Password Expiration Notification Form

I have been tasked with creating a prompt for our users logging into our terminal server farm: if their AD password is less than 6 days from expiring, they will receive a window prompt informing them of the expiration, with an option to change their password now or do it later.

The Windows form is a no-brainer which I will create with PowerShell Studio. I will simply create a form that does a Get-Date for today and then, based on the user login, does a Get-ADUser for that user, gets the expiration date, gets the date difference and, if it is less than or equal to 6 days, displays my Windows form. One button will call the shell script to change their password and the other will just close the form.

My only issue is where do I launch this PowerShell form from? Each user uses a login script, so do I launch it from there? I need to have them fully logged into their terminal server before they see the prompt. Do I use NETLOGON and call my script that way?

Not really sure how to position this script (I will most likely have a full exe placed somewhere in our environment).

Doesn’t Windows already do that?

You can set the number of days before expiration at which it prompts. Forgive me if I misunderstood.

The problem is that users are not seeing it and it results in a deluge of calls that their password has expired. We apparently need something more in their field of view.

Just an idea: What about using the task scheduler? There you can set up a trigger like “At log on” or “On connection to user session” and you can set up a delay if you need.

Brian, what about an email notification to your entire environment when their PW is less than xx days from expiring? We currently do this weekly when it is less than 14 days till expiration. The issue would be if you have a lot of users without email.

# Date when passwords are 14 days from expiration (date minus (90-14) days, i.e. a 90-day MaxPasswordAge)
# $ExceptionOUs, $smtpServer and $from are set earlier in the full script for our environment
Import-Module ActiveDirectory
$DaysExpire = (Get-Date).AddDays(-76)
$users = Get-ADUser -Filter {(Enabled -eq $True) -and (mail -like "*@*") -and (PasswordLastSet -le $DaysExpire) -and (PasswordNeverExpires -eq $false)} `
    -Properties GivenName,sn,mail,PasswordLastSet,Enabled,PasswordNeverExpires,PasswordExpired -Server dc.domain.com |
    Where-Object { $_.DistinguishedName -notlike "*,$ExceptionOUs" -and $_.PasswordExpired -eq $false }

Then we run a foreach. This can probably be done a lot cleaner, but this is the code we have been using:

foreach ($user in $users) {
    $FirstName       = $user.GivenName
    $LastName        = $user.sn
    $emailaddress    = $user.mail
    $passwordSetDate = $user.PasswordLastSet
    # Default domain policy only; fine-grained password policies are not taken into account here
    $maxPasswordAge  = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $expireson       = $passwordSetDate + $maxPasswordAge
    $today           = Get-Date
    $daystoexpire    = (New-TimeSpan -Start $today -End $expireson).Days
    $subject         = "Your password will expire in $daystoexpire days"

    $body = "Dear $FirstName $LastName,
Your Windows Account Password will expire in $daystoexpire days.

To change your password on a PC (must be connected to vpn or in a corporate physical location) press CTRL-ALT-Delete and choose Change Password...
If your phone or other device is receiving company email, don't forget to change your password on those devices too!

If you have difficulty changing your password or your account is locked out, please call HELPDESK at 1-800-555-5555.

Thank you,
Your IT Administrator
"
    # -BodyAsHtml collapses plain line breaks, so turn them into <br> tags before sending
    Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body ($body -replace "`n", "<br>`n") -BodyAsHtml -Priority High
}

Hope this can help. Either way, maybe look at how I get the users with PWs expiring to figure out how to add it to the login script Olaf recommended, which is a great option if you only care about the TS boxes.
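As an added example (not code from either poster), here is a PowerShell check for the interactive user that covers both the per-user form in the original question and the expiry calculation in the script above. It reads the expiry time the domain controller computes instead of adding MaxPasswordAge to PasswordLastSet, so fine-grained password policies are honoured, and it handles the never-expires and must-change-at-next-logon cases that would otherwise throw or mislead. It assumes the ActiveDirectory module is installed; the function name Get-PasswordExpiryStatus is hypothetical.

```powershell
# Added example, not from the thread. Decides whether the logged-on user should get the expiry prompt.
# msDS-UserPasswordExpiryTimeComputed is calculated by the DC and honours fine-grained password
# policies, unlike PasswordLastSet + the default domain MaxPasswordAge. Requires RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [int]$WarnDays = 6          # threshold from the original post
    )

    $attr = 'msDS-UserPasswordExpiryTimeComputed'
    $user = Get-ADUser -Identity $SamAccountName -Properties $attr, PasswordNeverExpires, PasswordExpired
    $raw  = [int64]$user.$attr      # FILETIME (100-ns ticks since 1601), or a sentinel value

    $result = [pscustomobject]@{
        User = $SamAccountName; ExpiresOn = $null; DaysLeft = $null; Prompt = $false; Reason = ''
    }

    # 0x7FFFFFFFFFFFFFFF (Int64.MaxValue) means "never expires"; FromFileTime would throw on it.
    if ($user.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
        $result.Reason = 'PasswordNeverExpires'
        return $result
    }
    # 0 means "user must change password at next logon": treat it like an expired password.
    if ($raw -eq 0 -or $user.PasswordExpired) {
        $result.Prompt = $true; $result.DaysLeft = 0; $result.Reason = 'Expired or must change at next logon'
        return $result
    }

    $result.ExpiresOn = [datetime]::FromFileTime($raw)
    $result.DaysLeft  = [math]::Floor(($result.ExpiresOn - (Get-Date)).TotalDays)
    $result.Prompt    = $result.DaysLeft -le $WarnDays
    $result.Reason    = if ($result.Prompt) { "Expires within $WarnDays days" } else { 'OK' }
    return $result
}

# Run from a logon script or an "At log on" scheduled task: $env:USERNAME is the interactive user.
$status = Get-PasswordExpiryStatus -SamAccountName $env:USERNAME -WarnDays 6
if ($status.Prompt) {
    # Show the Windows Form here; $status.DaysLeft and $status.ExpiresOn feed the message text.
    Write-Host "Password for $($status.User) expires $($status.ExpiresOn) ($($status.DaysLeft) days left): $($status.Reason)"
}
```

Because the decision is a single object, the same function can drive the form on the terminal servers and the server-side mailer, so the two paths never disagree about who is about to expire.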

As Don Jones would say, that’s an HR issue. It’s not unreasonable to expect them to see it and not let their passwords expire. However, why not just email them until they get the hint? Surely they don’t miss their emails too? Server side script that emails people with passwords expiring in n days or less, possibly getting more frequent as the day approaches? CC’ing the <insert scary person> for extra motivation?

This is a good idea, but there is a subset of clinics that do not have email for their staff.

I could do this with the Task Scheduler, but there are probably a total of 120 terminal servers. I would have to create the task on all of them, and then updates/edits would have to be done on EACH. Ideally I would want a centrally managed solution.

I’d like to share another idea you might discuss with your colleagues, security officers, managers … even Microsoft recommends considering dropping password expiration policies.

https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903

This doc might not be about your target environment but I think that does not really matter for this topic.

Very interesting. Thanks for sharing, Olaf.