AD Users | Send Password Expiration Notification rule
This rule queries Active Directory and sends e-mails to enabled users with passwords expiring in a specified number of days and/or expired passwords. You should enforce this rule to run once daily.
NOTE: Default URLs use HTTPS due to Cayosoft’s requirement to use SSL on all Cayosoft websites. Failure to enable SSL on your Cayosoft servers will cause the link sent in this e-mail to fail when users click the link.
Description
You can use this rule if you would like to achieve one of the following outcomes:
Warn users about password expiration.
Reduce the time help desk team spends on password-related support tickets.
Get reports on user account passwords that are about to expire.
Get reports on user account passwords that have already expired.
Define when and how many times to remind the domain users about their expiring and expired passwords. Refer to the following scenarios:
Send notification daily starting from a defined number of days before the password expiration date.
Send notification only on specified day intervals, e.g., when it is 15,10,5,4,3,2,1 days before the password expiry.
IMPORTANT: To send emails only on specified day intervals, set the Store the notification timestamp with the user account in AD setting to Yes.
Notify users indefinitely, as long as the password is expired.
After the rule is configured, users with expiring passwords will get emails with the link to the Cayosoft Administrator website.
You should delegate the required set of permissions to users so that they can enroll in and use the Self-Service section. You should also define end-user questions and set a data-encryption password. See the Delegate access to Self-Service Password & Profile management and Configuration of Self-Service password & profile management articles.
Rule Settings
| Setting name | Description |
|---|---|
| Query section | |
| Limit scope to this domain or OU | This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature. |
| AD query criteria | Query criteria are sent with the query and may improve query performance. IMPORTANT: In addition to the defined query, user accounts must meet the following conditions: |
| Filter AD query results | Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting. Example: filter by the found object Distinguished Name. TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible. |
| Days before users are notified that their password will expire | This setting can be a single integer value or specified day intervals, e.g., 15,10,5,4,3,2,1: IMPORTANT: To send emails only on specified day intervals, set the Store the notification timestamp with the user account in AD setting to Yes. |
| Store the notification timestamp with the user account in AD | Store a timestamp of each successful notification with the corresponding user account in Active Directory. This information is used to prevent duplicate notifications and for tracking and reporting purposes. IMPORTANT: This setting must be set to Yes to send emails only on specified day intervals. In this case, users get only one notification per interval. If you use a single value as the number of days, this setting is not applied: users get a notification each time the rule runs (or is previewed) while they have fewer days than the specified value before password expiration. |
| Include users with passwords already expired | Notify users with expired passwords in addition to users with expiring passwords. |
| Properties to display | Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query. To display additional columns, add the required properties to the Properties to display list. To add extension attribute 1 that is synchronized from AD, you need to use a value like: |
| Action section—Message settings for users with password about to expire | |
| User email attribute | Specify an attribute to pick an email from: |
| To User | Specify an email to send the email to: |
| CC, BCC | Specify an address to send a copy of the email to. |
| From | Specify an address to receive emails from: |
| Subject | Specify the email subject. TIP: It is possible to customize the email subject by using different tokens, see Customizing an automation rule or web action output email. |
| Message | Specify the message text. TIP: It is possible to customize the email subject by using different tokens, see Customizing an automation rule or web action output email. |
| Attachment | You can select a file to attach to the Password Expiration Notification email. |
| Action section—Message settings for users with expired password | |
| Same as for users with password about to expire | Use the settings specified for the users with password about to expire or introduce different settings for users with expired password. |
| Send notifications max days after password expired | Specify the maximum number of days to send an e-mail about already expired passwords. Set to 0 to notify users indefinitely, as long as the password is expired. |
| Action section—Other options | |
| Limit the number of emails sent per minute | Set the limit on the number of emails sent per minute by this rule. The default limit for Office 365 SMTP gate is 30 emails per minute. NOTE: Change the default value by navigating to Home > Configuration > Settings > Email Settings (SMTP). |
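
To see how the notification settings above interact before enabling the rule, the following added example (not Cayosoft code) simulates daily runs against one account. The function names and the decision model are assumptions based on the setting descriptions: one email per interval, tracked by the stored timestamp; an email on every run for a single value; an email on every run for expired passwords up to the configured maximum.

```python
from datetime import date, timedelta

def should_notify(expiry, today, days_setting, last_sent=None,
                  include_expired=True, max_days_after_expired=0):
    """Decide whether one daily run mails a user (assumed model, see lead-in)."""
    days_left = (expiry - today).days
    if days_left <= 0:                      # password already expired
        if not include_expired:
            return False
        # 0 = keep notifying for as long as the password stays expired
        return max_days_after_expired == 0 or -days_left <= max_days_after_expired
    if len(days_setting) == 1:
        # Single value: mail on every run inside the window, timestamp ignored.
        # Treating the boundary day as inside the window is an assumption.
        return days_left <= days_setting[0]
    # Interval list: the current interval is the smallest threshold not yet passed.
    interval = min((t for t in days_setting if t >= days_left), default=None)
    if interval is None:
        return False                        # further out than the largest value
    entered_on = expiry - timedelta(days=interval)
    # Mail once per interval: only if nothing was sent since the interval began.
    return last_sent is None or last_sent < entered_on

def simulate(expiry, first_run, runs, days_setting, **options):
    """Run the rule once a day; return the days-left values on which mail went out."""
    sent, last_sent = [], None
    for offset in range(runs):
        today = first_run + timedelta(days=offset)
        if should_notify(expiry, today, days_setting, last_sent, **options):
            last_sent = today               # timestamp stored with the account
            sent.append((expiry - today).days)
    return sent

if __name__ == "__main__":
    expiry = date(2024, 3, 31)              # constructed sample expiry date
    start = expiry - timedelta(days=20)
    print(simulate(expiry, start, 20, [15, 10, 5, 4, 3, 2, 1]))
    print(simulate(expiry, start, 20, [7]))
    print(simulate(expiry, expiry, 6, [7], max_days_after_expired=3))
```

Under this model an account first seen 12 days before expiry still receives one email for the 15-day interval, which is why the stored timestamp, rather than an exact day match, drives the interval schedule.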
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.