I have been getting lots of questions from everyone, and that is great.
This week I got a question from Charles:
“Hello Steve,
I have a problem, I need to run a VB Script that will tell users that their password needs to be changed in x days. The Windows 7 balloon is not effective, and users miss it. Also, I do not want it to slow down the login. So what options do I have left?”
This is an excellent question. Other versions of Windows might not even tell you.
For example: A user could leave their system on for days and days, and then cross the threshold of the password expiration date – suddenly nothing works for them.
You know what that means – another call to the help desk!
I have a good trick for meeting all of your requirements. I have translated them to:
1. Make sure the user's logon is swift, and not interrupted by a password expiration notice (especially because Windows just told them about it!)
2. While they are using Windows, make it clear that their password expired. Don’t depend on Windows to properly notify them.
3. Do all of this from a script, no extra programs required.
I think we can make that happen. First, we need a script to see if and when the user's password expires. I found one that Microsoft has provided, and I have modified it to suit our needs.
The script has one function – PasswordDaysLeft. You call it, and it returns the number of days left before the password expires. If the function returns 99999 then the password never expires.
For example, if we wanted to know that in 10 days or less the password would expire, we would call it like this:
if (PasswordDaysLeft() <= 10) then
    MsgBox("Your password will expire in " & PasswordDaysLeft() & " days!")
end if
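An added example, not the script from the download and not Microsoft's original: one way a PasswordDaysLeft function could be written with ADSI, returning 99999 for "never expires" as described above. It assumes a domain-joined machine and the domain-wide password policy; the constant and variable names are illustrative.

```vbscript
' Added example (not the downloadable script): a possible PasswordDaysLeft.
' Assumption: only the domain-wide policy is read; a fine-grained password
' policy applied to the user is not reflected in the result.
Option Explicit

Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const NEVER_EXPIRES = 99999          ' sentinel value described in the article

Function PasswordDaysLeft()
    Dim objSysInfo, objUser, objDomain, lngMaxAge, dtmChanged

    PasswordDaysLeft = NEVER_EXPIRES

    ' ADSystemInfo exposes the logged-on user's DN and the domain short name
    Set objSysInfo = CreateObject("ADSystemInfo")
    Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

    ' Account is flagged "password never expires"
    If objUser.Get("userAccountControl") And ADS_UF_DONT_EXPIRE_PASSWD Then
        Exit Function
    End If

    ' Domain maximum password age in seconds; a non-positive value is
    ' treated as "passwords do not expire"
    Set objDomain = GetObject("WinNT://" & objSysInfo.DomainShortName)
    lngMaxAge = objDomain.Get("MaxPasswordAge")
    If lngMaxAge <= 0 Then Exit Function

    ' Reading PasswordLastChanged can fail (for example when the password
    ' must be changed at next logon); treat that as already expired
    On Error Resume Next
    dtmChanged = objUser.PasswordLastChanged
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        PasswordDaysLeft = 0
        Exit Function
    End If
    On Error GoTo 0

    ' Whole days allowed minus whole days since the last change, never negative
    PasswordDaysLeft = Int(lngMaxAge / SEC_IN_DAY) - Int(Now - dtmChanged)
    If PasswordDaysLeft < 0 Then PasswordDaysLeft = 0
End Function
```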
So now we have the ability to check for password expiration. But what about the original request? We don't want it to pop up at startup, but later.
Here is how we can get our script to do that:
We will loop in our script, and only check every 5 minutes. In addition, we will only start checking 20 minutes after the user logs in:
'Sleep for 20 minutes
WScript.Sleep(20 * 1000 * 60)
bRunning = TRUE
'20 minutes is up, check every 5 min to see if password is too old
while (bRunning)
    if (PasswordDaysLeft() <= 10) then
        MsgBox("Your password is about to expire. Please log off right now and change it")
        bRunning = FALSE
    end if
    WScript.Sleep(5 * 1000 * 60)
wend
This will stay running until the password is within 10 days of expiring, or the user shuts down or logs off. Once the user is notified, it will exit and not bother them again.
Now we have most of what we need:
-A function that tells us how many days before a password expires
-A script to check it.
How do we get it to run in the background?
That is easy. From the user's logon BAT file we call our VB Script like this:
start wscript \\server\share\PasswordExpires.vbs
This tells the BAT file to fire up our script, but not to wait for it.
So here is what happens:
The user logs in, and the script is launched into the background. It silently waits for 20 minutes, and then at 5-minute intervals it checks whether the password is within 10 days of expiring. If it is, the user gets a notification and the script quits.
I think that covers everything. The logon is quick, since it launches our script in the background and lets the user get right to their business.
You can download the zip file with the VBS file, and an example BAT logon script here:
http://www.intelliadmin.com/PasswordExpires.zip
{ 7 comments }
This is an awesome trick, Steve. I had no idea that you could let a script run in the background like this.
Love it!
Related opinion: I hate password expiration warnings. Totally pointless. Just expire and be done with it. Don’t nag me for 10 days that it's going to expire. Annoying.
Lew,
Totally agree. For fun one day go into group policy and set the password expiration to a short interval…like 7 days…and you will *always* get a “password is about to expire notification”!
I am interested to send email notification in Outlook that account will expire in 10 days' time. I know it can be done from the GPO by running a VB script. Steve, can you guide on this one too? I have no clue how to make a VB script for this purpose.
Help appreciated!
Or, pick up an inexpensive copy of “Password Reminder PRO” from http://www.sysoptools.com – no mucking with scripts, runs as a service, and is not annoying to users like a vb-script generated notification. It also has a daily ‘heads up’ report for the helpdesk so they know what issues will pop up for the day and can handle them before a user (like the CEO) calls for help, and a nifty report console to manage all AD accounts. I’ve done my share of scripting and this is a hands-down awesome solution, and you never have to mess with it after deployment (which IMO is equally important, none of us have time to sit and mess with scripts all day).
—FWIW—
Also related: sysadmins hate when users nag before they ignore the password expiration warnings, so this is a good script.
Great script. I’m delighted to have found this. I’m migrating users from a 2003 Terminal server to a 2008 one, and the notification isn’t good enough.
I have amended it to suit me.
I replaced the line:
WScript.Sleep(5 * 1000 * 60)
with my line below, so that it just shows once per day:
WScript.Quit
I also changed the warning message displayed to tell the users “Your password is about to expire. Please Click on Start->Windows Security and Change Password”
Thank you so much; this was a headwrecker for me. Love the site! Glad I signed up to it.