In an environment where every computer you have is a PC and every computer is joined to your domain, password expiration is handled for you. If a user's password is about to expire, they are notified every time they log on and are forced to change it once it has expired.
Today, a network full of PCs isn't always feasible and, in some cases, joining the machine to the domain isn't acceptable. I have worked in environments where every user had a laptop which could not be added to the domain. I have also worked in an environment where there were just as many Macs as PCs. I had to answer a question that I feel many admins will have to face in the next few years:
How do you manage password expiration for users that cannot be added to the domain?
There are a few restrictions that I placed on myself for this:
1) The solution should have a minimal impact on security.
2) The solution should preserve the use of SSL IMAP and SSL SMTP for the users that require it.
3) The solution should require minimal maintenance.
4) The solution should be automated.
My answer to this was an automated password expiration email reminder and enabling password changing through OWA.
Scouring the web, I found a few pay-for solutions, but I truly felt like this should be a feature included within Windows.
Then I came across this:
It seemed perfect, if it worked.
After a bit of research I got the script to work and added a few things to it. The download link is below and the configuration options are as follows:
'Script Configuration Options
Const EMAIL_SERVER = "exchange.domain.local"
Const EMAIL_FROM = "firstname.lastname@example.org"
Const OWA_STRING = "at https://exchange.domain.com"
Const FIRST_REMINDER_DAY = 10
Const START_REMINDER_DAYS = 7
'Where log files will be stored
'Remember to end with a trailing backslash
Const LOG_PATH = "C:\EMAIL_REMINDER\"
'This setting allows you to append the date to the log file so that you get an Archive
Const APPEND_DATE = 0
'SET DEBUG MODE to 1 to send all emails to debug_email
DEBUG_MODE = 1
DEBUG_EMAIL = "email@example.com"
EMAIL_SERVER sets the SMTP server that the email should be sent through
EMAIL_FROM sets the from address
OWA_STRING sets the OWA address that is included in the reminder
FIRST_REMINDER_DAY sets the first day that the reminder should go out
START_REMINDER_DAYS sets the first day that the user should receive continuous reminders until the password has expired
In this case, the user would receive a reminder 10 days before the password expired and then on the 7th, 6th, 5th… until the password did expire.
LOG_PATH sets where the logs will be stored
APPEND_DATE allows you to append the run date to the end of the log so that you can have an archive
DEBUG_MODE sends all of the emails to the DEBUG_EMAIL if it is not set to 0
DEBUG_EMAIL is where you would get the password expiration emails if DEBUG_MODE is set
Set this VBScript to run as a scheduled task under a domain admin account every day, and your users will now get password expiration emails.
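To make the reminder schedule concrete, here is an added Python model of the script's decision logic; it is not the VBScript from the download, and the user records, dates and attribute values are constructed for the demo. It converts the AD attributes pwdLastSet and maxPwdAge (both stored as 100-nanosecond intervals) into days until expiry, applies FIRST_REMINDER_DAY and START_REMINDER_DAYS exactly as described above, honours DEBUG_MODE, and skips accounts whose password never expires or must be changed at next logon.

```python
from datetime import datetime, timedelta, timezone

# Constants mirroring the post's configuration (constructed values for the demo).
FIRST_REMINDER_DAY = 10   # one-off reminder this many days before expiry
START_REMINDER_DAYS = 7   # then a reminder every day from here until expiry
DEBUG_MODE, DEBUG_EMAIL = 1, "email@example.com"
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def max_pwd_age_days(max_pwd_age):
    """maxPwdAge on the domain object is a negative 100-ns interval."""
    return -max_pwd_age / (10_000_000 * 86400)

def days_until_expiry(pwd_last_set, max_pwd_age, now):
    """Whole calendar days until the password expires (negative once expired)."""
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_pwd_age_days(max_pwd_age))
    return (expires.date() - now.date()).days

def should_remind(days_left):
    """Schedule from the post: once at FIRST_REMINDER_DAY, then every day from
    START_REMINDER_DAYS down to the day the password expires; nothing afterwards."""
    return days_left == FIRST_REMINDER_DAY or 0 <= days_left <= START_REMINDER_DAYS

def plan_reminders(users, max_pwd_age, now):
    """(account, days_left, to_address) for each user due a reminder today; skips
    pwdLastSet == 0 (must change at next logon) and never-expiring passwords."""
    due = []
    for u in users:
        if u["pwdLastSet"] == 0 or u["userAccountControl"] & DONT_EXPIRE_PASSWORD:
            continue
        left = days_until_expiry(u["pwdLastSet"], max_pwd_age, now)
        if should_remind(left):
            to = DEBUG_EMAIL if DEBUG_MODE != 0 else u["mail"]   # DEBUG_MODE redirects all mail
            due.append((u["sAMAccountName"], left, to))
    return due

# Constructed sample directory: 90-day maxPwdAge, passwords last set N days ago.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 86400 * 10_000_000
def _user(name, days_ago, uac=0):
    last_set = 0 if days_ago is None else datetime_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "mail": f"{name}@example.com",
            "pwdLastSet": last_set, "userAccountControl": uac}
SAMPLE_USERS = [_user("alice", 80), _user("bob", 87), _user("carol", 82),
                _user("dave", None), _user("erin", 89, DONT_EXPIRE_PASSWORD), _user("frank", 95)]
```

With these samples only alice (10 days left) and bob (3 days left) get mail today; carol at 8 days falls in the quiet gap between the two thresholds, and frank's already-expired password gets nothing, which is the behaviour described above.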