In Active Directory networks where security is important, you might want to introduce monthly password expiration to a special group of user accounts. Let's say you have 5000 employees, of which 1000 users are working in a retail environment, which is security-sensitive. You only want to apply monthly expiration to the 1000 users, so a domain-wide AD policy is not a valid option. Also, when you expire the passwords of 1000 users on a specific day, you will get a massive helpdesk load, so you want to balance the load over the month. The solution is a smart UMRA automated process:

  • Query the 1000 users you want to include in the operation
  • Loop through each user and get a good name value (lastname or smtp address)
  • Map the first character of the name value to a day number (alphabet position)
  • If the day number equals the current day number => password change at next logon
  • Send a warning e-mail to the users who's password will be reset within 5 days

The number of resets won't be exactly 1000 / 26 = 38, since some letters are more common than others. However, you can predict who's password is going to expire since you know the letter of the day. At the time of writing, it's day number 11, so that means everybody who's name starts with a "k" will be processed.