I used to be a technician and worked in Help desk. I have good memories of those days. But some are not so good. Usually what drove us (technicians) to insanity were calls related to password expiration and password lockout.
When a user calls in, explains he has a problem with a password you are there to help. You check if account is locked, if account has expired or if the user is typing the correct password. Right.
You help your users by explaining how to troubleshoot account related problems and when you think you did something great, that you helped user learn something, they call again after 30 days with the same problem.
IT support receives numerous calls about password & account lockout problems every month. Usually from the same people. When IT technicians ask users why they keep having the same problem, they usually receive the same answer. It’s not my fault. Computer did it.
If we don’t count in Issues with Domain Account lockout, problem related to password expiry can be solved easily.
All you need is an automated solution that will send email and remind users to change the password before it expires. You have to show them how many days are remaining and offer them a solution to make it easier. (I know, it can’t get easier than it is, but still). So, solution is to send email expiry notification to the users, trust me, it’s amazing when it works.
How to set up email expiry notification for free and easily
There are many ways, you can create a powershell script which would send expiry notification. But this is not that easy. What you can do, is to install one of the great programs that are awesome at what they do. You will relive burden of Helpdesk team, improve user satisfaction and improve security. Oh, and you can set up email expiry notification for free.
Manageengine ADSelfService Plus
Manageegine ADSelfService Plus is primarily a web based self service password management system. Users, once enrolled can unlock their account, change their password or change their personal details in AD. One of the features of ADSelfService plus is also Expiry notification. AD Self Service is plus has several commercial plans you can choose from, but they also offer a free version which has no limitation on password expiry notification functionality.
ADSelfserivce Plus has great email expiry features, but one that stands from the pack is that you can define multiple OU’s and create a separate email expiry policy for each.
Where this is especially useful is with Companies who are present in multiple countries. You can create one notification in one language and you can setup second notification for users in another country with different language.
To setup email content you can use AD fields like username, name, surname, days… to automatically add personal touch to email. When user will receive email, it will go something like this:
“Hi, John, do you know you have only 3 days remaining before your password expires?
You can format text via html, meaning that you can add nice colors, set text in bold or Italic or add links to the content.
You can then add a link to your intranet how to page where you explain in detail how to change a password. First time users may look at tutorial and learn, while company veterans would learn in several months.
In addition to unlimited password expiry functionally, ADSelfservice Plus Free edition has full functionally for 50 users (self service). Pretty neat. Free edition is fully supported and you will can update the program to the latest version once released.
You can find more information on ME AdselfService Plus Website.
Netwrix Password Expiration Notifier
Second tool comes from a great company called Netwrix. They have developed a simple and light utility. Netwrix Password Expiration Notifier can monitor a domain, send email expiry notifications to end users and can also send reports to administrators with a list of users and information when accounts will expire.
While utility is free it also has a commerical version. There are some limitations in free version.
- You can’t customize the notification email
- You can’t brand the notification email with your company logo
- You can’t filter by account name, Organizational Unit (OU) and groups
This tool is perfect for environments where you require a light and simple solution. You can find more information on Netwrix website.
Conclusion
I highly recommed setting up email password expiry. There are free quality solutions so you don’t have an excuse to not implment password expiry in your organization.
My experience with AD Self Service plus implementation is:
- We have received 70% less calls in the second month
- Users got used to reminders, they usually wait until 3rd or 2nd day before password expiration and then they change the password
- We only receive 10% calls related to password problems
Do you have a tool to recommend? Please let me know in the comments
Leave a Reply