The software update correcting the number of days until expiration appears to be accurate now. Thank you for that.
I'm assuming there was a one-time glitch during the update process that inadvertently emailed all users at all companies with negative expirations because of the negative numbers bug that you corrected. I assume that was just a one-time glitch, and it will use the correct numbers in the future in those emails.
Regardless, the console is nice and accurate again, so thanks for that.
However, I do have two suggestions.
1. Can you exclude any disabled users from being emailed, and either hide them from the tool or make another tab only for disabled users? I don't think there is any purpose in displaying disabled users or emailing them, as that would clutter larger lists and continue spamming folks if their retained mailboxes are being forwarded. We still have disabled users being emailed, which just spams their converted mailboxes and whoever their mail is forwarded to.
2. Can you bring back the DN search box override, so that not setting the override triggers it to scope to the domain, but filling in the search box will target only that OU and sub-OUs? That would also be helpful to scope the product in certain situations or when hiding accounts.
Much appreciated, and thanks for your work on all this.
Feature request for showing "Do not expire" users
Re: Feature request for showing "Do not expire" users
Yeah, I thought that maybe making an OU selection optional would help.
Let me work on this a bit more...
Re: Feature request for showing "Do not expire" users
Ok I made some updates to build 1.0.1.67
Adding an LDAP root to limit requested users has returned as an optional configuration; if set, it will use this root instead of the default root of the primary domain.
Updated email notifications to only send emails from the email users list. This means they must have a valid UPN, Email, be allowed to change password and password set to be required to expire. No Domain Admins and no Users with notification issues.
https://delivery.shopifyapps.com/-/8f1a ... 6c93c32d5d
As for disabling users, if they have no UPN, password not allowed to be changed or password never expires then they are skipped or ignored.
Re: Feature request for showing "Do not expire" users
Thanks for the update.
Thanks for bringing back the OU Search box to limit the scope.
On your point about disabled users. When a user is marked as disabled, it's hidden from the Habitat tabs, which is great. However, the email function doesn’t follow suit, and it will spam all disabled users and resource accounts disabled in the system. That’s an issue when most firms convert mailboxes to shared mailboxes or set up forwarding, as it then affects other users and those shared mailboxes.
Setting all disabled users to “User can’t change password” is a temporary fix to stop the flooding, but most firms keep old users as disabled, which can result in hundreds of accounts with that option set. This then turns the “Possible User Issues” tab into a useless tab of all disabled users, and I really happen to like that tab for finding incorrectly set accounts that wouldn’t be possible with this workaround.
The second solution for separating disabled users is breaking out the OU structure into a separate tree and excluding that tree by using the OU search box. That’s probably the better option at first glance, so we can still use the “Possible user issues” tab, but it causes a significant problem with O365 AD Sync and moving around AD structure, affecting policies, targeting, and security measures. Also, unless the O365 AD sync is reconfigured and retargeted to that second tree, all those mailboxes would auto-purge, and affect other organizational requirements. So, going down this road would be a bit of work per customer and not ideal either.
If there is a way to exclude disabled users from the email function, just as it is hidden from the lists in each tab, that would be fantastic to avoid these other issues.
Much appreciated.
Thanks for your time.
Re: Feature request for showing "Do not expire" users
OK I have a fix in place for this which will be released in next build.
In the meantime, the fix can be manually added to resolve your issue now.
Find the Automate Script (Habitat AD Password Expired Notifier) and edit line #35
In the SQL query section of the script, add the following to the end of the SQL Query (AND userAccountControl & 2 = 0)
The entire SQL QUERY should look like:
SELECT * FROM plugin_p4a_habitat_expiry_email Where ClientID = %clientid% and CannotChangePassword = 'False' and passwordneverexpires = 'False' and IsDomainAdmin = '0' and Email <> '' and UPN <> '' and useraccountcontrol & 2 = 0;
This will exclude disabled accounts.
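Added example (not part of the post above and not the plugin's own code): the query from the post run against constructed rows, with and without the `useraccountcontrol & 2` clause, to show which accounts the disabled-bit test drops. The column types, the sample rows and the use of SQLite as a stand-in database are assumptions; the table and column names are taken from the query in the post.

```python
import sqlite3

ACCOUNTDISABLE = 0x2  # userAccountControl bit that AD sets on disabled accounts

# Constructed sample rows: (ClientID, UPN, Email, CannotChangePassword,
# passwordneverexpires, IsDomainAdmin, useraccountcontrol)
ROWS = [
    (1, "alice@example.test", "alice@example.test", "False", "False", "0", 512),   # enabled
    (1, "bob@example.test", "bob@example.test", "False", "False", "0", 514),       # 512 + 2: disabled
    (1, "carol@example.test", "carol@example.test", "False", "True", "0", 66048),  # never expires
    (1, "dave@example.test", "dave@example.test", "False", "False", "0", 546),     # 512 + 32 + 2: disabled
    (1, "erin@example.test", "erin@example.test", "False", "False", "1", 512),     # domain admin
    (1, "", "room1@example.test", "False", "False", "0", 512),                     # no UPN
    (2, "zed@example.test", "zed@example.test", "False", "False", "0", 512),       # other client
]

BASE_QUERY = """
SELECT UPN FROM plugin_p4a_habitat_expiry_email
WHERE ClientID = ? AND CannotChangePassword = 'False'
  AND passwordneverexpires = 'False' AND IsDomainAdmin = '0'
  AND Email <> '' AND UPN <> ''
"""
# Parentheses keep the bit test explicit whatever the dialect's operator precedence.
DISABLED_FILTER = " AND (useraccountcontrol & ?) = 0"

def build_db():
    """Create an in-memory table shaped like the one the query reads (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE plugin_p4a_habitat_expiry_email (
        ClientID INTEGER, UPN TEXT, Email TEXT, CannotChangePassword TEXT,
        passwordneverexpires TEXT, IsDomainAdmin TEXT, useraccountcontrol INTEGER)""")
    conn.executemany(
        "INSERT INTO plugin_p4a_habitat_expiry_email VALUES (?,?,?,?,?,?,?)", ROWS)
    return conn

def recipients(conn, client_id, exclude_disabled):
    """Return the UPNs the notifier query selects for one client."""
    sql, params = BASE_QUERY, [client_id]
    if exclude_disabled:
        sql += DISABLED_FILTER
        params.append(ACCOUNTDISABLE)
    sql += " ORDER BY UPN"
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    db = build_db()
    print("without clause:", recipients(db, 1, exclude_disabled=False))
    print("with clause:   ", recipients(db, 1, exclude_disabled=True))
```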
Re: Feature request for showing "Do not expire" users
Thanks for this. That's a huge help.