Password expiry notification
ADMan can notify users via email when their password is about to expire in AD. The notification threshold and interval are configurable, along with the templated message to be sent.
Actions
For all users whose password is not marked as “never expires” (in `userAccountControl`) and whose password has ever been set, ADMan will send an email when their password is about to expire in a given number of days.
Note
This requires the user’s `mail` attribute to be set.
Configuration
The following configuration options (keys) exist under `password_expiry_notification`:
Config Key | Type | Default | Description |
---|---|---|---|
`days` | int or list<int> | (required) | A list of the number of days before a user’s password expires that they should be notified |
`template_file` |  | (required) | Path to template message to send via email |
The template file uses Python template strings to provide expansion of the following variables:
Variable | Description |
---|---|
`cn` | User common name (e.g., |
`upn` | User Principal Name (e.g., |
`expire_days` | The number of days before the user’s password expires (with the word “days”) |
`expire_time` | The date/time when the user’s password will expire |
Example configuration
```yaml
password_expiry_notification:
  # Users should be notified each time their password expires
  # in this many days
  days: [7, 3, 2, 1, 0]
  # The template to use for sending mail
  template_file: example_pwnotify.tmpl
```
Example template
```
Hi ${cn},
Your Active Directory password for ${upn} will expire in ${expire_days}
at ${expire_time}.
Please change your password before this time:
- Windows: Ctrl+Alt+Delete, "Change a Password"
- Linux: "kpasswd"
- Browser: https://passwd.ad-test.vx
Thank you,
Sysadmin
```
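The following is an added sketch, not ADMan's own code, of the selection rules under Actions combined with the template expansion described above. The `pwdLastSet`/maximum-age arithmetic, the whole-day rounding, the function names and the sample user are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from string import Template

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit for "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet epoch

# The opening of the example template from this page, embedded inline.
TEMPLATE = Template(
    "Hi ${cn},\n"
    "Your Active Directory password for ${upn} will expire in ${expire_days}\n"
    "at ${expire_time}.\n"
)

def to_filetime(dt):  # datetime -> 100 ns ticks since 1601 (for sample data)
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def password_expiry(user, max_pwd_age):
    """Return the expiry datetime, or None if the user is out of scope."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None  # password marked "never expires"
    if user["pwdLastSet"] == 0:
        return None  # password has never been set
    last_set = FILETIME_EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    return last_set + max_pwd_age

def build_notification(user, max_pwd_age, days, now):
    """Return (recipient, body) if a mail is due, else None."""
    expires = password_expiry(user, max_pwd_age)
    if expires is None or not user.get("mail"):
        return None  # nothing to expire, or no mail attribute to send to
    remaining = (expires - now).days  # whole days left (assumed rounding)
    if expires < now or remaining not in days:
        return None
    # substitute() raises KeyError on an unknown ${name}: typos fail loudly.
    body = TEMPLATE.substitute(
        cn=user["cn"], upn=user["userPrincipalName"],
        expire_days=f"{remaining} days",
        expire_time=expires.strftime("%Y-%m-%d %H:%M %Z"),
    )
    return user["mail"], body

# Constructed sample data: 90-day policy, password set 87 days ago.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ALICE = {"cn": "Alice Example", "userPrincipalName": "alice@ad-test.vx",
         "mail": "alice@example.com", "userAccountControl": 0x200,
         "pwdLastSet": to_filetime(NOW - timedelta(days=87))}

if __name__ == "__main__":
    print(build_notification(ALICE, timedelta(days=90), [7, 3, 2, 1, 0], NOW)[1])
```

Using `Template.substitute()` rather than `safe_substitute()` means a misspelled variable in the template file stops the run instead of sending users a message containing a raw `${...}` placeholder.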
Commands
Relevant CLI commands: