Reference Material | Notifications

Specops Password Policy can send out a number of notifications related to password expiration and password rule compliance. This section explains the various options and settings associated with these notifications.

Types of notifications
  • Expiration email notification
    Sent out at a specific time prior to the user’s password expiration.
  • Breached Password Protection Complete email notification
    Email sent out to inform users that their new password matches one found in the Breached Password Protection Complete database.
  • Breached Password Protection Complete text notification
    Text message sent out to inform users that their new password matches one found in the Breached Password Protection Complete database.
  • Breached Password Protection Express email notification
    Email sent out to inform users that their password matches one found in the Breached Password Protection Express database after that database was updated.

Please refer to the sections below for more information on the different notifications.

Domain Administration Tool Settings (SMTP)

The Domain Administration tool controls the SMTP settings for all outgoing emails from Specops Password Policy (with certain exceptions listed below).

Note: It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.

SMTP settings

In this section the global SMTP settings are configured. These are the SMTP settings for all outgoing emails.

  • SMTP Server
    The name of the SMTP server used. The emails are sent from the domain controllers where the Sentinel is installed.
  • Use TLS (Encryption)
    Transport Layer Security. Check this option if you want to enable encryption for outgoing mail. Note that whenever TLS is enabled, the port will automatically be set to port 587.
  • Port
    Defaults to Port 25. If another port is to be used for outgoing emails, it can be set here.
  • Authentication
    There are three levels of authentication that can be set:

    • Anonymous access (no authentication)
    • Basic authentication (username and password; both fields will appear when this option is selected)
    • Integrated Windows authentication (the computer accounts of the domain controllers where the Sentinel is installed will be used for authentication. The SMTP server has to be set up such that it allows requests from domain controller accounts.)
  • Default Sender Email Address
    The default address notifications are sent from.
  • Default Sender Display Name
    The display name for sent notifications.

Editing SMTP Settings

  1. Click the Edit button for the SMTP Settings.
  2. Fill out all the necessary fields in the pop-up window.
  3. Click the Test Settings… button, fill in a valid email address in the To field, then click Send to test the settings.
    Note: The sending of test emails is only supported locally on the domain controller. Domain Administration running on computers other than the domain controller will not be able to send test mails.
  4. Click OK.

Custom User Attributes

If email and mobile number in Active Directory are not stored in the standard email and mobile fields, respectively, they can be overridden in the Custom User Attributes section of the Domain Administration tool, which allows the system to reference the correct attributes. Use the exact attribute name as listed in the Attribute Editor in AD to override the default attributes.

Expiration email notifications

Specops Password Policy can be configured to send out email notifications at a determined time before the user’s password is set to expire. These mails can be enabled and configured in the Group Policy snap-in. Since these emails are configured in the Group Policy snap-in, there can be different email configurations for each GPO.

Configuring password expiration notifications

  1. [Optional] Check the Notify at login option
    This will show the user when their password will expire at the Windows login screen.
  2. Check the Send email notification option
  3. Set the number of days before password expiration when the notification is to be sent.
  4. Set the Notification language
    This setting will determine in which language the Placeholder texts will be presented to the user.
  5. From email and From name
    The contents of these two fields are determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  6. To Email and CC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  7. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  8. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom of the notification field. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

There is also the option to edit the email in HTML code by clicking the HTML button.

Breached Password Protection Complete email notifications

If Breached Password Protection Complete has been enabled, it can be set up to notify users whenever they have changed their password to one that is listed in the Breached Password Protection Complete database.

Configuring Breached Password Protection Complete email notifications

  1. Check the Send emails to users with breached passwords option
  2. Set the desired Email transport mode
    There are two options for sending outgoing emails:

    • Specops online service: emails are sent via the cloud (SendGrid)
    • SMTP: outgoing mails use the global SMTP settings configured in the Domain Administration tool
  3. From email and From name
    The contents of these two fields are determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  4. To Email and CC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  5. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  6. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

There is also the option to edit the email in HTML code by clicking the HTML button.

Breached Password Protection Complete text message notifications

As with Breached Password Protection Complete email notifications, users can be sent a text message whenever they have changed their password to one that is listed in the Breached Password Protection Complete database.

Configuring Breached Password Protection Complete text message notifications

  1. Check the Send text message to users with breached passwords option.
  2. [Optional] Check the Default mobile number country code option, and insert the country code to be used.
    If the mobile number in Active Directory (whether it is stored in the mobile attribute or in another attribute referenced through the Custom User Attributes in the Domain Administration tool) does not start with a + (plus), the system automatically adds the Default country code if this option is checked. Thus, 070 123 4567 with a Default mobile number country code setting of +46 will be converted into +46 70 123 4567.

    Note that if the international phone format in AD is written with an international prefix, e.g. 00, the conversion will not work properly. For example, if the phone number in the above example was input as 00 46 70 123 4567, and the default country code option was checked with a setting of +46, the resulting number would be +46 0 46 70 123 4567, which would be incorrect.

  3. Alter the text to be included in the text message in the Text message field. To include placeholders, use the (Insert Placeholder) dropdown.
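
The country code behaviour described in step 2 can be checked against stored numbers before the option is enabled. The following is an added example, not Specops code: the conversion model is an assumption inferred from the two examples above, and the function names, status labels and sample values are hypothetical.

```python
import re

def compact(raw: str) -> str:
    """Strip spaces and separators, keeping digits and '+'."""
    return re.sub(r"[^\d+]", "", raw or "")

def predicted_number(raw: str, default_cc: str) -> str:
    """Model of the conversion described above (assumption inferred from the
    page's two examples): a number starting with '+' is kept; otherwise one
    leading 0 is dropped and the default country code is prepended."""
    number = compact(raw)
    if number.startswith("+"):
        return number
    if number.startswith("0"):
        number = number[1:]
    return default_cc + number

def classify(raw: str, default_cc: str) -> str:
    """Decide whether a stored value is safe to leave to the default-code rule."""
    number = compact(raw)
    if not number:
        return "missing"
    if number.startswith("+"):
        return "ok-international"
    if number.startswith("00"):
        return "fix-in-ad"   # international prefix: the case the page warns about
    if number.startswith(default_cc.lstrip("+")):
        return "review"      # heuristic: possibly a country code stored without '+'
    return "ok-national"

def audit(users: dict, default_cc: str) -> list:
    """Return (account, stored value, status, predicted number) per user."""
    return [(sam, raw, classify(raw, default_cc),
             predicted_number(raw, default_cc) if compact(raw) else "")
            for sam, raw in users.items()]

# Constructed sample values, as they might be exported from the mobile attribute.
SAMPLE = {
    "anna": "070 123 4567",
    "bo": "00 46 70 123 4567",
    "cia": "+46 70 123 4567",
    "dan": "46 70 123 4567",
    "eve": "",
}

if __name__ == "__main__":
    for row in audit(SAMPLE, "+46"):
        print(row)
```

Accounts reported as fix-in-ad or missing would not receive the breached password text message at a valid number, so correct those values in AD first.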

Breached Password Protection Express Notifications

When Breached Password Protection Express is enabled, users can be notified by email when their current password has been found in the Breached Password Protection Express database after the database has been updated.

Configuring Breached Password Protection Express Dictionary

  1. Check the Force users to change leaked passwords when the Breached Password Protection Express list is updated option.
    This will flag users’ accounts to force a password change at next login. Note that this box can only be checked if Breached Password Protection Express has been enabled by checking the Prevent users from changing to a leaked password option in the Breached Password Protection Express section.
  2. Check the Notify users when they are forced to change password option.
  3. From email and From name
    The contents of these two fields are determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  4. To Email and CC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  5. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  6. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

There is also the option to edit the email in HTML code by clicking the HTML button.

Placeholder texts

Placeholder texts can be used to insert dynamic information (such as password rules or the user’s email address) into notifications. Below is a list of all the placeholder texts available.

All placeholder texts (with the exception of those that only contain numbers) have been localized in the languages available in Specops Password Policy. The language presented to the user will depend on the setting for Notification language for the notification in question.

Note that not all Placeholders are available for all notifications. The ones available to all notifications have been indicated with an asterisk.

%UserEmail% : user’s email address

%SamAccountName% : user’s samAccountName attribute in AD*

%Upn% : user’s userPrincipalName attribute in AD*

%DisplayName% : user’s displayName attribute in AD*

%DynamicExpirationInfo% : e.g. “Your password will expire in 3 days”

%PasswordRules% : list of rules set in the configuration

%DaysUntilExpiration% : days until password expiration (1,2,3,4 etc)

%PasswordRulesHeader% : “Your new password must meet the following requirements:”