{"id":6623,"date":"2012-12-18T08:00:00","date_gmt":"2012-12-18T06:00:00","guid":{"rendered":"http:\/\/nolabnoparty.com\/?p=6623"},"modified":"2014-09-19T09:34:06","modified_gmt":"2014-09-19T07:34:06","slug":"password-expiry-notification-at-logon-in-windows-7","status":"publish","type":"post","link":"https:\/\/nolabnoparty.com\/en\/password-expiry-notification-at-logon-in-windows-7\/","title":{"rendered":"Password expiry notification at logon in Windows 7"},"content":{"rendered":"<p><img decoding=\"async\" style=\"margin: 10px auto 5px; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border-width: 0px;\" title=\"notifypsw01\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw01.jpg\" alt=\"notifypsw01\" width=\"602\" height=\"202\" border=\"0\" \/><\/p>\n<p>In Windows 7 the<strong> password expiry notification<\/strong>\u00a0is shown just for a few seconds in the bottom right of the screen, five days in advance by default.<\/p>\n<p>Unfortunately the <strong>notification message is not so visible<\/strong> and it is often hard to notice. The consequence is that the password expires, making the network services\u00a0inaccessible to the user.<\/p>\n<p><!--more--><\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw02\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw02.jpg\" alt=\"notifypsw02\" width=\"536\" height=\"127\" border=\"0\" \/><\/p>\n<p>To address this situation and give a clearer notification, a\u00a0<strong>popup during login and an email<\/strong> sent to the user's mailbox could help.<\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"color: #666666;\">Display a popup at logon<\/span><\/h2>\n<p>Showing a <strong>popup during login<\/strong> could be a first solution. 
This target can be achieved using a\u00a0<strong>script .vbs launched with GPO<\/strong>.<\/p>\n<p>In the script below, the\u00a0<strong><span style=\"color: #0000a0;\">warningDays<\/span><\/strong>\u00a0<strong>variable<\/strong> specifies how many days before the password expires the notification popup is shown.<\/p>\n<pre class=\"lang:default decode:true brush: vb; gutter: true\">'========================================\r\n' First, get the domain policy.\r\n'========================================\r\nDim oDomain\r\nDim oUser\r\nDim maxPwdAge\r\nDim numDays\r\nDim warningDays\r\nwarningDays = 14\r\nSet LoginInfo = CreateObject(\"ADSystemInfo\") \r\nSet objUser = GetObject(\"LDAP:\/\/\" &amp; LoginInfo.UserName &amp; \"\") \r\n\r\nstrDomainDN = UCase(LoginInfo.DomainDNSName) \r\nstrUserDN = LoginInfo.UserName\r\n\r\nSet oDomain = GetObject(\"LDAP:\/\/\" &amp; strDomainDN)\r\nSet maxPwdAge = oDomain.Get(\"maxPwdAge\")\r\n\r\n'========================================\r\n' Calculate the number of days that are\r\n' held in this value.\r\n'========================================\r\nnumDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + _\r\nmaxPwdAge.LowPart) \/ CCur(-864000000000)\r\n'WScript.Echo \"Maximum Password Age: \" &amp; numDays\r\n\r\n'========================================\r\n' Determine the last time that the user\r\n' changed his or her password.\r\n'========================================\r\nSet oUser = GetObject(\"LDAP:\/\/\" &amp; strUserDN)\r\n\r\n'========================================\r\n' Add the number of days to the last time\r\n' the password was set.\r\n'========================================\r\nwhenPasswordExpires = DateAdd(\"d\", numDays, oUser.PasswordLastChanged)\r\nfromDate = Date\r\ndaysLeft = DateDiff(\"d\",fromDate,whenPasswordExpires)\r\n\r\n'WScript.Echo \"Password Last Changed: \" &amp; oUser.PasswordLastChanged\r\nif (daysLeft &lt; warningDays) and (daysLeft &gt; -1) then\r\nMsgbox \"La password scade tra \" &amp; daysLeft 
&amp; \" giorni\" &amp; \" il \" &amp; _\r\n  whenPasswordExpires &amp;chr(13) &amp; chr(13) &amp; \"Premi CTRL + ALT + CANC \" &amp;_\r\n    \"e seleziona l'opzione 'Cambia password'.\", 0, \"AVVISO SCADENZA PASSWORD\"\r\nEnd if\r\n\r\n'========================================\r\n' Clean up.\r\n'========================================\r\nSet oUser = Nothing\r\nSet maxPwdAge = Nothing\r\nSet oDomain = Nothing<\/pre>\n<p>To execute the <strong>script during login<\/strong>, create a new GPO with the tool\u00a0<strong>Group Policy Management<\/strong>. Right click <strong>Group Policy Objects<\/strong> item and select<strong> New<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw03\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw03.jpg\" alt=\"notifypsw03\" width=\"600\" height=\"365\" border=\"0\" \/><\/p>\n<p>Type a <strong>Name<\/strong> for the new GPO then click\u00a0<strong>OK<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw04\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw04.jpg\" alt=\"notifypsw04\" width=\"390\" height=\"173\" border=\"0\" \/><\/p>\n<p>Edit the GPO and select <strong>User Configuration &gt; Policies &gt; Windows Settings &gt; Scripts (Logon\/Logoff)<\/strong>\u00a0option and right click <strong>Logon &gt; Properties<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw05\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw05.jpg\" alt=\"notifypsw05\" width=\"600\" 
height=\"374\" border=\"0\" \/><\/p>\n<p>In the <strong>Scripts\u00a0<\/strong>section, click\u00a0<strong>Add<\/strong>\u00a0and specify the <strong>.vbs file<\/strong>\u00a0to be used through the\u00a0<strong>Browse<\/strong>\u00a0button.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw06\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw06.jpg\" alt=\"notifypsw06\" width=\"498\" height=\"458\" border=\"0\" \/><\/p>\n<p>Select the script then click\u00a0<strong>Open<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw07\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw07.jpg\" alt=\"notifypsw07\" width=\"600\" height=\"417\" border=\"0\" \/><\/p>\n<p>Once the script<strong> .vbs<\/strong> has been set, click\u00a0<strong>OK<\/strong>\u00a0to save the configuration.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw08\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw08.jpg\" alt=\"notifypsw08\" width=\"404\" height=\"448\" border=\"0\" \/><\/p>\n<p><strong>Link the new GPO<\/strong>\u00a0to the correct OU.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw09\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw09.jpg\" alt=\"notifypsw09\" width=\"390\" height=\"306\" border=\"0\" \/><\/p>\n<p>When the user <strong>logs into the system<\/strong>, 
the script displays the <strong>popup notification<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw10\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw10.jpg\" alt=\"notifypsw10\" width=\"371\" height=\"152\" border=\"0\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"color: #666666;\">Sending a notification email<\/span><\/h2>\n<p>To make the password notification as clear as possible, in addition to the popup during the login, we could <strong>also send an email<\/strong> to the user's mailbox.<\/p>\n<p>The email is sent using a\u00a0<strong>PowerShell script<\/strong>\u00a0launched at logon. The script in the example has been taken from the\u00a0<a href=\"http:\/\/www.rlmueller.net\/PasswordExpires.htm\" target=\"_blank\" rel=\"noopener\">www.rlmueller.net<\/a>\u00a0website and customized to match the network environment.<\/p>\n<pre class=\"lang:default decode:true brush: vb; gutter: true \">Trap {\"Error: $_\"; Break;}\r\n\r\n# Specify number of days. 
Any users whose passwords expire within\r\n# this many days after today will be processed.\r\n$intDays = 14\r\n\r\n# Email settings.\r\n$Script:From = \"myemailaddress@mydomain.com\"\r\n$Script:Subject = \"Password Expiration Notice\"\r\n$Server = \"smtp.mydomain.com\"\r\n$Port = 25\r\n$Client = New-Object System.Net.Mail.SmtpClient $Server, $Port\r\n# You may need to provide credentials.\r\n$Client.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials\r\n\r\nFunction SendEmail($To, $Body)\r\n{\r\n    $Message = New-Object System.Net.Mail.MailMessage `\r\n        $Script:From, $To, $Script:Subject, $Body\r\n    $Client.Send($Message)\r\n}\r\n\r\n# Retrieve Domain maximum password age policy, in days.\r\n$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()\r\n$Domain = [ADSI]\"LDAP:\/\/$D\"\r\n$MPA = $Domain.maxPwdAge.Value\r\n# Convert to Int64 ticks (100-nanosecond intervals).\r\n$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)\r\n# Convert to days.\r\n$MaxPwdAge = -$lngMaxPwdAge\/(600000000 * 1440)\r\n\r\n# Determine the password last changed date such that the password\r\n# would just now be expired. 
We will not process any users whose\r\n# password has already expired.\r\n$Now = Get-Date\r\n$Date1 = $Now.AddDays(-$MaxPwdAge)\r\n\r\n# Determine the password last changed date such that the password\r\n# will expire $intDays in the future.\r\n$Date2 = $Now.AddDays($intDays - $MaxPwdAge)\r\n\r\n# Convert from PowerShell ticks to Active Directory ticks.\r\n$64Bit1 = $Date1.Ticks - 504911232000000000\r\n$64Bit2 = $Date2.Ticks - 504911232000000000\r\n\r\n$Searcher = New-Object System.DirectoryServices.DirectorySearcher\r\n$Searcher.PageSize = 200\r\n$Searcher.SearchScope = \"subtree\"\r\n\r\n# Filter on user objects where the password expires between the\r\n# dates specified, the account is not disabled, password never\r\n# expires is not set, password not required is not set.\r\n# and password cannot change is not set.\r\n$Searcher.Filter = \"(&amp;(objectCategory=person)(objectClass=user)\" `\r\n    + \"(pwdLastSet&gt;=\" + $($64Bit1) + \")\" `\r\n    + \"(pwdLastSet&lt;=\" + $($64Bit2) + \")\" `\r\n    + \"(!userAccountControl:1.2.840.113556.1.4.803:=2)\" `\r\n    + \"(!userAccountControl:1.2.840.113556.1.4.803:=65536)\" `\r\n    + \"(!userAccountControl:1.2.840.113556.1.4.803:=32)\" `\r\n    + \"(!userAccountControl:1.2.840.113556.1.4.803:=48))\"\r\n\r\n$Searcher.PropertiesToLoad.Add(\"sAMAccountName\") &gt; $Null\r\n$Searcher.PropertiesToLoad.Add(\"pwdLastSet\") &gt; $Null\r\n$Searcher.PropertiesToLoad.Add(\"mail\") &gt; $Null\r\n$Searcher.PropertiesToLoad.Add(\"proxyAddresses\") &gt; $Null\r\n# distinguishedName is needed for the \"no email\" report line below.\r\n$Searcher.PropertiesToLoad.Add(\"distinguishedName\") &gt; $Null\r\n$Searcher.SearchRoot = \"LDAP:\/\/\" + $Domain.distinguishedName\r\n\r\n$Results = $Searcher.FindAll()\r\nForEach ($Result In $Results)\r\n{\r\n    $Name = $Result.Properties.Item(\"sAMAccountName\")\r\n    $PLS = $Result.Properties.Item(\"pwdLastSet\")\r\n    $Mail = $Result.Properties.Item(\"mail\")\r\n    $Addresses = $Result.Properties.Item(\"proxyAddresses\")\r\n    $DN = $Result.Properties.Item(\"distinguishedName\")\r\n    If ($PLS.Count -eq 0)\r\n    {\r\n        $Date = [DateTime]0\r\n    }\r\n    Else\r\n    {\r\n        # 
Interpret 64-bit integer as a date.\r\n        $Date = [DateTime]$PLS.Item(0)\r\n    }\r\n    # Convert from .NET ticks to Active Directory Integer8 ticks.\r\n    # Also, convert from UTC to local time.\r\n    $PwdLastSet = $Date.AddYears(1600).ToLocalTime()\r\n    # Determine when password expires.\r\n    $PwdExpires = $PwdLastSet.AddDays($MaxPwdAge)\r\n\r\n    # Determine email address.\r\n    If (\"$Mail\" -eq \"\")\r\n    {\r\n        ForEach ($Address In $Addresses)\r\n        {\r\n            $Prefix = $Address.SubString(0, 5)\r\n            If (($Prefix -ceq \"SMTP:\") -or ($Prefix -ceq \"X400:\"))\r\n            {\r\n                $Mail = $Address.SubString(5)\r\n                Break\r\n            }\r\n        }\r\n    }\r\n    If (\"$Mail\" -ne \"\")\r\n    {\r\n        $Notice = \"Password for user $Name must be changed by $PwdExpires\"\r\n        SendEmail $Mail $Notice\r\n        \"Email sent to $Name ($Mail), password expires $PwdExpires\"\r\n    }\r\n    Else\r\n    {\r\n        \"$Name has no email, but password expires $PwdExpires\"\r\n        \"DN: $DN\"\r\n    }\r\n}<\/pre>\n<p>The script is added to the\u00a0previously\u00a0created GPO by editing the option\u00a0<strong>User Configuration &gt; Policies &gt; Windows Settings &gt; Scripts (Logon\/Logoff)<\/strong>. Right click <strong>Logon &gt; Properties<\/strong>.<\/p>\n<p>Select the\u00a0<strong>PowerShell Scripts<\/strong>\u00a0pane and click\u00a0<strong>Add<\/strong>. 
Click the <strong>Browse<\/strong>\u00a0button and this time select the\u00a0<strong>.ps1 script<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw11\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw11.jpg\" alt=\"notifypsw11\" width=\"484\" height=\"448\" border=\"0\" \/><\/p>\n<p>Select the <strong>.ps1<\/strong>\u00a0script then click\u00a0<strong>Open<\/strong>.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; float: none; padding-top: 0px; border-width: 0px;\" title=\"notifypsw12\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw12.jpg\" alt=\"notifypsw12\" width=\"600\" height=\"416\" border=\"0\" \/><\/p>\n<p>If you are going to use both solutions, you can set the script execution order\u00a0with the option \u201c<strong>For this GPO, run scripts in the following order<\/strong>\u201d. 
Click\u00a0<strong>OK<\/strong>\u00a0to save the configuration.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw13\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw13.jpg\" alt=\"notifypsw13\" width=\"404\" height=\"448\" border=\"0\" \/><\/p>\n<p>At logon,\u00a0<strong>in addition to the popup<\/strong>\u00a0the user will also receive a <strong>notification email\u00a0<\/strong>in his\/her mailbox.<\/p>\n<p><img decoding=\"async\" style=\"padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px; border-width: 0px;\" title=\"notifypsw14\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2012\/12\/notifypsw14.jpg\" alt=\"notifypsw14\" width=\"600\" height=\"209\" border=\"0\" \/><\/p>\n<p>Whether to notify the password expiration with a popup, with an email or with both solutions depends on <strong>corporate policies and needs<\/strong>. 
You could set the system to show only the popup initially and add the email later.<\/p>\n<p>&nbsp;<\/p>\n<h4>Update\u00a025\/08\/2014<\/h4>\n<p>To run the PowerShell script without generating a new batch of emails every time a user logs on to the system, remove the script from the GPO and run it once a day with the\u00a0<strong>Windows\u00a0Task Scheduler<\/strong>.<\/p>\n<p>Create a new task\u00a0in the\u00a0Task Scheduler and set the parameters as follows:<\/p>\n<ul>\n<li>Action: Start a program<\/li>\n<li>Program\/Script: powershell.exe<\/li>\n<li>Add arguments (optional): -f \u201cC:\\Scripts\\psw_warning_email.ps1\u201d<\/li>\n<\/ul>\n<p>Configure the execution with the following options:<\/p>\n<ul>\n<li>Use the following user account:\u00a0<em>a Domain Admin account<\/em><\/li>\n<li>Run whether user is logged on or not<\/li>\n<li>Run with highest privileges<\/li>\n<\/ul>\n<p>Note that the script only needs to read user attributes from Active Directory and to submit messages to the SMTP server, so a dedicated account with just those rights is sufficient for the task and limits the impact if the credentials stored with the scheduled task are exposed.<\/p>\n<p>&nbsp;<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/images\/firma.jpg\" alt=\"\" title=\"\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Windows 7 the password expiry notification\u00a0is shown just for a few seconds in the bottom right of the screen, five days in advance by default. Unfortunately the notification message is not so visible and it is often hard to notice. 
The consequence is that the password expires, making the network services\u00a0inaccessible to the user.<\/p>\n","protected":false},"author":3,"featured_media":5577,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"linkedin_93tdZWzMZc_93tdZWzMZc":"","facebook_2879994398731222_17841400390232720":"","twitter_113568041_113568041":"","mastodon_115463926174894442_115463926174894442":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":""},"categories":[913,1065],"tags":[663,605,607,602],"class_list":["post-6623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory-en","category-microsoft-en","tag-expiry","tag-gpo-en","tag-notification-en","tag-password-en","has_thumb"],"_links":{"self":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/6623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/comments?post=6623"}],"version-history":[{"count":0,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/6623\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media\/5577"}],"wp:attachment":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media?parent=6623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/categories?post=6623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/tags?post=6623"}],"curies":[{"nam
e":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}