Notifications

Specops Password Policy can send out a number of notifications related to password expiration and password rule compliance. This section explains the various options and settings associated with these notifications.

Types of notifications


  • Expiration email notification
    Sent out at a specific time prior to the user’s password expiration.
  • Breached Password Protection Complete email notification
    Email sent out to inform users that their new password matches one found in the Breached Password Protection Complete database.
  • Breached Password Protection Complete text notification
    Text message sent out to inform users that their new password matches one found in the Breached Password Protection Complete database.
  • Breached Password Protection Express email notification
    Email sent out to inform users that their password matches one found in the Breached Password Protection Express database after that database was updated.
  • License emails
    Emails sent out to Specops and administrators containing licensing information.

Please refer to the sections below for more information on the different notifications.

Email Sending System


Notifications can either be sent through the Sentinel or through the Arbiter. Since the Sentinel Service is installed on all writable domain controllers, using the Sentinel to send notifications necessarily means that these domain controllers must be open to the internet in order to send mails. In cases where this is not desired, the Arbiter can be used to send notifications. The Arbiter also needs to be open to the internet, but since it is recommended that Arbiters are installed on servers that are not domain controllers, this means that the DC is not open in the same way.

Sentinel Service

The Sentinel Service is the default email sending system for Specops Password Policy.

WARNING
Since the Sentinel Service is installed on all writable domain controllers, all domain controllers must be allowed to send SMTP traffic directly to the configured SMTP server. If you prefer to have SMTP traffic originate from a member server, you can configure Password Policy to use your Arbiter(s) for sending email.

Arbiter

The Arbiter can be used as an email sending system (provided the Arbiter is installed on a server that is not a domain controller). The Sentinel Service is still involved in the sending of notifications, but only to the Arbiter, not directly over SMTP. Note that the Sentinel Service drops off SMTP emails to the Arbiter and then exits. It does not check whether or not the emails have been delivered.

NOTE
If you are using the Arbiter only as an email sending system (i.e. not to enable Specops Breached Password Protection), you do not require an API key.

Changing the email sending system

You can change the email sending system in the SMTP settings in the Domain Administration Tool.

  1. In the Domain Administration Tool, go to Domain Settings, then click Edit in the SMTP Settings section.
  2. Click on the Email Sending System dropdown and choose which system you want to use.

More information on SMTP settings can be found in the Domain Administration Tool Settings (SMTP) section.

Domain Administration Tool Settings (SMTP)


The Domain Administration tool controls the SMTP settings for all outgoing emails from Specops Password Policy (with certain exceptions listed below).

NOTE
It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.

SMTP settings

In this section the global SMTP settings are configured. These are the SMTP settings for all outgoing emails.

  • Email Sending System: choose which system to use for sending emails (Sentinel Service or Arbiter). For more information on Email Sending Systems, see the Email Sending System section.
  • SMTP Server
    The name of the SMTP server used. The emails are sent from the domain controllers where the Sentinel is installed.
  • Use TLS (Encryption)
    Transport Layer Security. Check this option if you want to enable encryption for outgoing mail. Note that whenever TLS is enabled, the port will automatically be set to port 587.
  • Port
    Defaults to Port 25. If another port is to be used for outgoing emails, it can be set here.
  • Authentication
    There are three levels of authentication that can be set:
    • Anonymous access (no authentication)
    • Basic authentication (username and password; both fields will appear when this option is selected)
    • Integrated Windows authentication (the computer accounts of the domain controllers where the Sentinel is installed will be used for authentication. The SMTP server has to be set up such that it allows requests from domain controller accounts.)
  • Default Sender Email Address
    The default address notifications are sent from.
  • Default Sender Display Name
    The display name for sent notifications.
  • Admin Notification Email Address
    Email used to receive license information and warnings. Make sure this is an administrator with the correct privileges to act on the information contained in the emails.

Editing SMTP Settings

  1. In the Domain settings menu, go to the SMTP Settings section.
  2. Click the Edit button for the SMTP Settings.
  3. Fill out all the necessary fields in the pop-up window.
  4. Click the Test Settings… button, fill in a valid email address in the To field, then click Send to test the settings.
    NOTE
    The sending of test emails is only supported locally on the domain controller. Domain Administration running on computers other than the domain controller will not be able to send test mails.
  5. Click OK.

Custom User Attributes

If email and mobile number in Active Directory are not stored in the standard email and mobile fields, respectively, they can be overridden in the Custom User Attributes section of the Domain Administration tool, which allows the system to reference the correct attributes. Use the exact attribute name as is listed in the Attribute Editor in AD to override the default attributes.
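The check below is an added example, not part of the Specops documentation or product: it reports, per user, whether the email and mobile attributes that notifications depend on are populated. The function name, the state labels, the assumption that a leading + marks a country code, and the sample users are constructed for illustration.

```powershell
# Added example: audit the AD attributes that notifications are delivered to.
# Attribute names default to the standard 'mail' and 'mobile'; pass the names
# entered under Custom User Attributes if the defaults were overridden.
function Get-NotificationReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [string]$EmailAttribute  = 'mail',
        [string]$MobileAttribute = 'mobile'
    )
    process {
        # A missing property yields $null, which casts to an empty string.
        $email  = [string]$User.$EmailAttribute
        $mobile = [string]$User.$MobileAttribute

        # Strip spaces, dashes, dots and brackets before judging the number.
        $number = $mobile -replace '[\s\-\(\)\.]', ''

        if ([string]::IsNullOrWhiteSpace($email)) { $emailState = 'Missing' }
        elseif ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $emailState = 'Malformed' }
        else { $emailState = 'OK' }

        # Assumption: a leading '+' means the entry already carries a country
        # code; a digits-only entry relies on the Default mobile number
        # country code under General settings.
        if ([string]::IsNullOrWhiteSpace($number)) { $mobileState = 'Missing' }
        elseif ($number -match '^\+\d{6,15}$') { $mobileState = 'HasCountryCode' }
        elseif ($number -match '^\d{6,15}$') { $mobileState = 'NeedsDefaultCountryCode' }
        else { $mobileState = 'Malformed' }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            EmailState     = $emailState
            MobileState    = $mobileState
        }
    }
}

# Constructed sample users (not real accounts) so the function runs offline.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com';     mobile = '+46 70 123 45 67' }
    [pscustomobject]@{ SamAccountName = 'bob';   mail = $null;                   mobile = '070-123 45 67' }
    [pscustomobject]@{ SamAccountName = 'carol'; mail = 'carol(at)example.com';  mobile = $null }
)
$sampleUsers | Get-NotificationReadiness | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), list enabled
# users who would not receive an email notification:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, mobile |
#     Get-NotificationReadiness |
#     Where-Object { $_.EmailState -ne 'OK' }
```

When custom attributes are in use, request them with -Properties on Get-ADUser and pass the same names through -EmailAttribute and -MobileAttribute.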

Expiration email notifications


Specops Password Policy can be configured to send out email notifications at a determined time before the user’s password is set to expire. These mails can be enabled and configured in the Group Policy snap-in. Since these emails are configured in the Group Policy snap-in, there can be different email configurations for each GPO.

Configuring password expiration notifications

  1. Go to the Password Expiration tab.
  2. [Optional] Check the Notify at login option.
    This will show the user when their password will expire at the Windows login screen.
  3. Check the Send email notification option.
  4. Set the number of days before password expiration when the notification is to be sent (only available if Send email notifications has been checked).
  5. From email and From name
    The contents of these two fields will be determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  6. To Email, CC, and BCC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  7. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  8. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom of the notification field. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

There is also the option to edit the email in HTML code by clicking the HTML button.

Sending test emails

For both expiration emails and compromised password notifications (Specops Breached Password Protection) you can send test emails to check the formatting and message.

  1. In the email notification section, click Send Test Email.
    NOTE
    Email notifications need to be activated in order to be able to send test emails.
  2. Click Select User.
  3. Enter a user from Active Directory to send the test email to.
  4. For Specops Password Policy you can set the days until expiration. This will usually only change the subject line of the email, unless the body of the email contains placeholders such as %DynamicExpirationInfo%.
  5. Click Send.
  6. A success message should appear in the bottom text field.
    NOTE
    In case the test email fails, the text box will show a message saying what is wrong (e.g. The Sentinel service responded with an error. [InvalidSmtpConfigurationException]: 'No SMTP server has been configured. This must be configured from Specops Password Policy Domain Administration.').

Expiration text message notifications


Specops Password Policy can be configured to send out text message notifications at a determined time before the user’s password is set to expire. These text messages can be enabled and configured in the Group Policy snap-in. Since these text messages are configured in the Group Policy snap-in, there can be different text message configurations for each GPO.

Configuring password expiration notifications

  1. Go to the Password Expiration tab.
  2. Check the Send Text message notification option in the Text Message Notification field.
  3. Set the number of days before password expiration when the notification is to be sent (only available if Send email notifications has been checked).
  4. Compose the text message body text.
    NOTE
    Placeholder texts can be used in the text message body as well. For a list of placeholders, see Placeholders below.
NOTE
To automatically include a default country code in case this is not included in the Active Directory entry, set the Default mobile number country code under General settings. For more information, please see the Administration page.
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Breached Password Protection Complete email notifications (Continuous)


If Breached Password Protection Complete has been enabled, it can be set up to notify users whenever they have changed their password to one that is listed in the Breached Password Protection Complete database.

Configuring Breached Password Protection Complete email notifications

  1. Go to the Breached Password Protection tab, and click on the Continuous menu on the left.
  2. Make sure the Check for compromised passwords continuously drop-down is set to Using the online Complete API.
  3. Check the Email users when their passwords are found to be compromised option.
  4. From email and From name
    The contents of these two fields will be determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  5. To Email, CC and BCC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  6. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  7. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Breached Password Protection Complete text message notifications (Continuous)


As with Breached Password Protection Complete email notifications, users can be sent a text message whenever they have changed their password to one that is listed in the Breached Password Protection Complete database.

Configuring Breached Password Protection Complete text message notifications

  1. Go to the Breached Password Protection tab, and click on the Continuous menu on the left.
  2. Make sure the Check for compromised passwords continuously drop-down is set to Using the online Complete API.
  3. Check the Text users when their passwords are found to be compromised option.
  4. Alter the text to be included in the text message in the Text message field. To include placeholders, use the (Insert Placeholder) dropdown.
NOTE
To automatically include a default country code in case this is not included in the Active Directory entry, set the Default mobile number country code under General settings. For more information, please see the Administration page.
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Breached Password Protection Express Notifications (Continuous)


When Breached Password Protection Express is enabled, users can be notified by email when their current password has been found in the Breached Password Protection Express database after the database has been updated.

Configuring Breached Password Protection Express Dictionary

  1. Go to the Breached Password Protection tab, and click on the Continuous menu on the left.
  2. Make sure the Check for compromised passwords continuously drop-down is set to Using the local Express list.
  3. Check the Email users when their passwords are found to be compromised option.
  4. From email and From name
    The contents of these two fields will be determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  5. To Email, CC and BCC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  6. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  7. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Testing notifications


Sending test emails

For both expiration emails and compromised password notifications (Specops Breached Password Protection) you can send test emails to check the formatting and message.

  1. In the email notification section, click Send Test Email.
    NOTE
    Email notifications need to be activated in order to be able to send test emails.
  2. Click Select User.
  3. Enter a user from Active Directory to send the test email to.
  4. For Specops Password Policy you can set the days until expiration. This will usually only change the subject line of the email, unless the body of the email contains placeholders such as %DynamicExpirationInfo%.
  5. Click Send.
  6. A success message should appear in the bottom text field.
    NOTE
    In case the test email fails, the text box will show a message saying what is wrong (e.g. The Sentinel service responded with an error. [InvalidSmtpConfigurationException]: 'No SMTP server has been configured. This must be configured from Specops Password Policy Domain Administration.').

Placeholder texts


Placeholder texts can be used to insert dynamic information (such as password rules or the user’s email address) into notifications. Below is a list of all the placeholder texts available.

All placeholder texts (with the exception of those that only contain numbers) have been localized in the languages available in Specops Password Policy. The language presented to the user will depend on the setting for Notification language for the notification in question.

Note that not all placeholders are available for all notifications. The ones available to all notifications have been indicated with an asterisk.

%UserEmail% : user’s email address

%ManagerEmail% : send email to the manager about users whose passwords are about to expire

%SamAccountName% : user’s samAccountName attribute in AD*

%Upn% : user’s userPrincipalName attribute in AD*

%DisplayName% : user’s displayName attribute in AD*

%DynamicExpirationInfo% : e.g. “Your password will expire in 3 days”

%PasswordRules% : list of rules set in the configuration

%DaysUntilExpiration% : days until password expiration (1, 2, 3, 4, etc.)

%PasswordRulesHeader% : “Your new password must meet the following requirements:”