Active Directory Password Expiry Reminder Email


If you have managed an Active Directory installation with a large number of users who connect to the network infrequently, you have probably run into the problem of a user's password expiring while they are away from the network, possibly leaving them unable to reset it remotely.

I was recently in this situation and had to write a script to notify users of an impending password expiry. Here is what the script does:

The script queries your domain for all user accounts and reads each account's last password change date (the pwdLastSet attribute). That value is compared against your domain's maximum password age (maxPwdAge), and an email reminder is sent to the user telling them their password is about to expire in x days. The reminder is sent 9, 6 and 3 days before the actual expiry date, giving the user enough time to change the password while they still can. Two cases to keep in mind when you adapt it: accounts flagged "Password never expires" and accounts that must change their password at next logon (pwdLastSet of 0) should be skipped, and on domains that use fine-grained password policies the domain-wide maximum age is not necessarily the one that applies to a given user.

You can schedule the script to run once a day. To do that, write a simple batch file that calls the script and logs its output to a file, and run the batch file from Task Scheduler. Call the script with cscript rather than double-clicking it: double-clicking runs it under wscript, which turns every line of output into a message box, whereas cscript writes to the console so the output can be redirected to a log. The script only reads the directory and sends mail, so it does not need domain administrator rights; it can run under the local system account (which reads the domain as the computer account) or under a dedicated low-privilege account. Save the following line as a batch file that calls the script:

cscript "Path\to\the\vbs\script" > PwdExpyEmail.log

You can download the script here.

Note: You will have to edit the values between the **** to suit your environment.
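As an added example that is not part of the original post or its VBScript, here is the same reminder logic written in PowerShell: it computes whole days until expiry, mails only on the 9/6/3-day milestones (so a user who changed their password today gets nothing), skips accounts that never expire or have no mail address, and writes one log file per run with a timestamp that is safe in a file name, which also answers the timestamped-log question in the comments. Everything not in the post is an assumption: it expects the RSAT ActiveDirectory module, the SMTP server and sender address are placeholders, and the -Sample switch with its constructed users exists only to show the selection logic offline.

```powershell
# Added example (not the post's VBScript): the reminder logic in PowerShell.
# Assumptions, none taken from the original post: the RSAT ActiveDirectory module
# is installed where this runs; the SMTP server and sender address are placeholders;
# the -Sample switch and the users it builds exist only to show the selection logic.
param(
    [int[]]  $WarnDays   = @(9, 6, 3),               # the post's 9/6/3-day reminders
    [string] $SmtpServer = 'smtp.example.local',     # placeholder, edit for your site
    [string] $From       = 'helpdesk@example.local', # placeholder, edit for your site
    [string] $LogDir     = '.',
    [switch] $Sample                                 # constructed users, no AD query, no mail
)

# Value of msDS-UserPasswordExpiryTimeComputed when no expiry applies to the account.
$NeverExpires = [long]::MaxValue

function Get-DaysUntilExpiry {
    param([datetime] $ExpiryTime, [datetime] $Now = (Get-Date))
    # Whole days remaining, rounded down, so 3.9 days left still triggers the 3-day mail.
    [int][math]::Floor(($ExpiryTime - $Now).TotalDays)
}

function Select-ReminderUsers {
    param([object[]] $Users, [int[]] $WarnDays, [datetime] $Now = (Get-Date))
    # $Users carry Name, EmailAddress and ExpiryTime ([datetime], or $null when the
    # password never expires or must be changed at next logon). Only users whose
    # remaining days exactly equal a reminder day are returned, so each milestone is
    # mailed once and someone who changed their password today is left alone.
    foreach ($u in $Users) {
        if ($null -eq $u.ExpiryTime -or [string]::IsNullOrEmpty($u.EmailAddress)) { continue }
        $days = Get-DaysUntilExpiry -ExpiryTime $u.ExpiryTime -Now $Now
        if ($WarnDays -contains $days) {
            [pscustomobject]@{ Name = $u.Name; EmailAddress = $u.EmailAddress; DaysLeft = $days }
        }
    }
}

function Get-AdPasswordExpiry {
    # Read the expiry time AD computes itself. Unlike pwdLastSet + the domain's maxPwdAge
    # it already honours fine-grained password policies. The attribute is a FILETIME.
    Import-Module ActiveDirectory
    Get-ADUser -Filter { Enabled -eq $true } -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            $expiry = if ($raw -and $raw -ne $NeverExpires) { [datetime]::FromFileTime($raw) } else { $null }
            [pscustomobject]@{ Name = $_.SamAccountName; EmailAddress = $_.mail; ExpiryTime = $expiry }
        }
}

function Send-ExpiryReminder {
    param($User, [string] $SmtpServer, [string] $From)
    $subject = "Your network password expires in $($User.DaysLeft) day(s)"
    $body = "$subject. Please change it while connected to the network (Ctrl+Alt+Del, Change a password)."
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $User.EmailAddress -Subject $subject -Body $body
}

# Constructed sample users (not real accounts) with a fixed 'today' so the run is reproducible.
$now = Get-Date '2009-07-20 09:00'
$sampleUsers = @(
    [pscustomobject]@{ Name = 'alice'; EmailAddress = 'alice@example.local'; ExpiryTime = $now.AddDays(9.5) } # 9 days: mailed
    [pscustomobject]@{ Name = 'bob';   EmailAddress = 'bob@example.local';   ExpiryTime = $now.AddDays(3.2) } # 3 days: mailed
    [pscustomobject]@{ Name = 'carol'; EmailAddress = 'carol@example.local'; ExpiryTime = $now.AddDays(42) }  # changed today: no mail
    [pscustomobject]@{ Name = 'dave';  EmailAddress = 'dave@example.local';  ExpiryTime = $null }             # never expires: skipped
    [pscustomobject]@{ Name = 'erin';  EmailAddress = '';                    ExpiryTime = $now.AddDays(6.1) } # no mail attribute: skipped
)

if ($Sample) { $users = $sampleUsers } else { $now = Get-Date; $users = Get-AdPasswordExpiry }

# One log file per run, named with a timestamp that contains no '/' or ':' (the characters
# %DATE% and %TIME% would put into a file name on most Windows locales).
$log = Join-Path $LogDir ('PwdExpyEmail-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

foreach ($u in Select-ReminderUsers -Users $users -WarnDays $WarnDays -Now $now) {
    if (-not $Sample) { Send-ExpiryReminder -User $u -SmtpServer $SmtpServer -From $From }
    $line = '{0:s} reminder {1} <{2}> {3} day(s) left' -f (Get-Date), $u.Name, $u.EmailAddress, $u.DaysLeft
    Add-Content -Path $log -Value $line
    $line
}
```

Running it as `.\PwdExpiry.ps1 -Sample` (the file name is an assumption) prints and logs two reminder lines, for alice and bob, and sends no mail; without -Sample it queries the domain and mails the matching users. Schedule it the same way as the batch file, e.g. a daily task running `powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\PwdExpiry.ps1` under an account that only needs to read the directory and relay mail.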


  1. #1 by Mike T on August 18, 2009 - 7:46 PM

    Thank you again

    By the way, I too, drive a Honda del Sol out here in California.

    Thanks

    Mike T

  2. #2 by Sheen on August 11, 2009 - 4:25 PM

    @Mike,
    Sorry for the delay in replying…
    Yes there is a simple way of getting that done -
    Instead of this:
    cscript "Path\to\the\vbs\script" > PwdExpyEmail.log
    Use:
    cscript "Path\to\the\vbs\script" > "%DATE:/=-%_%TIME::=-%.log"
    This will create a new log file every run with the date and time stamp of the run time.

    Sheen.

  3. #3 by Mike T on July 30, 2009 - 2:37 AM

    This script is fantastic. Is there an easy way to modify the script or batch file to rename the file so that it doesn't get overwritten, or to just email the output to the help desk?

  4. #4 by Sheen on July 28, 2009 - 7:57 PM

    @Mike,
    Glad to know it worked!

    Sheen.

  5. #5 by Mike T on July 28, 2009 - 7:33 AM

    I must have had a typo first time through. Redid the batch file and all is well.

    Thank you

  6. #6 by Sheen on July 23, 2009 - 8:31 AM

    @Mike,
    Can you try this: cscript "Path\to\the\vbs\script" > PwdExpyEmail.log
    This should properly execute the script.
    I think right now, you are executing the script by double clicking on it.
    Do try this and let me know.

    Sheen.

  7. #7 by Mike T on July 23, 2009 - 7:57 AM

    Thanks for the reply. I have changed the 3 to 180. I see nothing in the log, rather I get 3 screen popups for each account from Windows Script Host. The first gives the user name and email information. Second is Password last changed date and time. Third is password changed X number of days ago. Previously, I also saw a popup stating an expired user was emailed. I have to manually clear each popup.

    Thanks, Mike T

  8. #8 by Sheen on July 21, 2009 - 7:07 AM

    @Mike,
    You will need to edit the value of PasswordExpiry=3 to a value that matches the actual ‘Max Password Age’ value for your domain.
    Could you let me know what 'screen popups' we are talking about?
    I just tested the script again and found that all email events are getting logged.
    Do let me know if nothing is getting logged at all.

    Sheen.

  9. #9 by Mike T on July 20, 2009 - 3:19 PM

    Hi,

    I have run your script. It notifies users that have just changed password today (0 days). Is there a way to modify the script to prevent this? Also, how can I turn off the screen popups? I had 2 users who had just changed password and received email. These events were not logged.

    Thanks for any help,

    Mike T
