Notification service account read access to the Password Settings Container using the Active Directory Users and Computers MMC. Changing the container's permissions requires an account that holds Modify permissions on it, such as a Domain Admin. Be sure to enable Advanced Features in the View menu of AD Users and Computers; without it neither the System container nor the Security tab is visible:
Right-click on the Password Settings Container under the System container in AD and select Properties:
Go to the Security tab and click the Advanced button:
Click the Add button:
Set the principal to your service account. Verify the Type dropdown is set to Allow and the Applies to dropdown is set to 'This object and all descendant objects', so that password settings objects created later inherit the grant. Scroll to the bottom of the dialog and click Clear all to remove the pre-selected permissions, then scroll back to the top and check only 'List contents' and 'Read all properties'. These two read-only rights are all the service needs; do not grant write rights or Full control. Click OK on this dialog and on each parent dialog until you are back in AD Users and Computers.
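The same grant can be scripted with the ActiveDirectory module and the AD: drive. The following is an added example, not Specops' own documentation; it assumes the service account is CORP\svc-pwdnotify (a placeholder for whatever services.msc showed), that the RSAT ActiveDirectory module is installed, and that it is run by a Domain Admin, since writing the container's DACL needs Modify permissions on it.

```powershell
# Added example: grant the Password Notification service account read access to the
# Password Settings Container and every PSO beneath it, equivalent to the ADUC steps above.
# Assumptions: CORP\svc-pwdnotify is a placeholder for your service account; the
# ActiveDirectory RSAT module is installed; the script runs as a Domain Admin.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-pwdnotify'
$DomainDN       = (Get-ADDomain).DistinguishedName
$ContainerPath  = "AD:\CN=Password Settings Container,CN=System,$DomainDN"

# ACEs are stored by SID, so resolve the account name first.
$Sid = ([System.Security.Principal.NTAccount]::new($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 'List contents' + 'Read all properties' in the ADUC dialog map to these two rights.
# Nothing more: the service only needs to read policies, never to change them.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Inheritance 'All' is the dialog's 'This object and all descendant objects', so PSOs
# created later are covered without revisiting the ACL.
$Ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
           $Sid,
           $Rights,
           [System.Security.AccessControl.AccessControlType]::Allow,
           [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$Acl = Get-Acl -Path $ContainerPath
$Acl.AddAccessRule($Ace)
Set-Acl -Path $ContainerPath -AclObject $Acl

# Check 1: the ACE is now present on the container with the expected rights.
(Get-Acl -Path $ContainerPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType

# Check 2 (run in a session started as the service account, e.g. with
# runas /user:CORP\svc-pwdnotify powershell.exe): the PSOs are now visible.
# Before the grant this returns nothing, which is why the notifications
# fell back to the Default Domain Policy.
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, MaxPasswordAge, AppliesTo
```

Run the second check as the service account rather than as yourself: a Domain Admin sees the PSOs regardless, so only a test under the service account's own token proves the grant is sufficient.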
Specops Length Based Password Aging
If you use Specops Password Notification in an environment where Specops Password Policy is deployed and the Length-Based Password Aging feature is configured, the Specops Password Notification service account must be a member of the length-based password aging reader group. To identify the group used for this, check the Password Policy Domain Administration console from a machine with the Password Policy admin tools installed:
After adding the Password Notification service account to this group, restart the Specops Password Notification Server service. The restart is required because group memberships are placed in the account's access token when it logs on; a running service keeps its old token, without the new group, until it is restarted.
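The steps of identifying the service account, adding it to the reader group and restarting the service can be done together from PowerShell on the Password Notification server. This is an added example, not Specops' own tooling; it assumes 'Specops Password Notification Server' is the display name shown in services.msc, that 'Specops Password Policy LBPA Readers' is a placeholder for the reader group you read off the Password Policy Domain Administration console, and that the caller may modify that group's membership.

```powershell
# Added example: find the account the Password Notification service runs as, add it to
# the length-based password aging reader group, and restart the service so its logon
# token picks up the new membership.
# Assumptions: 'Specops Password Notification Server' is the service display name shown
# in services.msc; 'Specops Password Policy LBPA Readers' is a placeholder for the
# reader group shown in the Password Policy Domain Administration console.
Import-Module ActiveDirectory

$ServiceDisplayName = 'Specops Password Notification Server'
$ReaderGroup        = 'Specops Password Policy LBPA Readers'

# Step 1: read the service account from the service definition (StartName),
# the scripted equivalent of the Log On tab in services.msc.
$Service = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$ServiceDisplayName'"
if (-not $Service) { throw "Service '$ServiceDisplayName' not found on this host." }
$ServiceAccount = $Service.StartName                      # e.g. CORP\svc-pwdnotify
if ($ServiceAccount -match '^(LocalSystem|NT AUTHORITY\\)') {
    throw "Service runs as $ServiceAccount, a built-in account that cannot be put in an AD group."
}
# Accept both DOMAIN\name and name@domain forms; gMSA names keep their trailing '$'.
$SamAccountName = (($ServiceAccount -split '\\')[-1]) -replace '@.*$', ''
"Service '$($Service.Name)' runs as $ServiceAccount"

# Step 2: add it to the reader group, skipping the change if it is already a member.
$Members = Get-ADGroupMember -Identity $ReaderGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($SamAccountName -in $Members) {
    "$SamAccountName is already a member of $ReaderGroup"
} else {
    Add-ADGroupMember -Identity $ReaderGroup -Members $SamAccountName
    "Added $SamAccountName to $ReaderGroup"
}

# Step 3: restart the service. Group membership is stamped into the token at logon,
# so the running service keeps its old token and still cannot read the
# length-based aging settings until it is restarted.
Restart-Service -Name $Service.Name
Get-Service -Name $Service.Name | Select-Object Name, Status

# Check: the service account is now a member of the reader group.
Get-ADPrincipalGroupMembership -Identity $SamAccountName |
    Where-Object { $_.Name -eq $ReaderGroup } |
    Select-Object Name, GroupCategory
```

In a multi-DC domain the membership change is written to one domain controller while the service may authenticate against another; if the restarted service still ignores the length-based setting, wait for replication (or force it) and restart once more.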