LabTech Plugin : Expiry the AD Password Expiration Notifier

On May 28, 2015, in How-to, Scripting, by Cubert aka (Cube Dweller)


Are Your Users Expired?


Yes, It is Monday morning,  you walk into your office and the Help Desk lines are already lit up. Clients are calling with emergency lockouts and emails not coming in on their phones and computers. You know their passwords are expired and they didn’t see the desktop popup from Microsoft warning them it was coming. You now have to get busy resetting passwords to get these people back to work as fast as possible. Password expiration issues can account for up to 10% of the weekly tickets a MSP’s help desk has to manage and although it only takes a minute or two to fix that time adds up.  Here is where we come in.


Expiry AD is a plugin for LabTech that checks the Active Directory of any client to see what Domain User passwords maybe ready to expire, creates a list of the users expected expiration times and emails them a custom email notice to please update password when they come close to the limit you set for them. You can personalize each email to the user that is receiving it or have a generic global email that goes to everyone.




There is some basic information needed to complete the password expiration checks,

You will need to supply the AD server you want to scan, this should be an up to date AD server with Powershell 2 or higher installed. You will need to know how many days ahead of the expiration you want to send a notification and the LDAP root you want to look for users in.

Once this information is entered into the system and the apply button pressed the plugin will request if you would like to run a scan now. Scans will run daily on systems that are set to notify users automatically, just turn on the Notify Users switch at the top of the management window.

We supply a HTML capable Email Body template maker that will allow you to create unique emails that are personable to each user. Once you are finished you can view what your emails will look like by selecting the Email Viewer control. We have provided two wild cards for email templates @MYNAME@ and @DAYSLEFT@ which will allow you to personalize each email sent with the users full name and the current days left before expiration.



By selecting the [Results] tab yo can see the result of the last scan and who is in line to get emails. All user will be listed here and will show how many days left until they expire. Users marked in RED have expired or are with in the windows set by you for expiration emails.





Not all users of Active directory will show up in list or scans. We have some basic filters in place for the scanner that prevents non actionable users from showing up in scans.

For instance.

  1. Users who are set to never expire will be excluded
  2. Users who are disabled will be excluded
  3. User who are set to no be able to change password are excluded
  4. User who have no official Email address listed in directory are excluded

You will only get a return of people you can actually affect and emails will only be sent to users who can receive them and react. This limits the efforts needed by the Labtech system and provides for maximum coverage for the domain users.










Tagged with:

21 Responses to “LabTech Plugin : Expiry the AD Password Expiration Notifier”

  1. jh says:

    Looking forward to testing this but unfortunately I’m seeing an error when opening the plugin: “Loading AD sConfig ErrorObject reference not set to an instance of an object” Thanks for any updates

  2. jh says:

    restarting the db agent resolved this issue. Is there anyway to see what the text of the email?

  3. rgreen83 says:

    I would also like to see what the email says. Ideally we could customize it, like I want to use this for our hosted server clients so I need to include instructions how to change their password via rdp session. Looks great though!

  4. Ian Murphy says:

    Is there any way to customise the mail message? I’m in spain and when users here recieve a message in english they automatically assume its some sort of spam or fraud.

  5. We just had a huge release for Expiry, This plugin went from mild manured to overly extreme! A Total rewrite…..

    No more email servers needed, and thanks to Ian Murphy we have kicked the collection of users into overdrive.

  6. Jason Massey says:

    Thanks, Cubert! I was looking for something like this for one of our sites. As a suggestion for the next update: The ability to send a test email and the ability to BCC: an admin email.

  7. Terry Rossi says:

    Excellent work again Cubert – you continue to amaze us and hit the nail right on the head for issues that are plaguing us!

    I installed the plugin and it appears to be working correctly however the scans are not producing anything. Can you please share a powershell query that emulates what the plugin does so I can test on my AD server?

    Thanks Terry

  8. Jason says:

    It seems as if my parameters that i am putting in are not saving. Has anyone had any problems with this.

  9. Gary Porter says:

    Firstly, thank-you for all your work.

    This plugin will hopefully save me a large amount of effort.

    We are getting an stating that PS 3 is required on the latest version. Is this correct?

  10. Dan says:

    Get error on step 13 of script. It does not work but for each client…need it at Location level as a client is a company that may have many locations in which each would or could also have their own separate domain server.

  11. Jorge Rojas says:

    Hi Cubert,

    Great plug in!

    We also got that error on step 13 on our own site.

    Also on another site seemed to be working but when we tested it said an email went out but we never received it. How can we troubleshoot that? We do not know who is the sender or what server is sending it.



  12. James Parle says:

    Hi Cubert,

    A user on our domain is receiving password expiry notifications on a daily basis. The user in question ahs two AD accounts tied to his email address, but has reset the password for both accounts. Originally the alert was saying the user had -67 days remaining until expiring, now it is saying 0.


  13. rae says:

    Hi Cubert,

    We received this error System does not meet the minium requirments of Powershell 3.

  14. Shannon says:

    Update the powershell service to 3 on that system.

  15. Nic Lambert says:

    Hi Cubert, the script appears to run on our Server but does not produce the sql output file or anything else.

  16. Cubert says:

    Open up a forum post at and we will start working with you to see whats up.

  17. Dan says:

    Hi Cubert,

    I had a question for you, we tested this plugin and found that it works great.
    However, we were wondering if there was a way to get the emails to keep sending day after day until the password is updated?



  18. Jon says:

    Not getting any results from any clients

  19. Kathy Gilbert says:

    will this not work with Labtech 12? I am getting an error message when trying to load the plugin

  20. Chris Ryder says:

    A client of ours has decided on two different policies for two different groups, they are using PSOs in Active Directory Admin Center rather than a GPO because of the password length limitation in GPO. The plugin is only picking up the expiry information that was set through the GPO. Any idea why this may be?

  21. Ian Murphy says:

    You can only have a single password policy in a domain, only one of the two is going to be applying correctly

Leave a Reply