Question:

On website AD login, how to remind user to change his AD password which is due for expiry?

Sebastian: 2 weeks ago

We are using SharePoint 2010.

The website is an intranet portal with AD username authentication. When the user opens the site in IE, the login window pops up. When the user enters username and password and clicks 'OK', we need to alert the user if his/her password is about to expire in 20 days or less. How can we catch the login popup's 'OK' click event?

What is best practice for this? Please note that we do not want to purchase/reuse solutions from CodePlex or others; instead we need to create this from scratch for various reasons.

Other options:

If we create a web part on the homepage that queries AD and gives an alert message, then the problem is that if the user enters the URL of any other page besides the homepage, he will not get this popup unless he clicks on the homepage.

If we use the master page, then the alert box will come up multiple times. This can be controlled by using a user profile property, but is there any other simple way?

Answer:
Scarlett: 2 weeks ago

There is a little script on TechNet that solves this issue! No need for web parts... web parts bring in other complications: they are fine if you have a public open page that everyone first gets to regardless, which contains the web part for login; when you log in it will query AD whether the password needs changing, and if it does then show the change part, else log in... but if your web part is within a logged-in area, then how are they meant to change the password if it's expired, when the web part is in a secured location you no longer have access to?

The script instead runs in the background, similar to the timer job method:

This script will email a user in the event that their password is due to expire in X number of days.

Configure the SMTP Servername and the ExpireInDays variables at the start.

The script will query AD for the MaxPasswordAge value and add that to a user's last password set date, giving the expiry date.

If the date is less than your ExpireInDays variable an email will be sent.

You can configure the subject and the body of the message, and of course the send from address.

This is very useful when run as a scheduled task as it will reduce the number of support calls you might get due to expired passwords.

In the body of the message you can state how many days a user has until their password expires, and also give instructions on how to reset their password, or who they should talk to if they cannot do it.

http://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27


The script from the link above; you need to change only a few parts to suit your needs, like the days (instead of 21 change to 20), email addresses etc.

#################################################################################################################
#
# Version 1.1 May 2014
# Robert Pearman (WSSMB MVP)
# TitleRequired.com
# Script to Automated Email Reminders when Users Passwords due to Expire.
#
# Requires: Windows PowerShell Module for Active Directory
#
# For assistance and ideas, visit the TechNet Gallery Q&A Page.    http://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27/view/Discussions#content
#
##################################################################################################################
# Please Configure the following variables....
$smtpServer = "mail.server.com"
$expireindays = 21
$from = "Company Administrator <support@mycompany.com>"
$logging = "Enabled" # Set to Disabled to Disable Logging
$logFile = "<log file path>" # ie. c:\mylog.csv
$testing = "Enabled" # Set to Disabled to Email Users
$testRecipient = "testuser@company.com"
$date = Get-Date -Format ddMMyyyy
#
###################################################################################################################

# Check Logging Settings
if ($logging -eq "Enabled")
{
    # Create the CSV log file with headers if it does not exist yet
    if (-not (Test-Path $logFile))
    {
        New-Item $logFile -ItemType File | Out-Null
        Add-Content $logFile "Date,Name,EmailAddress,DaystoExpire,ExpiresOn"
    }
} # End Logging Check

# Get Users From AD who are Enabled, Passwords Expire and are Not Currently Expired
Import-Module ActiveDirectory
$users = Get-ADUser -Filter * -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress |
    Where-Object { $_.Enabled -eq $true } |
    Where-Object { $_.PasswordNeverExpires -eq $false } |
    Where-Object { $_.PasswordExpired -eq $false }

# Domain default; a fine-grained policy may override it per user below
$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# Process Each User for Password Expiry
foreach ($user in $users)
{
    $Name = $user.Name
    $emailaddress = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet

    # Start from the domain default on every iteration so a fine-grained policy
    # applied to the previous user does not leak into this one
    $maxPasswordAge = $defaultMaxPasswordAge

    # Check for Fine Grained Password Policy (PSO) applied to this user
    $PasswordPol = Get-ADUserResultantPasswordPolicy $user
    if ($null -ne $PasswordPol)
    {
        $maxPasswordAge = $PasswordPol.MaxPasswordAge
    }

    $expireson = $passwordSetDate + $maxPasswordAge
    $today = Get-Date
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days

    # Set Greeting based on Number of Days to Expiry
    if ($daystoexpire -ge 1)
    {
        $messageDays = "in $daystoexpire days."
    }
    else
    {
        $messageDays = "today."
    }

    # Email Subject Set Here
    $subject = "Your password will expire $messageDays"

    # Email Body Set Here, Note You can use HTML, including Images.
    $body = "
    Dear $Name,
    <p> Your Password will expire $messageDays.<br>
    To change your password on a PC press CTRL ALT Delete and choose Change Password <br>
    <p>Thanks, <br>
    </p>"

    # If Testing Is Enabled - Email Administrator
    if ($testing -eq "Enabled")
    {
        $emailaddress = $testRecipient
    } # End Testing

    # If a user has no email address listed
    if ([string]::IsNullOrEmpty($emailaddress))
    {
        $emailaddress = $testRecipient
    } # End No Valid Email

    # Send Email Message
    if (($daystoexpire -ge 0) -and ($daystoexpire -lt $expireindays))
    {
        # If Logging is Enabled Log Details
        if ($logging -eq "Enabled")
        {
            Add-Content $logFile "$date,$Name,$emailaddress,$daystoexpire,$expireson"
        }
        # Send Email Message
        Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High

    } # End Send Message

} # End User Processing

# End
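For the per-user check the question actually asked about (warn the signed-in user at request time rather than by scheduled email), the added example below is not part of the answer or of the TechNet script; it asks AD for the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for fine-grained policies, and handles the "never expires" and "must change at next logon" cases that adding MaxPasswordAge to PasswordLastSet does not. The function name and the 20-day threshold are assumptions; it requires the ActiveDirectory module, and a SharePoint page could call it server-side with the authenticated user's sAMAccountName.

```powershell
Import-Module ActiveDirectory

# Returns the number of whole days until the account's password expires,
# $null if the password never expires, or 0 if it is already due.
# Hypothetical helper added for this Q&A; not from the TechNet script.
function Get-DaysUntilPasswordExpiry
{
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Domain or PSO flag "password never expires": nothing to warn about.
    if ($u.PasswordNeverExpires) { return $null }

    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'

    # AD reports Int64.MaxValue when no expiry applies; FromFileTime would throw on it.
    if ($raw -eq [int64]::MaxValue) { return $null }

    # A 0 / missing value means pwdLastSet is 0 (must change at next logon):
    # treat as already due so the caller warns immediately (assumption).
    if ($raw -le 0) { return 0 }

    $expiresOn = [datetime]::FromFileTime($raw)
    $days = (New-TimeSpan -Start (Get-Date) -End $expiresOn).Days
    if ($days -lt 0) { return 0 }
    return $days
}

# Decides whether the portal should show the reminder; threshold is an assumption
# matching the 20 days in the question.
function Test-ShouldWarnPasswordExpiry
{
    param([string]$SamAccountName, [int]$WarnWithinDays = 20)

    $days = Get-DaysUntilPasswordExpiry -SamAccountName $SamAccountName
    if ($null -eq $days) { return $false }
    return ($days -le $WarnWithinDays)
}

# Example usage with a constructed account name:
# if (Test-ShouldWarnPasswordExpiry -SamAccountName 'jdoe') { 'Show reminder banner' }
```

Because the reminder is computed on every request rather than emailed once, store a "dismissed on" timestamp (for example in the user profile, as the question suggests) to avoid showing the alert on every page load.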