Administration

The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Notification settings in Group Policy Objects. The settings are stored as a part of the GPO. Managing Specops Password Notification settings in Group Policy allows you to control how and where the policies are applied.

Creating a configuration

  1. In the Group Policy Management Console (GPMC), create a new GPO or select an existing one that contains the users you want to notify.
  2. Open the Group Policy Editor by right-clicking on the GPO and selecting Edit.
  3. In the Group Policy Editor expand User Configuration, Policies, Windows Settings node, and select Specops Password Notification. Click Create Configuration.

If a configuration has previously been made, you will see an overview of the configuration when you click on the Specops Password Notification User Configuration. To edit an existing configuration, click on the Edit Configuration button. To delete a configuration, click the Remove Configuration button. Note that removing a configuration will delete all of the templates associated with that configuration.

Creating Email notification templates

Email notification templates are configurable email notifications that are sent to end users to inform them about an upcoming password expiration. These can be sent out at a particular day (for example, 3 days before password expiration), or within a certain interval (for example, 10 to 1 day(s) before password expiration). You can create as many email templates as you like. Note that the time of day the notifications will be sent depends on the configuration of the PollingTime registry setting (the default time is 00:00).

  1. In the GPO in question, create or Edit a configuration (please refer to the section above on how to create or edit a configuration).
  2. Click on Email notification templates in the left navigation.
  3. Click the New button to create a new template.
  4. Fill out all the fields in the template:
    Note that new templates will be partially filled out with default content.
    1. Days: sets the number of days before password expiration. This can be a specific day (e.g. 3) or an interval (e.g. 20-10). Note that you can also combine multiple days and intervals, as long as you separate them by commas (e.g. 10-5, 1 for the interval 10 to 5 days prior to expiration and 1 day prior to expiration). If you want to send two different notifications (with different texts), you have to make two templates.
    2. Sender address: sets the address the mail is sent from. Note that the actual SMTP configuration for the email is set in the SMTP Configuration menu (see section below).
    3. Sender display name: sets the sender name displayed in the email.
    4. To: sets the email address of the recipient. This should usually be set to the %mail% placeholder to send it to the user in question.
    5. CC: sets the email address where a copy can be sent.
    6. Email priority: sets the priority of the email notification. Can be set to High, Normal, or Low.
    7. Subject: the email’s subject line.
    8. Body: the body text of the email.
Copying a template

Templates can be copied by selecting an existing template and clicking on the New Copy button.

NOTE
copies of templates need to be saved by clicking OK once you have made all of your changes. Clicking Cancel will result in the copy being deleted.
Deleting templates

Templates can be deleted by selecting the template you want to delete and clicking the Delete button.

Placeholder text

In most template fields placeholder text can be input, which are variables that will be replaced by relevant values specific to the end user the email is sent to. So, the text “Your password will expire in %TotalDaysLeft% days,” for a template set to an interval of 20-10 days (in the Days field above), will be sent to all affected users whose password will expire in between 20 to 10 days, and will be converted to “Your password will expire in 12 days.” for a user whose password will expire in 12 days, while it will say “Your password will expire in 19 days.” for users whose passwords will expire in 19 days.

To insert placeholder texts, right-click inside the field where you want to insert the placeholder, and choose from the list that appears.

The following placholders are available:

  • %mail%: end user’s email address.
  • %TotalHoursLeft: number of hours left before password expiration.
  • %TotalDaysLeft%: number of days left before password expiration.
  • %HoursLeft%: number of hours left on the last day before expiration. This can be used in conjunction with %TotalDaysLeft% to give a more precise expiration time. E.g. “Your password will expire in %TotalDaysLeft% days and %HoursLeft% hours.”
  • %PasswordExpirationTime%: the expiration date and time displayed in the Timezone set in the Date Format configuration; the format is determined by the Region for date format.
  • %PasswordExpirationTimeUtc%: the expiration date and time displayed in UTC time. Note that this placeholder is a legacy placeholder and will be phased out in future versions; it will also not appear in the right-click menu.

Configuring SMTP settings

SMTP settings need to be configured before the configuration can be saved.

  1. In the GPO in question, create or Edit a configuration (please refer to the section above on how to create or edit a configuration).
  2. Click on SMTP Configuration in the left navigation.
  3. Fill out all the fields in the configuration:
    1. SMTP Server Name: name of the SMTP server used for sending the notification emails.
    2. SMTP Port Number: port used for SMTP communication (default is Port 25).
    3. Authentication Method: sets how the user account is authenticated when sending emails by SMTP.
      As the service account (default): uses the credentials of the account that is running the service.
      Custom Credentials: uses the username and password in the fields underneath
      Anonymous: same as the service account, but the address is not shared with the recipient.
    4. User name and Password: used when Custom Credentials above is chosen.
NOTE
the account chosen must have the correct privileges to send mails via SMTP.

Configuring date and time

The date format and time settings determine how the %PasswordExpirationTime% placeholder is converted.

  1. In the GPO in question, create or Edit a configuration (please refer to the section above on how to create or edit a configuration).
  2. Click on Date Format in the left navigation.
  3. Fill out all the fields in the configuration:
    1. Region for date format: determines the formatting of the date for the %PasswordExpirationTime% placeholder.
    2. Timezone: sets the timezone for the %PasswordExpirationTime% placeholder.
NOTE
Make sure you pick a region and timezone that corresponds to the users affected by the GPO. If your users are located in different regions/time zones you may want to create multiple GPOs for different user groups with the corresponding settings.

Applying policy settings

Specops Password Notification will read the maximum password age at a time determined by the PollingTime registry setting. This is also the time when notifications are sent out to users matching the criteria for notification. The default time is 00:00.

The password policy will apply to all user accounts in locations where your GPO is linked.

If more than one GPO is linked on the same level, the link order of the GPOs determine the order the GPOs will be processed. If conflicting settings from multiple GPO’s apply to a user, Group Policy will resolve the conflict. Group Policy Objects are applied in the following order; The GPO closest to the user object in AD will have the highest precedence:

  • Local Group Policy Objects
  • Site linked Group Policy Objects
  • Domain linked Group Policy Objects
  • OU linked Group Policy Objects

If the above order does not enable you to apply your preferred settings, you can use security filtering to control on a permission level which users and computers will be affected by the GPO. Security filtering allows you to apply different policy settings to objects located on the same level in Active Directory.

Specops Password Notification with Specops Password Policy

NOTE
If you are a Specops Password Policy customer, you might have password expiration emails already configured to send in your Password Expiration settings. Please check your Specops Password Policy notification settings before configuring Specops Password Notification to avoid possible conflicts.

For users using Specops Password Notification together with Specops Password Policy, note that Password Notification will take account of the length-based password aging feature in Password Policy. Length-based aging encourages users to create longer and more secure passwords, and rewards them for doing so, by giving them extra time before their passwords expire.

NOTE
in order for Specops Password Notification to be able to read custom expiration settings, the service account used for running the Specops Password Notification server must be a part of the security group configured for custom expirations in Specops Password Policy. To find the correct security group, access the Specops Password Policy Domain Administration and go to Domain Settings. The Security Settings section will display the information for the correct security group.

More information on length-based password aging can be found here.

The number of days set in the Specops Password Notification configuration will reference the password
expiration date dictated by the length of the user’s password.