Password expiry notification

ADMan can notify users via email when their password is about to expire in AD. The notification threshold and interval are configurable, along with the templated message to be sent.

Actions

For every user whose password is not marked as “never expires” (in userAccountControl) and whose password has been set at least once, ADMan sends an email when the password is about to expire in a given number of days.

Note

This requires the user’s mail attribute to be set.

Configuration

The following configuration options (keys) exist under password_expiry_notification:

| Config Key | Type | Default | Description |
|---|---|---|---|
| days | int or list<int> | (required) | A list of the number of days before a user’s password expires that they should be notified |
| template_file | path | (required) | Path to template message to send via email |

The template file uses Python template strings to provide expansion of the following variables:

| Variable | Description |
|---|---|
| ${cn} | User common name (e.g., jsmith) |
| ${upn} | User Principal Name (e.g., jsmith@example.com) |
| ${expire_days} | The number of days before the user’s password expires (with the word “days”) |
| ${expire_time} | The date/time when the user’s password will expire |

Example configuration

password_expiry_notification:
  # Users should be notified each time their password expires
  # in this many days
  days: [7, 3, 2, 1, 0]


  # The template to use for sending mail
  template_file: example_pwnotify.tmpl

Example template

Hi ${cn},

Your Active Directory password for ${upn} will expire in ${expire_days}
at ${expire_time}.

Please change your password before this time:
- Windows: Ctrl+Alt+Delete, "Change a Password"
- Linux: "kpasswd"
- Browser: https://passwd.ad-test.vx

Thank you,
Sysadmin
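
The selection rules under Actions and the template expansion, sketched as an added example that is not ADMan's own code. It also flags placeholders that the variable table does not list, which catches template typos before any mail is sent. Assumptions: expiry is computed as pwdLastSet plus one domain-wide maximum password age (90 days here), and the helper names, sample records and clock are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from string import Template

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "password never expires"
DOCUMENTED_VARS = {"cn", "upn", "expire_days", "expire_time"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def unknown_placeholders(text):
    """Placeholder names in a template that the variable table does not list."""
    found = {m.group("named") or m.group("braced")
             for m in Template.pattern.finditer(text)}
    return found - DOCUMENTED_VARS - {None}

def filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC), for sample data."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def build_notice(user, now, days, max_age, text):
    """Rendered mail body, or None when no notice is due (hypothetical helper)."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None  # password marked "never expires"
    if user["pwdLastSet"] == 0 or not user.get("mail"):
        return None  # password never set, or no mail attribute to send to
    last_set = EPOCH_1601 + timedelta(microseconds=user["pwdLastSet"] // 10)
    expires = last_set + max_age  # assumption: one domain-wide maximum password age
    left = (expires - now).days
    if left not in days:
        return None
    # substitute() raises KeyError on an unknown ${name} rather than mailing it as-is
    return Template(text).substitute(
        cn=user["cn"], upn=user["userPrincipalName"], expire_days=f"{left} days",
        expire_time=expires.strftime("%Y-%m-%d %H:%M UTC"))

# Constructed sample data: clock, policy, template and directory records.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)
DAYS = [7, 3, 2, 1, 0]
TEMPLATE = "Hi ${cn}, your password for ${upn} expires in ${expire_days} at ${expire_time}."
SET_AT = filetime(NOW - timedelta(days=86, hours=12))  # expires in 3 days 12 hours
USERS = [
    {"cn": "jsmith", "userPrincipalName": "jsmith@example.com",
     "mail": "jsmith@example.com", "userAccountControl": 0x200, "pwdLastSet": SET_AT},
    {"cn": "svc_backup", "userPrincipalName": "svc_backup@example.com",
     "mail": "ops@example.com", "userAccountControl": 0x10200, "pwdLastSet": SET_AT},
    {"cn": "newhire", "userPrincipalName": "newhire@example.com",
     "mail": "newhire@example.com", "userAccountControl": 0x200, "pwdLastSet": 0},
]

NOTICES = {u["cn"]: build_notice(u, NOW, DAYS, MAX_AGE, TEMPLATE) for u in USERS}
```

Only jsmith receives a notice in this sample; svc_backup is exempt through the "never expires" bit and newhire has never set a password.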

Commands

Relevant CLI commands: