UMRA: monthly password expiration

In Active Directory networks where security is important, you might want to introduce monthly password expiration to a special group of user accounts. Let’s say you have 5000 employees, of which 1000 users are working in a retail environment, which is security-sensitive. You only want to apply monthly expiration to the 1000 users, so a domain-wide AD policy is not a valid option. Also, when you expire the passwords of 1000 users on a specific day, you will get a massive helpdesk load, so you want to balance the load over the month. The solution is a smart UMRA automated process:

  • Query the 1000 users you want to include in the operation
  • Loop through each user and get a good name value (lastname or smtp address)
  • Map the first character of the name value to a day number (alphabet position)
  • If the day number equals the current day number => password change at next logon
  • Send a warning e-mail to the users who’s password will be reset within 5 days

The number of resets won’t be exactly 1000 / 26 = 38, since some letters are more common than others. However, you can predict who’s password is going to expire since you know the letter of the day. At the time of writing, it’s day number 11, so that means everybody who’s name starts with a “k” will be processed.

Geschreven door:

Arnout van der Vorst

Arnout van der Vorst is Identity Management Architect bij Tools4ever en al ruim 10 jaar in dienst. Arnout legt zich als Architect toe op het bedenken en ontwikkelen van nieuwe features, oplossingen en diensten van Tools4ever die aansluiten op de vraag uit de markt. Arnout studeerde Hogere Informatica aan de Hogeschool van Utrecht.