I setup a small domain here at the office recently so we could use it for Single Sign On. Over time, individual services have been converted to use that domain for authentication including things like VPN.
However, most of my users do not actually have workstations or laptops on the domain. This is because we are a majority Mac shop, and the Windows PCs that are in use are mostly running a Home edition, which cannot join a domain.
The first step was to get an email reminder out to everyone. I wrote a scheduled task that runs on my domain controller every morning at 6 AM. The script I settled on was written and distributed by Justin Shin at 4sysops.com. It is called PowerPasswordNotify.ps1. It works quite well and only took minor tweaks for our environment. To fire off the script, I created a batch script that gets run by the Scheduled Task. The contents of that script are exactly:
"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -executionpolicy Unrestricted -file "C:\Applications\PPN\PowerPasswordNotify.ps1"
Two things worth knowing about that line: the powershell.exe under syswow64 is the 32-bit host (the 64-bit one lives under C:\Windows\System32\WindowsPowerShell\v1.0), and "-executionpolicy Unrestricted" lifts the policy for everything that process runs, where "-executionpolicy Bypass" scoped to this one file, or RemoteSigned with a signed script, gives the task what it needs and nothing more.
The only AD related thing I had to do was make sure that everyone's email address was populated on their AD account (the "mail" attribute), since that is where the script gets the recipient from.
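As an added example (this is not PowerPasswordNotify.ps1 or any other code from the post), here is the shape of such a reminder script: it asks the DC which enabled accounts expire within the window, skips anyone without a mail attribute, and mails the rest. The SMTP relay, the From address, the 14-day window and the -WhatIf switch are my assumptions; the ActiveDirectory module (RSAT) must be present on the host that runs it.

```powershell
# Added example, not the script used in the post. Finds AD users whose password
# expires within $DaysAhead days and mails each one. Assumptions: SMTP relay name,
# From address, reminder window. Requires the ActiveDirectory module.
param(
    [int]    $DaysAhead  = 14,
    [string] $SmtpServer = 'smtp.mydomain.priv',        # assumption
    [string] $From       = 'it-helpdesk@mydomain.priv', # assumption
    [switch] $WhatIf                                    # list recipients, send nothing
)

Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param([int]$Days)
    $now   = Get-Date
    $limit = $now.AddDays($Days)

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME the DC derives from pwdLastSet
    # plus whichever password policy applies to the account (domain default or a
    # fine-grained policy), so the script does not have to reproduce that logic.
    # Accounts that never expire come back as Int64.MaxValue; skip those.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties mail, msDS-UserPasswordExpiryTimeComputed |
        Where-Object {
            $_.mail -and
            $_.'msDS-UserPasswordExpiryTimeComputed' -gt 0 -and
            $_.'msDS-UserPasswordExpiryTimeComputed' -lt [long]::MaxValue
        } |
        ForEach-Object {
            $expires = [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
            [pscustomobject]@{
                Name     = $_.Name
                Mail     = $_.mail
                Expires  = $expires
                DaysLeft = [math]::Ceiling(($expires - $now).TotalDays)
            }
        } |
        # Already-expired accounts need a reset, not a reminder.
        Where-Object { $_.Expires -gt $now -and $_.Expires -le $limit } |
        Sort-Object Expires
}

function Send-Reminder {
    param([pscustomobject]$User)
    $subject = "Your password expires in $($User.DaysLeft) day(s)"
    $body = @"
Hello $($User.Name),

Your domain password expires on $($User.Expires.ToString('dddd, MMMM d yyyy')).
Please change it before then so your VPN and other logins keep working.
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $User.Mail `
                     -Subject $subject -Body $body
}

foreach ($u in (Get-ExpiringPasswords -Days $DaysAhead)) {
    if ($WhatIf) {
        '{0,-30} {1,-35} {2:yyyy-MM-dd} ({3} days)' -f $u.Name, $u.Mail, $u.Expires, $u.DaysLeft
    } else {
        Send-Reminder -User $u
    }
}
```

Run it once with -WhatIf to see who would be mailed before wiring it into the scheduled task; the task itself only needs an account that can read user objects and relay mail, not a domain admin.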
For those pesky Windows workstation users (of which I am one), I wanted to make sure they got a reminder as well. This can all be done with GPO.
The first GPO I set was the default password reminder. I edited the default policy for my whole domain and navigated in the Group Policy Management Editor to: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options .
I then found the "Interactive logon: Prompt user to change password before expiration" policy and double clicked it to edit it. I checked "Define this policy setting" and set the value to 14 days.
That works: you get a small balloon in the notification area saying "Your password will expire in X days". However, it is easily missed. I was looking for it, and it was still not easy to see. So it is time to be more assertive. Time for a pop-up.
A simple way to do this is a VBS script that runs at logon.
I found a good script on the SpiceWorks Community for doing this password reminder pop-up. On my DC, I created a folder called C:\DomainScripts. I then shared that folder as "DomainScripts$" so it is a hidden share. The permissions were to allow read-only to Everyone; only administrators can write to it, and that matters, because whatever sits in this folder is about to run in the context of every user who logs on to a domain PC. I could access the share via \\mydomain-dc1\DomainScripts$ and run my password reminder script.
In order to get it to run on logon, I updated the Default Domain Policy. In the GPO Editor, I navigated to Computer Configuration -> Policies -> Administrative Templates -> System -> Logon. Then I found the "Run these programs at user logon" setting and double clicked it. In the dialog, I enabled the policy, then clicked on the "Show…" button. I added the value pointing at the share and script above: "\\mydomain-dc1.mydomain.priv\DomainScripts$\password_reminder.vbs".
Once this policy propagates, users will get a pop-up on logon from the running of the Password Reminder script (assuming they are in the reminder window).
A .vbs file launched from a UNC path is not automatically trusted, even when it is shared off of the domain controller: because the share is addressed by FQDN, Windows does not place it in the Local intranet zone, so the user gets an "Open File - Security Warning" prompt asking if it is OK to run the script. We need to tell the workstations that the DC is an intranet host.
In the GPO Editor, navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page. Locate the “Site to Zone Assignment List” policy and double click it.
Enable the policy, then click the "Show…" button. It will be empty at this time. I put two entries in that dialog: "\\mydomain-dc1" and "\\mydomain-dc1.mydomain.priv", so both the short name and the FQDN are covered. Both have a value of "1", which means the Local intranet zone (2 would be Trusted sites, 3 Internet, 4 Restricted).
Now when the script runs, it will be trusted, because its host is in the intranet zone, and the user won't get a warning before the actual password expiry pop-up.
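The same setup done with PowerShell rather than the GUI, as an added example that is not part of the original post. It builds the hidden share with read-only rights for Everyone, writes the two policy settings into a dedicated GPO (the post edits the Default Domain Policy; a separate GPO is easier to unlink), and refuses to link the GPO if anyone other than Administrators and SYSTEM can write to the script folder. The host name mydomain-dc1, the DNS suffix mydomain.priv, the GPO name "Password Reminder" and the registry locations behind the two settings are my assumptions about this environment; it needs the GroupPolicy and ActiveDirectory modules and an admin session on the DC.

```powershell
# Added example, not from the original post. Assumptions: DC host name, DNS suffix,
# GPO name. Needs the GroupPolicy + ActiveDirectory modules and a domain admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Dc        = 'mydomain-dc1'
$DcFqdn    = 'mydomain-dc1.mydomain.priv'
$LocalPath = 'C:\DomainScripts'
$ShareName = 'DomainScripts$'            # trailing $ hides the share from browse lists
$Script    = "\\$DcFqdn\$ShareName\password_reminder.vbs"
$GpoName   = 'Password Reminder'
$Trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# 1. Folder and hidden share: Everyone reads, only admins/SYSTEM write.
New-Item -Path $LocalPath -ItemType Directory -Force | Out-Null
$acl = Get-Acl $LocalPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from C:\
foreach ($pair in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('Everyone',               'ReadAndExecute'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $pair[0], $pair[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $LocalPath -AclObject $acl
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LocalPath `
                 -ReadAccess 'Everyone' -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 2. Check: any non-admin principal with write rights here could plant code that
#    runs as every user at every logon, so this gates everything below.
function Test-ScriptShareWritable {
    param([string]$Path)
    $bad = (Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $Trusted -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    }
    return [bool]$bad
}
if (Test-ScriptShareWritable $LocalPath) {
    throw "$LocalPath is writable by non-admins; fix the ACL before publishing a logon script from it."
}

# 3. GPO. "Run these programs at user logon" is a numbered list of REG_SZ values under
#    Policies\Explorer\Run. "Site to Zone Assignment List" is one REG_SZ per site under
#    ZoneMapKey (data = zone number, 1 = Local intranet) plus a DWORD switch in ZoneMap.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' `
    -ValueName '1' -Type String -Value $Script | Out-Null

Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap' `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
foreach ($site in "\\$Dc", "\\$DcFqdn") {
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' `
        -ValueName $site -Type String -Value '1' | Out-Null
}

# Link at the domain root so every domain-joined workstation picks it up.
New-GPLink -Name $GpoName -Target (Get-ADDomain).DistinguishedName `
           -ErrorAction SilentlyContinue | Out-Null
```

After a "gpupdate /force" on a test workstation, "gpresult /h report.html" should show both settings under Computer Configuration, and a logon should run the script without the security warning.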
Now I just need to figure out how to get more workstations onto the domain so they will get the reminders and I don't have to reset people's accounts all the time.