Habitat Windows Domain Password Expiration Manager

Support forums for the Habitat Automate plugin


Post by Cubert »

Manage Windows Domain Passwords That Are Expiring

[Image: WindowsDomainPasswordExpiredClientConsole.PNG]

This tool is used to monitor the password expiration dates for Windows Active Directory users that meet the requirements. The tool will send out an email (X) days before the user's password expires, with an email body that you can design in the plugin. The email is HTML based, so it can contain links to images and to things like the Web Remote Desktop - Remote Password tool in your domain.

This is how it works:

In the main console, select the Configure button to configure your domain information. If you are not configured at all, or if your LDAP information is blank, then no automated scans will be run on the client. The "Notify Users" setting turns the emailing of users on and off, but not the monitoring scans. This means you can use the plugin just to capture the data for your review without any notifications.

Monitoring scans are scheduled twice daily on the Windows Domain Controller you select in the plugin configuration. Emails are sent once, on the day(s) before the expiration, after 12 pm. For the scans to work they require PowerShell version 3 or greater. Only select Windows Domain Controllers that have at least PowerShell 3 installed, or the scanning scripts will exit with PowerShell 3 requirement errors.

Once configured and the first scan has completed, you should see users if your LDAP settings are accurate and the requirements are met. There's that "requirements" thing again!

What's the requirements thing?

The scans only look for a particular group of users that meet a given set of requirements. These requirements help filter out users that would otherwise not benefit from this service.
  • Users must have a password that will actually expire! If the user is set to never expire, they will not show up in the list.
  • Users must be able to update or change their passwords! If the user is set to "Cannot change password", they will not show up in the list.
  • The user must not be disabled! If the user is disabled, we will not show the user in the list.
  • Users must have the "Email" property set with a valid email. This is separate from the "UPN" property that is set when users are added to the directory.
If a user is in the LDAP directory provided and meets these requirements, then they should be exposed in the list. Any users listed in red are expired or expiring now.

You can select a user from the main view and send a single direct email to them as a manual process that will be executed on the Domain Controller within a few minutes.

[Image: WindowsDomainPasswordExpiredClientConfigure.PNG]

To Configure:

Select from the available Domain Controllers in the list provided. If no agents are listed, then we are not seeing any Windows Active Directory servers for that client.

How many days to notify before expired? This sets the number of days before the user's password expires that the automated service should send the given email to the user.

The LDAP directory root: this should be the container that houses the root of your users. The format is required to be LDAP compatible, as seen in the image above.

The email body is where you can craft an HTML based email that will be used to let the user know their password is about to expire. You can put in any HTML code you like and then use the email viewer to see how it will appear to the users. We have 2 master variables you can add to your email ( @MYNAME@ and @DAYSLEFT@ ). These 2 variables allow you to dynamically embed the current name of the user and their number of days left, so that emails are personalized to the user receiving them.
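As an added illustration (not the plugin's own script), the following PowerShell shows how the four user requirements listed above and the @MYNAME@/@DAYSLEFT@ template substitution can be reproduced on a Domain Controller with the ActiveDirectory module and PowerShell 3 or later; the search base, day threshold and HTML body are constructed placeholder values.

```powershell
#Requires -Version 3
# Added example, not the plugin's code. Lists AD users whose password is expiring
# under the same requirements the plugin applies, and expands the email template.
Import-Module ActiveDirectory

# Constructed values: replace with your own LDAP root, threshold and HTML body.
$SearchBase   = 'OU=Users,DC=example,DC=com'
$DaysToNotify = 7
$BodyTemplate = '<p>Hello @MYNAME@, your password expires in @DAYSLEFT@ day(s).</p>'

function Get-ExpiringPasswordUsers {
    param([string]$SearchBase, [int]$DaysToNotify)

    # Server-side filter: enabled, password expires, "Email" (mail) attribute set.
    # The mail attribute is separate from the UPN, as the post notes.
    $users = Get-ADUser -SearchBase $SearchBase `
        -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false -and mail -like '*' } `
        -Properties mail, CannotChangePassword, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($u in $users) {
        # CannotChangePassword is derived from the object ACL, so check it client-side.
        if ($u.CannotChangePassword) { continue }
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon"; Int64 max means no computed expiry.
        if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { continue }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [int][Math]::Floor(($expires - (Get-Date)).TotalDays)
        if ($daysLeft -le $DaysToNotify) {
            [PSCustomObject]@{
                Name     = $u.Name
                Email    = $u.mail
                Expires  = $expires
                DaysLeft = $daysLeft
                Expired  = ($daysLeft -lt 0)   # the console shows these in red
            }
        }
    }
}

function Expand-NotificationBody {
    param([string]$Template, [string]$Name, [int]$DaysLeft)
    # Token replacement; the display name is HTML-encoded so that markup
    # characters in a name cannot alter the HTML email body.
    $safeName = [System.Net.WebUtility]::HtmlEncode($Name)
    $Template.Replace('@MYNAME@', $safeName).Replace('@DAYSLEFT@', [string]$DaysLeft)
}

Get-ExpiringPasswordUsers -SearchBase $SearchBase -DaysToNotify $DaysToNotify |
    ForEach-Object { "$($_.Email): " + (Expand-NotificationBody $BodyTemplate $_.Name $_.DaysLeft) }
```

Run it with "Notify Users" off to compare its output against the plugin's list before enabling email delivery.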
