Enforcing a policy for regular password changes is no longer recommended, as it can result in more helpdesk requests due to expired passwords, especially for VPN users, and may actually undermine security. However, timely notifications can help mitigate issues when password changes are necessary. Learn how to notify users with Group Policy or a PowerShell script.
Microsoft has removed the policy for regular password changes from the Windows security baseline. However, changing passwords if they may have been compromised is strongly advised.
Notifying VPN users
Regardless of the reason for a required password change, it's beneficial for users to receive advance notification. This is especially important for users working remotely or from home who connect via VPN.
When a password has expired, problems can occur during login with cached credentials, especially if the VPN software doesn't permit changing the AD password. Ideally, users should be able to reset their passwords through a self-service portal.
Without such a solution, you can notify users through a Group Policy. Alternatively, a PowerShell script can email users about their password expiration.
Reminding users with Group Policy
Group Policy offers the following settings to notify users of an upcoming password change:
- Interactive logon: Prompt user to change password before expiration
It can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
You can set a notification period from 1 to 999 days, during which users will receive a message about their expiring password. This will appear as a toast notification only after users log in.
However, users who have not connected to the Active Directory (AD) for some time might miss this hint.
Sending email notifications with PowerShell
You can use the PowerShell script below to identify users whose passwords are set to expire within a specified timeframe and notify them via email. This method enables users to connect to the domain and change their passwords before they expire.
Get-ADUser filters out accounts that don't require a password or have passwords that never expire. The script then reads the msDS-UserPasswordExpiryTimeComputed attribute.
The value represents the password expiration date as the number of 100-nanosecond intervals since January 1, 1601. To determine the notification date, convert this value into a date object and subtract the desired number of days.
```powershell
# Notify x days before expiration date
$DaysBefore = 3

# Skip accounts whose password never expires or is not required at all.
# msDS-UserPasswordExpiryTimeComputed is a constructed attribute, so it must be requested explicitly.
Get-ADUser -Filter 'PasswordNeverExpires -eq $false -and PasswordNotRequired -eq $false' `
    -Properties msDS-UserPasswordExpiryTimeComputed, Mail, PasswordLastSet |
Where-Object {
    # A missing value or the "never expires" sentinel (0x7FFFFFFFFFFFFFFF) cannot be converted by FromFileTime,
    # and an account without a mail attribute cannot be notified.
    $null -ne $_.'msDS-UserPasswordExpiryTimeComputed' -and
    $_.'msDS-UserPasswordExpiryTimeComputed' -lt [long]::MaxValue -and
    -not [string]::IsNullOrWhiteSpace($_.Mail) -and
    # FILETIME = 100-nanosecond intervals since 1601-01-01; compare calendar dates only
    ([datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')).Date -eq (Get-Date).AddDays($DaysBefore).Date
} | ForEach-Object {
    Send-MailMessage -To $_.Mail -From "Admin <admin@contoso.de>" -Subject "Your password is expiring" `
        -Body "Your password will expire in $DaysBefore days. Please change your password as soon as possible!" -SmtpServer smtp.contoso.com
}
```
The script then emails each account whose password expires exactly $DaysBefore days from today. Because the comparison is on the calendar date, running the script once a day notifies each user exactly once.
If using the regular company mail server is not an option, you can use the free SMTP server E-MailRelay.
E-MailRelay can be configured to send messages without authentication. If authentication is needed, credentials can be stored in a file or a secure vault.
To run the script automatically once a day, set it up as a scheduled task.
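The following is an added example, not code from the original article. It extends the script above to a notification window ("expires within N days" instead of on exactly one day), returns the matches as objects so they can be reviewed before anything is sent, and authenticates against a relay such as E-MailRelay with credentials stored in a DPAPI-protected file. The relay host, credential path, log path and sender address are assumptions.

```powershell
# Added example (not from the original article). Assumed: relay host, credential
# file path, log path and sender address.
Import-Module ActiveDirectory

function Get-ExpiringPasswordUser {
    param(
        [int]$WithinDays = 7,
        [datetime]$Now = (Get-Date)
    )
    # 0x7FFFFFFFFFFFFFFF is returned when the password has no expiry
    # (e.g. a fine-grained password policy without a maximum age); FromFileTime rejects it.
    $NoExpiry = [long]::MaxValue

    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordNotRequired -eq $false' `
        -Properties msDS-UserPasswordExpiryTimeComputed, Mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -eq $raw -or $raw -ge $NoExpiry -or [string]::IsNullOrWhiteSpace($_.Mail)) { return }
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Ceiling(($expires - $Now).TotalDays)
        # Only passwords that are still valid and expire inside the window
        if ($daysLeft -ge 0 -and $daysLeft -le $WithinDays) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Mail           = $_.Mail
                ExpiresOn      = $expires
                DaysLeft       = $daysLeft
            }
        }
    }
}

# The relay credential was saved once, under the account that runs the scheduled task, with:
#   Get-Credential | Export-Clixml -Path 'C:\Scripts\relay.cred'
# Export-Clixml protects the password with DPAPI, so only that account on that machine can read it.
$RelayCred = Import-Clixml -Path 'C:\Scripts\relay.cred'   # assumed path

Get-ExpiringPasswordUser -WithinDays 7 | ForEach-Object {
    $body = "Your password expires on $($_.ExpiresOn.ToString('yyyy-MM-dd')) " +
            "($($_.DaysLeft) day(s) from now). Please connect to the VPN and change it before then."
    Send-MailMessage -To $_.Mail -From 'Admin <admin@contoso.de>' `
        -Subject "Password expires in $($_.DaysLeft) day(s)" -Body $body `
        -SmtpServer 'relay.contoso.com' -Port 587 -UseSsl -Credential $RelayCred
    # Keep a record of who was notified so a daily scheduled run can be audited
    "$(Get-Date -Format s) notified $($_.SamAccountName) (expires $($_.ExpiresOn))" |
        Add-Content -Path 'C:\Scripts\password-notify.log'   # assumed path
}
```

To preview the result without sending mail, run `Get-ExpiringPasswordUser -WithinDays 7 | Format-Table` on its own.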
Summary
While regular password changes are no longer recommended, notifying users in advance of necessary password expirations can help reduce helpdesk requests.
Group Policy offers an easy solution, allowing administrators to specify the number of days before expiration when a warning message is shown to logged-in users.
However, a PowerShell script offers greater flexibility, sending email notifications to users even if their computers are not connected to a domain controller.