Windows has a built-in mechanism to warn a user that the password is about to expire. By default Windows starts warning the user 14 days before the password actually expires and must be changed. That default is effective when no other value has been configured in a GPO in AD. If you want to configure a value through a GPO, use the security option 'Interactive logon: Prompt user to change password before expiration' as shown in the picture below. Or go to this link. Any GPO can be used (it does not need to be the Default Domain Policy or the Default Domain Controllers Policy), as long as it is linked to the set of AD clients that should honor that specific setting: it is a computer setting and applies to whoever logs on to those computers. In other words, you could have one GPO targeting client computers in EMEA that warns users who log on to those computers 10 days before their password expires, and another GPO targeting client computers in APAC that warns users who log on to those computers 20 days before their password expires.
When the user logs on to the client computer, a notification like the one in the picture below is shown.
However, this setting only applies to interactive logons or Terminal Services (RDP) logons at AD clients (workstations, servers, DCs). It does not apply to other logon types. In addition, OWA may warn you while you are using it that your password is about to expire. Still, there are plenty of other reasons and scenarios in which it is useful to warn a user that the password is going to expire. One of those scenarios is a consultant working for a client. The consultant uses his own computer, which is not a member of the client's AD. The consultant does, however, have a user account in the client's AD (which is also mailbox-enabled), and from time to time that password must be changed according to the password policy. So how do you warn that user to change the password before it suddenly expires? One way is a mechanism that e-mails the user with instructions. That mechanism does not exist in AD by default: you either buy something or build something yourself. Another way is to use the tool/script that I provide as an attachment to this post.
The tool 'ADPwdExpNotify.exe' uses an INI file 'ADPwdExpNotify.ini' that must be configured for your environment before the tool is used. Environment-specific information must be provided, such as the AD domain name, the FQDN of a DC, the FQDN of the mail server, etc. In addition you can configure the tool to log its actions to a log file and to create a CSV of the accounts for which a notification is generated. An interesting feature is that the tool can run in either TEST mode or PROD mode. In TEST mode, a single (test) recipient receives by e-mail every notification the tool generates, for all users it determined must be notified. In PROD mode, EACH user receives his own notification by e-mail. This way you can run the tool in TEST mode for as long as you feel is needed to validate its output. After that you simply change the MODE from TEST to PROD in the INI file, and users start receiving their notifications by e-mail when their password is about to expire (taking into account the notification period configured in the INI file).
You need a mailbox-enabled account in AD so that it is accepted as a sender. My suggestion is to run the tool from a scheduled task. For the credentials of that task you can use a normal user account without ANY special permissions: the tool only needs to read AD and send mail, and since the scheduled task stores those credentials, a dedicated low-privilege account is the right choice anyway. However, if something goes wrong an event is written to the System Event Log, and for that the account must have permission to write to the System Event Log. If you use a monitoring tool you can watch for these events to verify that the tool is working as it should.
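As an added example, not the ADPwdExpNotify tool itself and not the post's INI format, the same idea written as a PowerShell script: select the enabled, mailbox-enabled accounts whose password expires within the notification period, mail them (to one reviewer mailbox in TEST mode, to each user in PROD mode), write a log line and a CSV, and record a failure in the event log. It assumes the ActiveDirectory RSAT module is installed and that one domain-wide maximum password age applies; every INI key, function name, address and path in it is this example's own assumption.

```powershell
# Added example, not the ADPwdExpNotify tool from the post: the same idea as a
# PowerShell script (accounts whose password expires within N days get mailed,
# TEST vs PROD mode, log + CSV, event-log entry on failure). Assumptions: the
# ActiveDirectory RSAT module is installed, one domain-wide maximum password age
# applies (no fine-grained password policies), and all INI keys, names, paths and
# addresses below are this example's own, not the post's INI format.
# INI layout expected (e.g. C:\Scripts\ADPwdExpNotify-example.ini):
#   [AD]
#   DomainController=dc01.corp.example.com
#   [Notify]
#   Days=14
#   [Mail]
#   Mode=TEST
#   SmtpServer=smtp.corp.example.com
#   From=pwdnotify@corp.example.com
#   TestRecipient=itadmin@corp.example.com
#   OwaChangeUrl=https://mail.corp.example.com/owa
#   [Log]
#   File=C:\Scripts\ADPwdExpNotify-example.log
#   Csv=C:\Scripts\ADPwdExpNotify-example.csv

function Read-IniFile {
    # Minimal INI parser: [section] headers, key=value lines, ';' or '#' comments.
    param([string]$Path)
    $ini = @{}; $section = 'global'; $ini[$section] = @{}
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $ini
}

function Get-ExpiringAccounts {
    # Pure selection logic (no AD calls), so it can be exercised on constructed objects first.
    param(
        [object[]]$Accounts,        # SamAccountName, Mail, Enabled, PasswordNeverExpires, PasswordLastSet
        [TimeSpan]$MaxPasswordAge,  # (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        [int]$NotifyDays,
        [DateTime]$Now = (Get-Date)
    )
    foreach ($a in $Accounts) {
        if (-not $a.Enabled -or $a.PasswordNeverExpires -or -not $a.Mail) { continue }
        # pwdLastSet = 0 surfaces as an empty PasswordLastSet: "must change at next logon", nothing to warn about.
        if (-not $a.PasswordLastSet) { continue }
        $expires  = $a.PasswordLastSet + $MaxPasswordAge
        $daysLeft = [int][Math]::Floor(($expires - $Now).TotalDays)
        # Negative DaysLeft means already expired: a warning would be too late, so it is skipped.
        if ($daysLeft -ge 0 -and $daysLeft -le $NotifyDays) {
            [pscustomobject]@{ SamAccountName = $a.SamAccountName; Mail = $a.Mail; Expires = $expires; DaysLeft = $daysLeft }
        }
    }
}

function Send-ExpiryNotifications {
    param([object[]]$Hits, [hashtable]$Cfg)
    $mail = $Cfg['Mail']; $mode = $mail['Mode'].ToUpper()
    foreach ($h in $Hits) {
        $body = "Your password for account $($h.SamAccountName) expires on $($h.Expires.ToString('yyyy-MM-dd')) " +
                "($($h.DaysLeft) day(s) left). Change it with CTRL+ALT+DEL on a domain computer or at $($mail['OwaChangeUrl'])."
        # TEST: every mail goes to one reviewer mailbox; PROD: to the user concerned.
        $to = if ($mode -eq 'PROD') { $h.Mail } else { $mail['TestRecipient'] }
        Send-MailMessage -SmtpServer $mail['SmtpServer'] -From $mail['From'] -To $to `
            -Subject "[$mode] Password expiry notice for $($h.SamAccountName)" -Body $body
    }
}

function Invoke-ExpiryRun {
    param([string]$IniPath)
    $cfg = Read-IniFile -Path $IniPath
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $dc     = $cfg['AD']['DomainController']
        $maxAge = (Get-ADDefaultDomainPasswordPolicy -Server $dc).MaxPasswordAge
        $users  = Get-ADUser -Server $dc -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                      -Properties PasswordLastSet, PasswordNeverExpires, mail |
                  Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires, @{ n = 'Mail'; e = { $_.mail } }
        $hits = @(Get-ExpiringAccounts -Accounts $users -MaxPasswordAge $maxAge -NotifyDays ([int]$cfg['Notify']['Days']))
        if ($cfg['Log']['Csv'])  { $hits | Export-Csv -Path $cfg['Log']['Csv'] -NoTypeInformation }
        if ($cfg['Log']['File']) { "$(Get-Date -Format s) mode=$($cfg['Mail']['Mode']) notifications=$($hits.Count)" | Add-Content -Path $cfg['Log']['File'] }
        Send-ExpiryNotifications -Hits $hits -Cfg $cfg
    }
    catch {
        # As with the post's tool, a failure is recorded in the event log for monitoring. Write-EventLog needs
        # the source registered once, by an admin: New-EventLog -LogName Application -Source 'ADPwdExpNotify-example'
        Write-EventLog -LogName Application -Source 'ADPwdExpNotify-example' -EntryType Error -EventId 1000 -Message $_.Exception.Message
        throw
    }
}

# Constructed sample (not real accounts) covering the three selection branches: an expiring
# password, a never-expiring service account and a must-change-at-next-logon account.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'consultant1'; Mail = 'c1@example.com';  Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-35) }
    [pscustomobject]@{ SamAccountName = 'svc_backup';  Mail = 'svc@example.com'; Enabled = $true; PasswordNeverExpires = $true;  PasswordLastSet = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'newhire';     Mail = 'nh@example.com';  Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $null }
)
Get-ExpiringAccounts -Accounts $sample -MaxPasswordAge ([TimeSpan]::FromDays(42)) -NotifyDays 14 -Now $now | Format-Table
```

Run as-is, the script only evaluates the constructed sample: with a 42-day maximum age and a 14-day window, consultant1 falls inside the window, svc_backup is excluded because its password never expires, and newhire is excluded because an empty PasswordLastSet means the password must be changed at next logon. A real run is `Invoke-ExpiryRun -IniPath 'C:\Scripts\ADPwdExpNotify-example.ini'` from the scheduled task, after an administrator has registered the event source once with New-EventLog; the task account itself needs nothing beyond default read access to AD and a mailbox the SMTP server accepts as sender. Two caveats: keep Mode=TEST until the CSV matches what you expect, and if the domain uses fine-grained password policies (Windows Server 2008 domain functional level or later), the per-user expiry must be read from the constructed attribute msDS-UserPasswordExpiryTimeComputed instead of adding the domain-wide maximum age to PasswordLastSet.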
Below you see the output written to the log file and to the screen when logging has been enabled in the INI file.
Below you see the CSV file that is created when that option has been enabled in the INI file.
Below you see an example of the e-mail notification a user receives. The user can then press CTRL+ALT+DEL (on a computer that is a member of the domain) to change the password in the AD domain, or use the password change screen in OWA. The INI file contains example links for the OWA Password Change URL in E2K3 and E2K7.