Password expiration notification not delivered

Issue description

ADSelfService Plus sends password expiration notifications to alert users before their passwords expire and so help prevent account lockouts. In certain scenarios, however, these notifications are not delivered to end users. The possible causes are listed below.

Possible causes

  1. SMTP server error: The SMTP server may encounter errors such as connectivity issues or reaching the maximum limit for sending emails, which can prevent notifications from being delivered.
  2. Corresponding attribute not found: The required attribute configured for notifications may be empty in the AD user account. Even if the user is included in the notification policy, missing or invalid attribute values can prevent password expiration notifications from being delivered.
  3. User not included in the specified OU or group: Password expiry notifications may be configured for specific domains, organizational units (OUs), or groups, and the affected user may not be part of the defined scope.
  4. PSO retrieval permission issue: This issue can occur if the service account configured in Domain Settings does not have sufficient permissions to read Password Settings Objects (PSOs) in Active Directory when fine-grained password policies (FGPPs) are configured.
  5. Advanced settings misconfiguration: Exclusions enabled in the Advanced settings (such as non-enrolled users, disabled accounts, or smart-card-enabled users) may unintentionally exclude eligible users from receiving password expiry notifications.
  6. MSSQL-dump-related issue: If ADSelfService Plus uses Microsoft SQL Server and the account it connects with does not hold the bulkadmin server role, the bulk operations that load the dumped password data into the database fail. Without that data, ADSelfService Plus cannot calculate expiry dates, so no notifications are sent.
  7. Retry option not enabled for failed notifications: If notifications are scheduled as one-time alerts for specific days and the retry option is not enabled, any initial delivery failure will result in the notification not being resent.

Resolution

Case 1: SMTP server error

  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to the Configuration tab. Under Self-Service, select Password Expiration Notification and locate the configured scheduler.
  3. Check Last Run Report to view the most recent execution details.
  4. Review the reported SMTP error and troubleshoot the issue based on the error message, such as configuration issues, authentication failures, or email-sending limit restrictions.
    Figure 1: Reviewing SMTP error details in the Last Run Report of the password expiration notification scheduler.
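The Last Run Report records what the SMTP server answered. The following added PowerShell check, which is not part of ADSelfService Plus, reproduces the scheduler's outbound mail path from the ADSelfService Plus server itself, so that a blocked port or wrong host is separated from authentication, relay and sending-limit errors returned by the server. The host, port, sender, recipient and credential are assumptions; replace them with the values configured in the product's mail server settings.

```powershell
# Added check, not part of ADSelfService Plus. Run it on the ADSelfService Plus server.
$SmtpServer = 'smtp.corp.example'             # assumption: host from the product's mail server settings
$Port       = 587                             # assumption: submission port with STARTTLS
$From       = 'adssp-noreply@corp.example'    # assumption: configured sender address
$To         = 'it-admin@corp.example'         # assumption: a mailbox you can check
$Cred       = Get-Credential -UserName 'CORP\svc_adssp_mail' -Message 'SMTP credential'

# 1. Reachability: a blocked port or wrong host fails here, before SMTP is even spoken.
$tcp = Test-NetConnection -ComputerName $SmtpServer -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP ${SmtpServer}:${Port} is unreachable from $env:COMPUTERNAME" }

# 2. Full submission: authentication, STARTTLS, relay-denied and sending-limit errors
#    come back as the SMTP server's reply text inside the exception.
try {
    Send-MailMessage -SmtpServer $SmtpServer -Port $Port -UseSsl -Credential $Cred `
        -From $From -To $To -Subject 'ADSelfService Plus SMTP check' `
        -Body 'Test of the password expiration notification mail path.' -ErrorAction Stop
    "Submission accepted by $SmtpServer; check $To for delivery."
} catch {
    # e.g. 535 authentication failed, 550 5.7.1 relay denied, 452 too many recipients
    "Submission failed: $($_.Exception.Message)"
}
```

Run it under the same account and from the same host as the ADSelfService Plus service so that firewall rules and relay restrictions match what the scheduler experiences. Send-MailMessage is flagged as obsolete in PowerShell 7 but still works there and in Windows PowerShell 5.1; the reply text it surfaces is the same error the Last Run Report shows.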

Case 2: Corresponding attribute not found

Password expiration notifications depend on specific Active Directory attributes:

  • mail attribute: Used for email notifications, and for identity verification during ADSelfService Plus mobile app enrollment, which enables push notifications.
  • mobile attribute: Used for SMS notifications.

If these attributes are empty, invalid, or improperly formatted in the user’s Active Directory account, notification delivery will fail.

  1. Navigate to the Configuration tab.
  2. Under Self-Service, select Password Expiration Notification and locate the configured scheduler.
  3. Click Last Run Report to view the most recent execution details.
  4. Check whether the report indicates a delivery failure due to an invalid or missing attribute. If so, verify that the required attribute (mail or mobile) is populated and correctly formatted in the affected user's Active Directory account.

    Note: The administrator can update the attribute directly in Active Directory. Alternatively, users can update their own contact details using the Directory Self-Update feature in ADSelfService Plus.

Case 3: User not included in the configured scope

If the user is not part of the configured domains, OUs, or groups, password expiration notifications will not be applied to that user.

Step 1: Identify the user’s OU and group membership

Before modifying the scheduler scope, verify where the user is located in Active Directory.

Option A: Using Active Directory Users and Computers

  1. Open Active Directory Users and Computers.
  2. Search for the affected user.
  3. Check the following:
    • The OU location (the user's distinguished name shows the containing OU).
    • The Member Of tab to view group memberships. This tab lists direct memberships only; groups the user belongs to through nesting do not appear there.

Option B: Using ADSelfService Plus Employee Search

  1. Log in to ADSelfService Plus.
  2. Use the Employee Search option to locate the user.
  3. Verify the user's domain, OU, and group membership details.

With either option, once the correct OU and groups are identified, ensure they are included in the notification scheduler scope (Step 2).

Step 2: Update the notification scope

  1. Navigate to the Configuration tab.
  2. Under Self-Service, select Password Expiration Notification.
  3. Locate the configured scheduler and click Edit.
  4. Under the Select Domain section, choose the required domain.
  5. Select the appropriate OUs and groups that include the affected user.
  6. Save the changes to update the notification policy.
    Figure 2: Configuring the notification scope in the password expiration notification scheduler.

Case 4: PSO retrieval permission issue

  1. Navigate to the Configuration tab. Under Self-Service, select Password Expiration Notification and locate the configured scheduler.
  2. Click Last Run Report to view the most recent execution details.
  3. Review the report to check whether there are errors related to retrieving PSOs.
  4. If such errors are reported, verify that the service account configured in Domain Settings has sufficient permissions to read PSO objects in Active Directory.
  5. If the required permissions are not present, grant Read permissions on the PSO objects using the Delegate Control option in Active Directory Users and Computers. PSOs are stored under CN=Password Settings Container,CN=System in the domain partition; enable View > Advanced Features to see the System container. PSOs are not readable by ordinary accounts by default, which is why a least-privilege service account needs this explicit grant.
    • Open Active Directory Users and Computers.
    • Right-click the Password Settings Container (or the container where the PSOs are stored) and select Delegate Control.
    • Click Next, then click Add and select the service account configured in ADSelfService Plus Domain Settings.
    • Click Next and select Create a custom task to delegate.
    • Select Only the following objects in the folder, and choose the following object types:
      • msDS-PasswordSettings
      • msDS-PasswordSettingsContainer
    • Click Next, select Read permissions, and complete the delegation.

    Note: For detailed permission requirements, refer to the Display fine-grained password policy section in the permissions guide.
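Before and after the delegation, the following added PowerShell check (not ADSelfService Plus code) runs the fine-grained password policy lookups as the Domain Settings service account. Active Directory does not raise an error when a caller lacks read access to a PSO; it simply omits the object, so the check compares what the service account sees with what an administrative session sees. The domain, service account, test user and container DN are assumptions; replace them with your own.

```powershell
# Added check, not part of ADSelfService Plus. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Domain   = 'corp.example'                                  # assumption
$TestUser = 'jdoe'                                          # assumption: a user covered by a PSO
$Cred     = Get-Credential -UserName 'CORP\svc_adssp' -Message 'ADSelfService Plus service account'

# 1. Enumerate PSOs as the service account and as the current (administrative) session.
#    A lower count for the service account means some PSOs are hidden from it.
$asSvc   = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain -Credential $Cred)
$asAdmin = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain)
"PSOs visible: service account = $($asSvc.Count), this session = $($asAdmin.Count)"

# 2. Resolve the resultant policy for one user as the service account. If the applicable
#    PSO is hidden, this returns nothing or fails, and the scheduler cannot use its
#    MaxPasswordAge to compute that user's expiry date.
try {
    $rpp = Get-ADUserResultantPasswordPolicy -Identity $TestUser -Server $Domain -Credential $Cred
    if ($rpp) { "Resultant PSO for ${TestUser}: $($rpp.Name), MaxPasswordAge=$($rpp.MaxPasswordAge)" }
    else      { "No PSO visible for $TestUser as the service account" }
} catch { "Resultant policy lookup failed: $($_.Exception.Message)" }

# 3. List the ACEs on the Password Settings Container that mention the service account.
#    The commented grant is the dsacls equivalent of the Delegate Control steps above:
#    GR = generic read, /I:T = this container and every object beneath it. Run it as a Domain Admin.
$psc = 'CN=Password Settings Container,CN=System,DC=corp,DC=example'   # assumption: your domain DN
dsacls $psc | Select-String -SimpleMatch 'svc_adssp'
# dsacls $psc /I:T /G 'CORP\svc_adssp:GR'
```

Step 1 is the decisive one: if the service account's count matches the administrative count, PSO retrieval permissions are not the cause and the Last Run Report error comes from elsewhere. Keep the grant limited to read; the scheduler never needs to modify PSOs.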

Case 5: Advanced settings misconfiguration

Follow the steps below to ensure that eligible users are not unintentionally excluded from receiving password expiration notifications:

  1. Navigate to the Configuration tab. Under Self-Service, select Password Expiration Notification.
  2. Locate the Advanced settings of the configured password expiration notification scheduler.
  3. Review the exclusion settings and verify the following:
    • Non-enrolled users:
      • Check whether notifications are excluded for non-enrolled users.
      • If enabled, verify the user's MFA enrollment status using the MFA Enrolled Users report.
      • Enroll the user for MFA, if required, to ensure notification delivery.
    • Disabled users:
      • Verify whether notifications are excluded for disabled users.
      • Ensure that the affected user account is enabled in Active Directory so notifications can be sent.
    • Smart card users:
      • Check whether the Exclude Smart Card users option is enabled.
      • If smart-card-enabled users need to be included, disable this option.
  4. Click Save to apply the changes.
    Figure 3: Modifying Advanced Settings in the password expiration notification scheduler to include smart card users.
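Cases 2, 3 and 5 are all per-user eligibility checks against Active Directory. The following added PowerShell diagnostic, which is not ADSelfService Plus code, runs them together for one account: it reports the mail and mobile attributes (Case 2), the user's OU and direct and nested group membership compared with the scheduler scope (Case 3), the enabled and smart-card flags behind the Advanced settings exclusions (Case 5), and the password expiry date Active Directory computes for the user. The account name, OU list and group list are assumptions; paste in the values selected in your scheduler.

```powershell
# Added diagnostic, not part of ADSelfService Plus. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$User          = 'jdoe'                                              # assumption: the affected account
$InScopeOUs    = @('OU=Staff,DC=corp,DC=example')                    # assumption: OUs selected in the scheduler
$InScopeGroups = @('CN=All-Employees,OU=Groups,DC=corp,DC=example')  # assumption: groups selected in the scheduler

$u = Get-ADUser -Identity $User -Properties mail, mobile, SmartcardLogonRequired, PasswordNeverExpires,
        MemberOf, 'msDS-UserPasswordExpiryTimeComputed'

# msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME: 0 = must change at next logon,
# Int64.MaxValue = never expires. Only a real date can be notified on.
$raw      = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
$expiry   = if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }
$daysLeft = if ($expiry) { [math]::Ceiling(($expiry - (Get-Date)).TotalDays) } else { $null }

# Case 2: the scheduler needs a populated mail (email) or mobile (SMS) attribute.
$hasMail   = -not [string]::IsNullOrWhiteSpace($u.mail)
$hasMobile = -not [string]::IsNullOrWhiteSpace($u.mobile)

# Case 3: strip the leading RDN (tolerating escaped commas in the CN) to get the parent OU,
# then resolve nested membership with LDAP_MATCHING_RULE_IN_CHAIN. The DN is escaped
# for use inside an LDAP filter (RFC 4515) before it is embedded.
$ou     = $u.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
$dnEsc  = $u.DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
$nested = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dnEsc)").DistinguishedName
$ouInScope    = @($InScopeOUs | Where-Object { $u.DistinguishedName -like "*,$_" }).Count -gt 0
$groupInScope = @($nested     | Where-Object { $InScopeGroups -contains $_ }).Count -gt 0

[pscustomobject]@{
    User                 = $u.SamAccountName
    OU                   = $ou
    OUInScope            = $ouInScope
    DirectGroups         = ($u.MemberOf -join '; ')
    GroupInScope         = $groupInScope              # true if any direct or nested group is in scope
    HasMail              = $hasMail
    HasMobile            = $hasMobile
    Enabled              = $u.Enabled                 # Case 5: "exclude disabled users"
    SmartcardRequired    = $u.SmartcardLogonRequired  # Case 5: "Exclude Smart Card users"
    PasswordNeverExpires = $u.PasswordNeverExpires
    PasswordExpires      = $expiry
    DaysUntilExpiry      = $daysLeft
} | Format-List
```

Run it on a domain-joined host as an account that can read the user and its groups. A user with OUInScope and GroupInScope both false, with neither HasMail nor HasMobile, disabled, or with a smart card required will not be notified under the corresponding scheduler settings; an empty PasswordExpires means there is no expiry date to notify on at all. Whether the scheduler's group scope resolves nested membership is not stated on this page, so if GroupInScope is true only through a nested group, add the direct group to the scope as well.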

Case 6: MSSQL-dump-related issue

Navigate to the Configuration tab. Under Self-Service, select Password Expiration Notification and locate the configured scheduler.

Normally, you would check the Last Run Report for errors. For an MSSQL dump issue, however, the report may appear empty, because the scheduler cannot write its results to the database when the database account lacks the required permissions.

To troubleshoot:

  1. Verify the database configuration in the database_params.conf file located in the <installation_directory>\conf directory.
  2. Determine the authentication mode:
    • SQL Authentication: The username specified in database_params.conf is used for database operations.
    • Windows Authentication: The account under which the ADSelfService Plus service runs is used to access the database.
  3. Ensure that this account holds the bulkadmin server role in Microsoft SQL Server. The role permits the BULK INSERT statement; without it, the bulk operations that load the dumped password data into the database fail, the expiry data is never written, and the notifications are not sent.
  4. If the role is missing, add the account to the bulkadmin server role in Microsoft SQL Server.

    Note: bulkadmin allows a login to run BULK INSERT, which reads files from the SQL Server host with the SQL Server service account's file permissions. Grant it only to the dedicated ADSelfService Plus database account, not to a shared login, and do not substitute sysadmin for it.
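The following added PowerShell check (not ADSelfService Plus code) asks SQL Server directly whether the account ADSelfService Plus connects with holds bulkadmin, and prints the exact grant statement if it does not. It connects with the current Windows session, which must be a sysadmin or otherwise permitted to inspect the login; the instance name and login are assumptions taken from where database_params.conf and the service's Log On As setting would supply them.

```powershell
# Added check, not part of ADSelfService Plus. Run as a SQL Server sysadmin.
$Instance = 'sql01\ADSSP'        # assumption: the instance named in database_params.conf
$Login    = 'CORP\svc_adssp'     # assumption: SQL-auth username from database_params.conf,
                                 # or the service's Log On As account for Windows auth

# Encrypt=True requires a server certificate the client trusts; relax it only in a lab.
$cs   = "Server=$Instance;Integrated Security=SSPI;Encrypt=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # IS_SRVROLEMEMBER: 1 = member, 0 = not a member, NULL = login or role not found,
    # or the caller lacks permission to inspect that login.
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('bulkadmin', @login)"
    [void]$cmd.Parameters.AddWithValue('@login', $Login)
    $result = $cmd.ExecuteScalar()
} finally { $conn.Close() }

switch ($result) {
    1       { "$Login holds bulkadmin on $Instance" }
    0       { "$Login exists but lacks bulkadmin. Fix: ALTER SERVER ROLE bulkadmin ADD MEMBER [$Login];" }
    default { "$Login was not found as a login on $Instance (NULL); create the login, then add it to bulkadmin" }
}
```

The login is passed as a parameter rather than interpolated into the query, so a login name containing quotes cannot alter the statement. After applying the ALTER SERVER ROLE statement, rerun the scheduler and confirm that the Last Run Report is populated again.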

Case 7: Retry option not enabled

If the retry option is not enabled, password expiration notifications that fail on the scheduled day will not be resent. Notification delivery may temporarily fail due to:

  • Brief network interruptions between ADSelfService Plus and the mail or SMS server
  • Temporary mail server unavailability
  • Short-lived DNS resolution issues
  • Active Directory replication delays (recent attribute updates not yet replicated across domain controllers)
  • Mail server restrictions (bulk mailers)

To ensure notifications are not missed due to temporary failures:

  1. Navigate to the Configuration tab. Under Self-Service, select Password Expiration Notification.
  2. Locate the configured scheduler and click Edit.
  3. In the configured scheduler, click the Advanced option.
  4. On the page that opens, locate the option Retry notification if scheduler fails to notify users on configured day and enable it by checking the box.
  5. Click Save to apply the changes.

    Enabling this option ensures that notifications that fail due to temporary environmental issues are retried during the next configured schedule, reducing the risk of missed password expiry alerts.

    Figure 4: Enabling the retry notification under Advanced settings in the password expiration notification scheduler.

Validation and confirmation

By following these steps, you can ensure the successful delivery of password expiration notifications. To validate delivery, send a test notification and check the delivery status in the Password/Account Expiry Notifications Delivery Report. To access the report, navigate to the Reports tab. Under Password Self-Service Report, select Password/Account Expiry Notifications Delivery Report.

How to reach support

For further assistance, contact our support team here.
