Habitat Windows Domain Password Expiration Manager

Detailed descriptions and imagery explaining each tool available inside Habitat. Feel free to post feature requests under each tool's forum post if you would like to see something added or changed in the tools.

Post by Cubert »

Manage Windows Domain Passwords That Are Expiring


[Image: WindowsDomainPasswordExpiredClientConsole.PNG]

This tool is used to monitor the password expiration dates for Windows Active Directory users that meet the requirements. The tool will send out an email (X) days before the user's password expires, using an email that you can design in the plugin. The email is HTML based, so it can contain links to images and to things like the Web Remote Desktop - Remote password tool in your domain.


This is how it works:


In the main console, select the configure button to configure your domain information. If you are not configured at all or if your LDAP information is blank, then no automated scans will be run on the client. The "Notify Users" option turns the emailing of users on and off, but not the monitoring scans. This means you can use the plugin just to capture the data for your review without any notifications.

Monitoring scans are scheduled twice daily on the Windows Domain Controller you select in the configuration of the plugin. Emails are sent once on the day(s) before the expiration, after 12 pm. For the scans to work they require PowerShell version 3 or greater. Only select Windows Domain Controllers that have at least PowerShell 3 installed, or the scanning scripts will exit with errors about the requirement for POSH3.

Once configured and the first scan has completed you should see users if your LDAP settings are accurate and the requirements are met. There's that "requirements" thing again!


What's the requirements thing?

The scans only look for a particular group of users that meet a given set of requirements. These requirements help filter out users that would otherwise not benefit from this service.
  • Users must have a password that will actually expire! If a user is set to never expire, they will not show up here in the list.
  • Users must be able to update or change their passwords! If a user is set to "Cannot change password", then they will not show up in the list.
  • The user is not disabled! If the user is disabled, then we will not show the user in the list.
  • Users must have the "Email" property set with a valid email. This is outside of the "UPN" property setting that is given when users are added to the directory.
If a user is in the LDAP directory provided and meets these requirements then they should be exposed in the list. Any users listed in red are expired or expiring now.

You can select a user from the main view and send a single direct email to them as a manual process that will be executed on the Domain Controller within a few minutes.


[Image: WindowsDomainPasswordExpiredClientConfigure.PNG]

To Configure:

Select from available Domain controllers in the list provided. If no agents are listed then we are not seeing any Windows Active Directory servers for that client.

How many days to notify before expired? This sets the number of days before the user's password expires that the automated service should send the given email to the user.

The LDAP directory root, this should be the container that houses the root of your users. The format is required to be LDAP compatible as seen in the image above.

The email body is where you can craft an HTML-based email that will be used to let the user know their password is about to expire. You can put in any HTML code you like and then use the email viewer to see how it will appear to the users. We have 2 master variables you can add to your email ( @MYNAME@ and @DAYSLEFT@ ). These 2 variables allow you to dynamically embed the current name of the user and their number of days left so that emails are personalized to the user receiving them.
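
The eligibility rules and the @MYNAME@ / @DAYSLEFT@ substitution described in this post, as an added PowerShell example that is not Habitat's own script. The user records are constructed stand-ins for directory query results, the function names are hypothetical, counting days by calendar date is an assumption, and HTML-encoding the name is an addition made here so that directory-supplied text cannot alter the email markup.

```powershell
# Constructed sample records; property names follow Get-ADUser output, and
# 'Expires' is a hypothetical, already-computed password expiry timestamp.
function New-SampleUser($Name, $Enabled, $NeverExpires, $CannotChange, $Mail, $Expires) {
    [pscustomobject]@{
        Name = $Name; Enabled = $Enabled; PasswordNeverExpires = $NeverExpires
        CannotChangePassword = $CannotChange; EmailAddress = $Mail; Expires = [datetime]$Expires
    }
}
$users = @(
    New-SampleUser 'Ann Lee'     $true  $false $false 'ann@example.test' '2020-09-27 09:00'
    New-SampleUser 'Bo <IT> Ray' $true  $false $false 'bo@example.test'  '2020-09-24 08:00'
    New-SampleUser 'svc-backup'  $true  $true  $false 'svc@example.test' '2020-09-25 08:00'
    New-SampleUser 'Cy Kim'      $false $false $false 'cy@example.test'  '2020-09-25 08:00'
    New-SampleUser 'Di Roy'      $true  $false $false $null              '2020-09-25 08:00'
    New-SampleUser 'Ed Fox'      $true  $false $false 'ed@example.test'  '2020-11-01 08:00'
)

# The four requirements: password can expire, user can change it,
# account is enabled, and the Email property holds a plausible address.
function Test-Eligible($User) {
    (-not $User.PasswordNeverExpires) -and
    (-not $User.CannotChangePassword) -and
    $User.Enabled -and
    ($User.EmailAddress -match '^[^@\s]+@[^@\s]+\.[^@\s]+$')
}

# Assumption: days left are counted by calendar date, ignoring time of day.
function Get-DaysLeft([datetime]$Expires, [datetime]$Now) {
    ($Expires.Date - $Now.Date).Days
}

# Encode the directory-supplied name before it is placed in the HTML body.
function Format-Notice([string]$Template, $User, [int]$DaysLeft) {
    $safeName = [System.Net.WebUtility]::HtmlEncode($User.Name)
    $Template.Replace('@MYNAME@', $safeName).Replace('@DAYSLEFT@', [string]$DaysLeft)
}

$now        = [datetime]'2020-09-24 13:00'   # constructed scan time
$notifyDays = 5
$template   = '<p>Hello @MYNAME@, your password expires in @DAYSLEFT@ day(s).</p>'

foreach ($u in $users) {
    if (-not (Test-Eligible $u)) { continue }          # filtered out of the list
    $left = Get-DaysLeft $u.Expires $now
    if ($left -gt $notifyDays) { continue }            # not yet in the notify window
    $status = if ($left -le 0) { 'expired or expiring now' } else { 'expiring' }
    '{0} <{1}> [{2}]' -f $u.Name, $u.EmailAddress, $status
    Format-Notice $template $u $left
}
```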


Re: Habitat Windows Domain Password Expiration Manager

Post by Kaiman »

Hi,

Any chance we could get the ability to schedule multiple emails to be sent in the future?


Re: Habitat Windows Domain Password Expiration Manager

Post by Cubert »

Sure, how many and how often?


Re: Habitat Windows Domain Password Expiration Manager

Post by Kaiman »

The ability to do a per-day schedule kinda like how you can do with script scheduling would be great.

So, say you have it set to start emailing when less than 30 days remaining until password expiration. Then you have checkboxes for certain days of the week to email users from then on at a given time from then until their password expiration date. So once it hits the final 30, you could have it checked to email like every Tuesday and Thursday after that, for example. And then maybe have an option to disable emails X days after expiration date or just stop after the day itself.

Hopefully that all makes sense.

Thanks!


Re: Habitat Windows Domain Password Expiration Manager

Post by jallenEITP »

We have a request for an enhancement.

Right now if you set the expire notification to 5 days it will email any user that has a password set to expire at the 5 day mark or sooner but not if it is at 5 days and 3 hours and so many seconds.

Is there a way to get it to just report if it will be at any time in the 5th day from now?

User example

User X has a password set to expire on 9/29/20 at 15:45
The script runs at 13:00 so the user would report that they will expire 5 days and 4 hours and 45 minutes from now so it does not hit the 5 day requirement so it does not report.

But AD is also set to notify at 5 days for the client so at 15:45 or after the user gets a pop up before they get the email.

If the script can just look at the date and say any password to expire at any time on the 5th day from now notify the user.


Re: Habitat Windows Domain Password Expiration Manager

Post by ccalverley »

When setting the LDAP directory, will it look recursively into subdirectories when looking for a user?


Re: Habitat Windows Domain Password Expiration Manager

Post by ccalverley »

you could do something like
email user _____ days out
add another []
(blank if not selected)
email user _____ days out

or something along those lines.


Re: Habitat Windows Domain Password Expiration Manager

Post by ccalverley »

Another suggestion: is there a way to make the table labels sort by the selected one?


Re: Habitat Windows Domain Password Expiration Manager

Post by Cubert »

ccalverley wrote: Thu Jan 07, 2021 5:29 pm When setting ldap directory will it look recursively into sub directories when looking for a user?

Yes it should.


Re: Habitat Windows Domain Password Expiration Manager

Post by Cubert »

ccalverley wrote: Thu Jan 07, 2021 8:28 pm you could do something like
email user _____ days out
add another []
(blank if not selected)
email user _____ days out

or something along those lines.

We are planning to add a pester mode to the email abilities. Currently we send 1 email to the end user the number of days out set by the configuration. We are looking to add a pester checkbox which will send 2 emails a day from the day of the limit until the password expires. So you can choose to be gentle or aggressive.
