On-Premises Active Directory Password Expiration Alerts Crate

If you’re new to Crates, read through our introductory Crate documentation here. Find the Crate in our Crate Marketplace.

What does the On-Premises Active Directory Password Expiration Alerts Crate do?

Our On-Premises Active Directory Password Expiration Alerts Crate automates the process of monitoring password expiration for on-premises Active Directory users, ensuring that users are notified well in advance. By sending timely email alerts, it helps maintain security and minimizes disruptions by prompting users to update their passwords before they expire.

This workflow is designed for on-premises Active Directory only. It does not monitor or interact with cloud-based directories like Entra ID. This Crate doesn't perform password resets; it only sends notifications. Users must update their passwords manually through the appropriate channels. The workflow does not provide real-time alerts. There may be a slight delay between when a password expiration is detected and when the notification is sent.

How the Crate works

  • Automatically checks for user passwords expiring in 14, 7, 3, and 1 day, ensuring users are well-informed ahead of time

  • Sends email alerts to users, reminding them to change their passwords before the expiration date, reducing the risk of account lockout

  • Ensures that passwords are updated promptly, reducing the likelihood of unauthorized access due to expired passwords

  • Streamlines the password management process, lowering the frequency of IT support tickets related to password issues and freeing up resources for other critical tasks

The workflow is initiated by a scheduled task that runs a PowerShell script at predefined intervals.

If Rewst's PowerShell interpreter tool is installed, Crate workflows which have multiple-system dependencies will have increased efficiency with faster and more consistent cloud-native executions that are completed in seconds.

Workflow breakdown

  1. The workflow is initiated by a Cron trigger, which runs the workflow on a scheduled basis once activated.

  2. The first action, begin, executes a noop action that serves as the entry point of the workflow and immediately transitions on success to the next step.

  3. The action check_expiring_passwords runs the On-Prem: Run PowerShell on Org Domain Controller subworkflow, which executes a PowerShell script on the organization's domain controller to retrieve a list of users whose passwords are approaching expiration. The result is published into the workflow context as expiring_passwords.

  4. If the PowerShell execution fails, the workflow transitions to the failure_getting_expired_passwords action, which is a terminal noop action that ends the workflow on that failure path.

  5. If the PowerShell execution succeeds, the workflow moves to a second action also named check_expiring_passwords, which uses a noop action to evaluate whether any expiring passwords were actually returned. This action normalizes the data into a consistent list format via a data alias on its transition, handling both single-result and multi-result responses. If only one result is returned, it wraps it in a list. For each entry, if the user has no email address on file, it falls back to the organization variable password_expiry_crate_admin_email as a default recipient.

  6. If no expiring passwords were found — meaning the output is null or empty — the workflow transitions to the no_expiring_passwords action, which is a terminal noop action that ends the workflow gracefully with nothing to do.

  7. If expiring passwords were found, the workflow transitions to the check_email action, which is a noop action using a "follow first" transition mode to determine whether any of the expiring password records have a valid email address.

  8. If at least one record has a non-null email address, the "Found" transition fires and the workflow proceeds to the alert_user action. If none of the records have a valid email address, the "Not Found" transition fires and the workflow proceeds to the email_not_found action instead, which is a terminal noop that ends the workflow.

  9. The alert_user action executes the sendmail action using a with-items loop that iterates over every entry in the expiring passwords list with a concurrency of one. For each user, it sends an email from "noreply" with a subject line indicating how many days remain until the password expires, and the message body is rendered from a stored template.

  10. After all emails have been sent, the workflow transitions to the end action, which is a terminal noop action that marks the successful completion of the workflow.
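One way to write the domain-controller query that step 3 describes, with the 14/7/3/1-day reminder marks and the step 5 email fallback applied in the script itself. This is an added example, not the script shipped with the Crate; the parameter names, output field names and placeholder address are assumptions.

```powershell
# Added example: hypothetical script, not Rewst's own.
# Requires the ActiveDirectory module (RSAT) on the domain controller.
param(
    [int[]]  $Thresholds    = @(14, 7, 3, 1),          # reminder days listed on this page
    [string] $FallbackEmail = 'admin@example.invalid'  # constructed placeholder address
)
Import-Module ActiveDirectory

$today = (Get-Date).Date

# Only enabled accounts whose passwords can actually expire.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

# @( ... ) forces an array even when zero or one user matches.
$expiring = @(foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # Null or 0 (password never set / must change at next logon) and
    # Int64.MaxValue (no expiry applies) are not real dates; FromFileTime
    # would throw on the latter, so skip them before converting.
    if (-not $raw -or $raw -eq [long]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = ($expires.Date - $today).Days

    # Report only users sitting exactly on a reminder day.
    if ($Thresholds -notcontains $daysLeft) { continue }

    [pscustomobject]@{
        sam_account_name = $u.SamAccountName
        email            = if ($u.mail) { $u.mail } else { $FallbackEmail }
        expires_on       = $expires.ToString('yyyy-MM-dd')
        days_remaining   = $daysLeft
    }
})

# Passing the array via -InputObject serializes it as a JSON array
# whether it holds zero, one or many entries.
ConvertTo-Json -InputObject $expiring -Depth 3
```

Matching on exact day counts assumes the script runs once per day; a less frequent schedule would skip reminder days.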

Crate prerequisites

One of the following RMM integrations must be set up before unpacking this Crate:

The following must be set up before unpacking this Crate:

Unpack the On-Premises Active Directory Password Expiration Alerts Crate

  1. Navigate to Marketplace > Crates in the left side menu of your Rewst platform.

  2. Search for On-Premises Active Directory Password Expiration Alerts.

  3. Click on the Crate tile to begin unpacking.

  4. Click Unpack Crate.

  5. Click Continue.

  6. Enter Time Saved under Crate Configuration.

  7. Ensure that Enabled is toggled on under Configure Triggers. Note that you have the option under the Cron Job accordion menu to activate the Crate for all future organizations in addition to the current one. You may also set trigger criteria or integration overrides.

  8. Click Unpack.

Test the Crate

Since this workflow sends real emails to real users, consider testing against a smaller organization or one where you control the mailboxes, so you don't accidentally notify end users during your test run. Alternatively, you could temporarily mock the alert_user task to prevent emails from going out while you validate the rest of the flow.

  1. Navigate to Automations > Workflows in the left side menu of your Rewst platform.

  2. Search for Alert: Password Expiry - Notify End User.

  3. Click on the workflow to view it in the Workflow Builder.

  4. Click Test.

  5. Click Run Test to confirm.

  6. You'll see a green success message at the top of your screen if the execution is successful. You'll see a red failure message if the execution fails. Click View Results for a more detailed breakdown of each.

  7. Confirm that the check_expiring_passwords task successfully connected to the domain controller and returned data. If it failed, check that your RMM integration is properly configured and the domain controller is reachable.

  8. Check your inbox or the inbox of the test users to confirm the password expiry notification emails were actually delivered.

  9. If no passwords are currently expiring in your environment, the workflow will follow the No Expiring Passwords path and end cleanly at the no_expiring_passwords task. This is still a successful test, but there was nothing to alert on.

Organization variables associated with this Crate

For more on organization variables and how to use them, see our org variable documentation here.

Organization variables not found in our standard organization variables documentation, such as the ones listed below, are typically system variables that are handled by integration mappings.

If you haven't done so already, we recommend that you run the Configure Organization Variables Crate, which will help you set org variables that are relevant to you and your customers' environments.

The organization variable password_expiry_crate_admin_email must be set if you want a fallback email address for users who don't have one on file. You can check this under the organization variable menu in Rewst.

Got an idea for a new Crate? Rewst is constantly adding new Crates to our Crate Marketplace. Submit your idea or upvote existing ideas here in our Canny feedback collector.
