Habitat AD Passwords Expired


Post by Cubert

Managing email notifications for users whose passwords are about to expire and will need to be updated.

You must configure a Domain Controller before any AD scans will start.

The tool is available in the Client Console as a tab called "Habitat AD Passwords Expired".

ExpiryConsoleTab.jpg



Using the configure button:


Select from available Domain controllers in the list provided. If no domain controllers are listed then we are not seeing any Windows Active Directory servers for that client.

How many days to notify before expired? This sets the number of days before the user's password expires at which the automated service should send the given email to the user.

The LDAP directory root is not required. The scanner will find the root domain and search for all users in the available OUs.

The email body is where you can craft an HTML-based email that will be used to let the user know their password is about to expire. You can put in any HTML code you like and then use the email viewer to see how it will appear to the users. We have 2 master variables you can add to your email ( @MYNAME@ and @DAYSLEFT@ ). These 2 variables allow you to dynamically embed the current name of the user and their number of days left, so that emails are personalized to the user receiving them.

expiryClientview-Configure.PNG


Client Console Tab View


This is how it works:


In the main console, select the configure button to configure your domain controller. If you are not configured at all then no automated scans will be run on the client. The "Notify Users" switch at the top of Client view turns on and off the emailing of users but not the Active Directory scans. This means you can use the plugin just to capture the data for your review without any notifications.

Monitoring scans are scheduled twice daily on the Windows Domain Controller you select in the plugin configuration. Emails are sent once on the day(s) before the expiration, after 12 pm. The scans require PowerShell version 3 or greater.

Once configured, and after the first scan has completed, you should see users. The scans are performed by a scheduled script. Executing a scan manually may take some time, depending on how fast your domain controller is checking in with Automate.


What's the requirements thing?

The email service only looks for users who meet a given set of requirements. These requirements help filter out users that would otherwise not benefit from this service.

For users to show in the "Email Users" list:
  • Users must have a password that will actually expire! If a user is set to "Never Expire" they will not show up in the list.
  • Users must be able to update or change their passwords! If a user is set to "Cannot change password" they will not show up in the list.
  • Users must have the "Email" property set with a valid email. This is separate from the "UPN" property that is set when users are added to the directory.

If a user is in the LDAP directory provided and meets these requirements then they should be exposed in the list. Any users listed in red are expired or expiring now.

You can select a user from the main view and send a single direct email to them as a manual process that will be executed on the Domain Controller within a few minutes.



expiryClientview.PNG



User Issues

Users that cannot have email notifications sent to them are listed here. These users have "Cannot Change Password" enabled, have "Password Never Expires" enabled, or are missing an email address in the "Email" property.



expiryClientview-userIssues.PNG



Domain Admins

The Domain Admins view displays all users that are members of the Domain Admins group. A domain admin may have "Cannot Change Password" enabled, may have "Password Never Expires" enabled, or may be missing the "Email" property.



expiryClientviewDomainAdmins.PNG

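The three "Email Users" requirements and the two template variables ( @MYNAME@ and @DAYSLEFT@ ) described in the post can be checked independently of the plugin. The PowerShell below is an added example, not Habitat's own script: the function name `Get-ExpiryNotice`, the `PasswordExpires` field, the default template and the sample accounts are assumptions made for illustration.

```powershell
# Added example (not Habitat's script). Property names follow Get-ADUser output;
# PasswordExpires is a hypothetical field you would compute from the AD attribute
# msDS-UserPasswordExpiryTimeComputed with [datetime]::FromFileTime().
function Get-ExpiryNotice {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int]      $NotifyDays = 14,   # "How many days to notify before expired?"
        [string]   $Template   = '<p>Hi @MYNAME@, your password expires in @DAYSLEFT@ day(s).</p>',
        [datetime] $Now        = (Get-Date)
    )
    foreach ($u in $Users) {
        # The three requirements for the "Email Users" list.
        $issues = @()
        if ($u.PasswordNeverExpires) { $issues += 'Password Never Expires' }
        if ($u.CannotChangePassword) { $issues += 'Cannot Change Password' }
        if ([string]::IsNullOrWhiteSpace($u.EmailAddress)) { $issues += 'Email not set' }

        $daysLeft = $null
        if ($u.PasswordExpires -is [datetime]) {
            $daysLeft = [int][math]::Floor(($u.PasswordExpires - $Now).TotalDays)
        }

        $list = 'Email Users'
        if ($issues.Count -gt 0) { $list = 'User Issues' }

        # Render a body only for qualifying users inside the notification window.
        $body = $null
        if ($list -eq 'Email Users' -and $null -ne $daysLeft -and
            $daysLeft -ge 0 -and $daysLeft -le $NotifyDays) {
            # Encode the name: AD display names are data, the template is HTML.
            $safeName = [System.Net.WebUtility]::HtmlEncode($u.Name)
            $body = $Template.Replace('@MYNAME@', $safeName).Replace('@DAYSLEFT@', [string]$daysLeft)
        }

        [pscustomobject]@{
            Name = $u.Name; List = $list; Issues = ($issues -join ', ')
            DaysLeft = $daysLeft; Body = $body
        }
    }
}

# Constructed sample accounts, so the function runs without a domain controller.
$now = Get-Date '2024-01-10'
$sample = @(
    [pscustomobject]@{ Name='Ann <Ops>'; EmailAddress='ann@example.test'; PasswordNeverExpires=$false; CannotChangePassword=$false; PasswordExpires=$now.AddDays(5) }
    [pscustomobject]@{ Name='svc-backup'; EmailAddress=$null; PasswordNeverExpires=$true; CannotChangePassword=$true; PasswordExpires=$null }
    [pscustomobject]@{ Name='Bob'; EmailAddress='bob@example.test'; PasswordNeverExpires=$false; CannotChangePassword=$false; PasswordExpires=$now.AddDays(40) }
)
Get-ExpiryNotice -Users $sample -NotifyDays 14 -Now $now | Format-List
```

Accounts that land in "User Issues" with "Password Never Expires" set, service accounts and domain admins in particular, are the ones worth reviewing by hand, since no notification will ever prompt a password change for them.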