DON'T REINVENT THE COW

This is a place for Systems Administrators and IT Professionals to find and share ideas, solutions and templates. If you have something that helps you solve a problem, chances are it will help someone else too. So pay it forward and send an email to TheAgreeableCow at gmail. Full mudos to you!

Wednesday 13 June 2012

Preventing Password Expirations with Custom Emails and Reports

One of the big sources of calls to the Helpdesk department is the fallout from expired passwords. Generally users will get a Windows message box at login warning about this, but I find that this basic prompt doesn't always work in practice. Firstly, by default it pops up way too early and is often more annoying for your users. Secondly, most people just tend to ignore it and often continue to do so until it is too late. Also, for environments that use Citrix published apps or terminal services sessions, there can be some delays in password replication and conflicts if users change their password at logon. This can lead to account lockouts and even more Helpdesk calls! Finally, if you happen to turn on some group policy features, this warning simply will not show up at all.

So, this project is about contacting your users via email and advising them with your own clear message that their passwords are about to expire. At the same time, it generates a simple report for the administrator, giving them a heads up on potential issues. The original script was sourced some time ago, so if I find the originator, I'll be sure to pass on all mudos.

Also note that this script uses Quest's ActiveRoles. You can of course easily customise it to use the native AD module instead. Once you're happy, set it up as a daily scheduled task. Ideally do this late in the afternoon, to remind users just before they are about to log off. Also have a look at customising the messages within the emails. You do want to keep this simple but informative. Keep in mind that since passwords can be sensitive and phishing is so easy, you don't want to establish bad behaviours (such as clicking on a hyperlink).

There are three broad sections in the script. The first is to email users whose passwords have expired. I find this a little counter-intuitive, but some environments might find this handy. Perhaps they might still have Blackberry working, or you might simply want to send it as a record with information about how to avoid this next time.

The second section is where it sends an email to each user whose password is expiring within your designated time. Personally I set this as less than 5 days. This is enough to cover weekends and part-timers, but not so repetitive that it becomes annoying. Additionally, you might also have system accounts, so in these cases (where there isn't a valid email recipient), it will send the email to the administrator.

The final section is where it collects all of the users whose passwords are about to expire and all of the users whose passwords have expired, and wraps it up into a nice email report for the administrator. This can be handy, because you can see the people that are ignoring their emails as they just keep showing up in that report! A quick proactive phone call would be much appreciated by the user and the Helpdesk.
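The three sections described above, sketched with the native ActiveDirectory module rather than Quest ActiveRoles. This is an added example, not the script this post refers to; the SMTP server, the addresses and the message wording are placeholders.

```powershell
# Added example (not the original script). Placeholder values are marked.
Import-Module ActiveDirectory

$SmtpServer = 'smtp.example.com'      # placeholder
$From       = 'helpdesk@example.com'  # placeholder
$AdminMail  = 'admin@example.com'     # placeholder
$WarnDays   = 5                       # warn when fewer than 5 days remain

function Get-PasswordState {
    # Classify an account from msDS-UserPasswordExpiryTimeComputed (a FILETIME).
    param([long]$ExpiryFileTime, [datetime]$Now, [int]$WarnDays)
    # 0 = must change at next logon, Int64 max = never expires: skip both,
    # FromFileTime would misreport the first and throw on the second.
    if ($ExpiryFileTime -le 0 -or $ExpiryFileTime -eq [long]::MaxValue) { return $null }
    $days = [int][math]::Floor(([datetime]::FromFileTime($ExpiryFileTime) - $Now).TotalDays)
    if ($days -lt 0)         { return [pscustomobject]@{ State = 'Expired';  Days = $days } }
    if ($days -lt $WarnDays) { return [pscustomobject]@{ State = 'Expiring'; Days = $days } }
    return $null
}

$now   = Get-Date
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

# Sections 1 and 2: mail each expired or expiring user and keep a row for the report.
$report = foreach ($u in $users) {
    $s = Get-PasswordState $u.'msDS-UserPasswordExpiryTimeComputed' $now $WarnDays
    if (-not $s) { continue }
    # System accounts without a mailbox fall back to the administrator.
    $to = if ($u.mail) { $u.mail } else { $AdminMail }
    $subject = if ($s.State -eq 'Expired') { 'Your password has expired' }
               else { "Your password expires in $($s.Days) day(s)" }
    # Plain text, no hyperlinks: password mail should never train users to click.
    $body = "Hello $($u.Name),`n`n$subject.`nTo change it, press Ctrl+Alt+Del on your work PC and choose 'Change a password'."
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to -Subject $subject -Body $body
    [pscustomobject]@{ User = $u.SamAccountName; State = $s.State; Days = $s.Days; SentTo = $to }
}

# Section 3: one summary for the administrator; repeat offenders show up every day.
if ($report) {
    $html = $report | Sort-Object State, Days | ConvertTo-Html -Title 'Password expiry report' | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $AdminMail -BodyAsHtml -Body $html `
        -Subject "Password expiry report: $(@($report).Count) account(s)"
}
```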

Here's the full script.


 Cheers,
         (__)
         (oo)  ok
   /------\/  /
  / |    ||
 *  /\---/\
    ^^   ^^

