We're running a similar product and are looking at what options are available to us. An email script is good, but hypothetically, a user could come back from vacation or from maternity leave, not check their email and still get the pop up box to change their password when they come back.

In our testing we found that if you set the password to never expire, but actually expire the account, they will get a prompt that their account has expired when they try to log in, but need to contact their SA for assistance, or something to that effect. At that point, there is an escape sequence that the user can do to get to the password management system, answer some challenge questions, and then change their password. This will also unexpire their account. Or they would contact our help desk for instructions.

We're still using a script to email notifications to the user, but actually using the same script to expire the account instead of the native GINA. I know it sounds like a hassle, and probably a whole bunch of calls to the help desk, but that appears to be the only way we can get them to use a single point for their password management. If anyone can think of a better way to do this, definitely let me know.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 22, 2005 10:11 AM
To: [email protected]
Subject: RE: [ActiveDir] Password Expiration Prompt

I've used this in that situation. You can change it from the three days on there to whatever you like and since it uses subtree search, you can use either a specific OU or the entire domain directory if you want. It is per domain. The script will email a notification with a link to the web page vs. doing a popup (so email is important right?) You would also have to turn off the notification in the domain to prevent the confusion. I use this script for users in a different forest than the one their workstation is in.

http://www.houseofqueues.com/CodeSamples/PassCheck.txt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 9:30 AM
To: [email protected]
Subject: [ActiveDir] Password Expiration Prompt

In our environment we use a product called Passport to synchronize password changes across multiple accounts. Our users are aware of this product and the procedures required for making a password change, however, the Default Domain GPO specifies that the user will be notified to change their password 5 days before expiration. When a user logs in and sees this message they become confused and frustrated because they think this change will apply to all accounts and passwords, which it does not. Is there a script or setting I can change that will notify the user it is time for a password change and take them directly to the Passport website to change their password?

Thanks,
Chris

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
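
The expiry-notification check discussed in this thread, as an added example that is not part of any message above and is not the PassCheck.txt script linked there. It assumes the ActiveDirectory PowerShell module and a domain that exposes the `msDS-UserPasswordExpiryTimeComputed` attribute; the OU, portal URL, SMTP server and sender address are placeholders.

```powershell
# Added example; not the PassCheck.txt script referenced in the thread.
# Requires the ActiveDirectory module (RSAT). All values below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'     # placeholder: one OU, or the domain DN for the whole domain
$WarnDays   = 3                                 # notification window, as in the thread
$PortalUrl  = 'https://passport.example.com/'   # placeholder password-management URL
$SmtpServer = 'smtp.example.com'                # placeholder
$From       = 'helpdesk@example.com'            # placeholder
$DryRun     = $true                             # list recipients without sending mail

$now    = Get-Date
$cutoff = $now.AddDays($WarnDays)
$never  = [Int64]::MaxValue   # value AD computes when the password never expires

# Subtree search under $SearchBase; accounts flagged "password never expires"
# are excluded because the native expiry date does not apply to them.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # Skip accounts with no usable computed expiry (empty, 0, or the never-expires maximum).
    if (-not $raw -or $raw -eq $never) { continue }
    $expires = [datetime]::FromFileTime($raw)
    # Only notify users whose password expires inside the window and has not expired yet.
    if ($expires -le $now -or $expires -gt $cutoff) { continue }
    if (-not $u.mail) {
        Write-Warning "$($u.SamAccountName): expires $expires but has no mail attribute"
        continue
    }
    $body = "Your password expires on $expires. Change it at $PortalUrl"
    if ($DryRun) {
        Write-Output "$($u.SamAccountName) <$($u.mail)> expires $expires"
    } else {
        Send-MailMessage -To $u.mail -From $From -SmtpServer $SmtpServer `
            -Subject 'Password expiring soon' -Body $body
    }
}
```

Users with no `mail` attribute are reported rather than silently skipped, since they are the ones who would otherwise see only the native prompt.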
