Users do not receive Password Notification Emails
In this article we will review the general troubleshooting process if users are not receiving password expiration warning emails sent by Specops Password Notification.
For all Password Notification issues, we will begin by checking the Windows Application event log for any errors or warnings with source Specops Password Notification Server, Under normal operation you should see three events logged once every 24 hours with event IDs 105, 106, and 104
Event ID 105 will confirm the scope of management, domain controller used:
Start checking for expiring user passwords. Scope of management: 'OU=Demo Users,DC=demo,DC=com' Using domain controller: 'DC01.demo.com' Search page size: '1000'
Confirm the scope of management is accurate; this should be the distinguished name of either the entire domain or a single OU that contains all user accounts that you wish to notify for password expiration. If the scope of management needs to be changed, it is configured in the registry. Set the value to the appropriate LDAP path and restart the Specops Password Notification Server service for the change to take effect:
[HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\Specops Password Notification\Server] "ManagementLevel"="LDAP://OU=Demo Users,DC=Demo,DC=com"
It is at this stage that the Password Notification server will log an error in each case where a user should have been sent a password expiration email but some error condition prevented sending of the email; for example:
Common issues you might see here are errors indicating the Password Notification server was unable to communicate with the mail server, or that a SMTP error code was received, in which case you should confirm the mail server settings in your Password Notification GPO, that the mail server is reachable on the specified port from the Password Notification server, and that the proper authentication method for your mail server is configured. Please inspect each error message here for details on why a particular notification email could not be sent.
Finally, Event ID 106 will confirm a completed scan of all users for password expiration and a summary of results:
Finished checking for expiring user passwords. Number of users within the scope of management: '58' Number of users affected by a GPO: '58' Number of affected users with passwords that can expire: '2' Number of users that should receive a notification: '2' Number of emails sent: '2'
Check the number of users affected by a GPO. If this number does not appear accurate, verify which GPO was used for Specops Password Notification and ensure that it is linked to the correct OUs and scoped to either Authenticated Users or the correct security groups via the Group Policy Management Console in Windows Administrative Tools.
If the user accounts are correct but the number of emails sent seems low, check your GPO configuration to see what days emails will be sent out prior to expiration. We would also suggest reviewing the article here to confirm when users passwords are expected to expire in Active Directory and/or Specops Password Policy.
If it appears emails were sent (no errors prior to Event ID 106, numbers in Event ID 106 look reasonable) but the notification emails were not received, this indicates that emails were sent successfully but not delivered, often due to spam filtering or some other security mechanism blocking the emails, or possibly a service disruption within your email system. Please investigate and confirm mail flow and delivery beginning with the SMTP server configured in Specops Password Notification.