Hey everyone! I'm trying to enhance our user experience regarding password expiration. Often, users forget to change their passwords until it's too late, leading to helpdesk tickets and frustration for all involved. I'm looking to set up an automated system that alerts users when their passwords are nearing expiration (like 15 days in advance). Here's what I'm aiming for:
- Pull password expiration dates from Active Directory
- Send reminders at multiple intervals (15, 7, 3, and 1 day before expiration)
- Use our email server for notifications (preferably with nice HTML formatting)

PowerShell is a tool I usually prefer, but I'm open to any suggestions for scripts, tools, or workflows that have worked for you in your organizations. Thanks!

5 Answers
A different approach is not notifying users at all. Users become reliant on reminders and may fall for phishing attempts, thinking they’re legitimate. It's a risk that some organizations are avoiding.
Here's a simple script I’ve shared before for sending reminders using PowerShell. It sends emails about 7 days before the password expiry. Make sure user profiles in AD have their emails configured correctly. It's a solid starting point!
For Office 365, the SMTP settings are generally smtp.office365.com on port 587 for outgoing mail.
Many recommend against enforcing password expiration. Organizations like Microsoft and NIST advise against it because it can lead to users creating weak passwords. If you're looking to encourage better security practices, consider enforcing multi-factor authentication instead.
There are tools like Specops or ManageEngine that can help you send reminders about password expiration. They allow you to set reminders at various intervals, so it’s worth looking into those options!
I actually use PowerShell for this. I send notifications starting 14 days before expiration, then every morning for the last week leading up to the deadline. It keeps users informed without overwhelming them.
Thanks! Could you point me to more details on how to set up the SMTP server part in the script?
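
An added example, not code posted by anyone in this thread: a daily PowerShell job for the workflow the question describes (read expiry from AD, notify at 15, 7, 3 and 1 days, send HTML mail over SMTP). It assumes the RSAT ActiveDirectory module; the sender address, the `$DryRun` switch and the message wording are placeholders, and the body carries no links so users are not trained to click through reminder mail.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and a mailbox allowed to send via SMTP.
# $From, $DryRun and the message wording are placeholders, not values from the thread.
Import-Module ActiveDirectory

$Thresholds = 15, 7, 3, 1                 # days before expiry on which to notify
$From       = 'it-notify@example.com'     # placeholder sender
$Smtp       = 'smtp.office365.com'        # host and port as mentioned in the thread
$Port       = 587
$DryRun     = $true                       # set to $false to actually send
# Interactive prompt; for a scheduled task, load the credential from a secret store instead
$Cred       = if ($DryRun) { $null } else { Get-Credential }

function Get-DaysToExpiry([long]$FileTime, [datetime]$Today) {
    # 0 = must change at next logon; Int64 max = password never expires
    if ($FileTime -le 0 -or $FileTime -eq [long]::MaxValue) { return $null }
    # Compare calendar dates so a once-a-day run hits each threshold exactly once
    return ([datetime]::FromFileTime($FileTime).Date - $Today.Date).Days
}

# The computed attribute already reflects fine-grained password policies
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    $fileTime = $u.'msDS-UserPasswordExpiryTimeComputed'
    $days = Get-DaysToExpiry $fileTime (Get-Date)
    if ($null -eq $days -or $days -notin $Thresholds) { continue }
    if (-not $u.mail) { Write-Warning "$($u.SamAccountName): no mail attribute"; continue }

    # No links in the body: the user is told where to change the password locally
    $name = [System.Net.WebUtility]::HtmlEncode($u.Name)
    $body = @"
<html><body style="font-family:Segoe UI,Arial,sans-serif">
<p>Hello $name,</p>
<p>Your password expires in <b>$days day(s)</b>.</p>
<p>Press Ctrl+Alt+Del and choose <i>Change a password</i>. This message contains no links.</p>
</body></html>
"@
    if ($DryRun) { "{0,-20} {1,2} day(s) -> {2}" -f $u.SamAccountName, $days, $u.mail; continue }
    Send-MailMessage -From $From -To $u.mail -Subject "Password expires in $days day(s)" `
        -Body $body -BodyAsHtml -SmtpServer $Smtp -Port $Port -UseSsl -Credential $Cred
}
```

Run it once with `$DryRun = $true` to list who would be mailed before enabling delivery. Microsoft marks `Send-MailMessage` as obsolete, so current PowerShell versions print a warning when it is used.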