In this blog, we see how to notify users via email when their password is about to expire.
Sometimes due to security purposes, you need to notify users when their passwords expire and change it. By reminding your users in advance to change their passwords through email, you can also eliminate several problems due to an expired password. This will also save them from frustration and save you time too.
Windows Logon Mechanism:
Authentication: Authentication is a user action. In this user supplies his log on credentials i.e. user name and password.
Authorization: In authorization, after providing the authentication credentials it decides the user is authorized to access the resources.
Interactive Log on – Using Local User Account or Domain User Account
Interactive Logon – When a user logs on to the computer using the Domain account or local user account.
Local User Account: The local user account is created under the Security Accounts Manager (SAM) of the local computer. It’s user information which is stored in local computer registry only, even if it is a network computer.
Domain User Account: The domain user account is created in the Active Directory of the domain. Here users have access to the both resources i.e. local system and the domain.
How did password expiry notifications work in interactive logon?
For security reasons Password expiry implemented in which we force users to change their passwords periodically. Generally, we expect that all the users change their passwords when it came time to change, prior to its expiry to avoid IT help desk or administrator for password resetting. From Windows 98 onwards, all the Windows operating system, have the facility to remind users in advance for password expiry. Administrators can set password expiry notification and its configurations using Active Directory feature. Else you can edit the interactive logon policies by yourself.
Set yourself in advance how many days users need to be reminded of password expiry
For this you need administrative rights, then you can set how many days in advance the reminder message should appear or sent to the user by using the Local Group Policy Editor of your system. To do this follow the below steps:
-
- Click the Start > then Run, and enter gpedit.msc
- Click the Start > then Run, and enter gpedit.msc
-
- The Group Policy Editor appears, then expand its nodes -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies; then select Security Options.
- The Group Policy Editor appears, then expand its nodes -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies; then select Security Options.
-
- After this open the policy ‘Interactive Logon: Prompt user to change the password before expiration.’
-
- Now you can see the default value for this setting. Here you can change the value as per your requirement and then click Apply.
Prompt user to change the password before expiration setting to 14 days.
- Now you can see the default value for this setting. Here you can change the value as per your requirement and then click Apply.
-
- If you need to know more about this setting, just click the Explain This Setting tab.
- If you need to know more about this setting, just click the Explain This Setting tab.
- You can also modify some more Interactive logon settings if required. To learn or know more about each setting just check Explain This Setting tab of the corresponding policy window.
Now users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days.
Administrators can configure password settings – Active Directory administrators can use Group Policy Settings to configure many password related policies at the domain level.
Script Password Expiry Email Notification
Sending custom “password is about to expire” notifications with PowerShell