Password Expire Message

Trying to get a message to the end user when the password is about to expire, via a BigFix action and the message option, but the message is not showing.

Is there any other way?

// Enter your action script here
//parameter "days"="{{preceding text of first "," of (((maximum password age of security database) - (password age of users of logged on users)) as string)}"
//{name of logged on user whose (active of it = True)}
delete __createfile
delete c:\temp\pass_days.html

createfile until eof

Your password will expire in {name of drive of windows folder} {{maximum password age of security database}

{name of logged on user whose (active of it = True)} days. Please change your password.



OK
eof

copy __createfile c:\temp\pass_days.html

delete __createfile
delete c:\temp\pass_expire.bat

createfile until eof1
start file:///C:/Temp/pass_days.html
eof1
copy __createfile c:\temp\pass_expire.bat

override wait
hidden=true
completion=job
RunAs=currentuser
wait c:\temp\pass_expire.bat

So off the top of my head, the issue may be due to one of two reasons (or both):

  1. Launching a Windows application that needs to interact with the desktop (i.e. display a Windows application GUI) requires that the process that starts the application has the "interact with desktop" permission, which BESClient.exe does not have out-of-the-box (at least that was the case in the past, but may not hold true anymore). Enabling this capability does introduce a potential security risk and is in general considered against best practices. This is the reason there is a BESClientUI.exe process in addition to BESClient.exe.

  2. The start command may not be able to identify the correct application to spawn based upon the provided argument. You may need to provide the entire command line to open a web browser (like IE) and have it open the HTML file. This in itself may be an issue, as some security policies prevent browsers from opening local files, or treat local files as downloads and prompt the user to download the file instead of displaying the contents (I have seen multiple variations on this).

With the override for ‘runas=currentuser’ the batch should execute in the user’s context.

However it will still be hidden because of the override for ‘hidden=true’. That should be set to False.

Hi, the script runs fine, but it does not print the number of days left until the password expires.

// Enter your action script here
//parameter "days"="{{preceding text of first "," of (((maximum password age of security database) - (password age of users of logged on users)) as string)}"
//{name of logged on user whose (active of it = True)}
delete __createfile
delete c:\temp\pass_days.html

createfile until eof

Your password will expire in {name of drive of windows folder} {{maximum password age of security database}

{name of logged on user whose (active of it = True)} days. Please change your password.



OK
eof

copy __createfile c:\temp\pass_days.html

delete __createfile
delete c:\temp\pass_expire.bat

createfile until eof1
start file:///C:/Temp/pass_days.html
eof1
copy __createfile c:\temp\pass_expire.bat

override wait
hidden=false
completion=job
RunAs=currentuser
wait c:\temp\pass_expire.bat

You have a double {{.

Without the {{ on the password relevance, it throws a substitution error? Not sure why it doesn't for the other commands :frowning:

{name of drive of windows folder}
{maximum password age of security database}
{{maximum password age of security database - password age of users of logged on users}
{name of logged on user whose (active of it = True)} days. Please change your password.

For this, might I suggest not reinventing the wheel as a better solution?

Microsoft provides a GPO setting that will do this natively. The setting is “Interactive Logon: Prompt user to change password before expiration”

Upon logging in, the user will see a popup similar to this:
(screenshot omitted)

If you don't want to configure this using a GPO, you can do the same via a registry key (start prompting the user 5 days out):

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]" "PasswordExpiryWarning"=dword:00000005


I think your substitution error in

{maximum password age of security database - password age of users of logged on users}

is because you are attempting to subtract a plural from a singular.


try:

exists logged on user whose (maximum password age of security database - password age of it / day > 50)

q:exists logged on user whose (maximum password age of security database - password age of it / day > 50)
E: The operator "password age" is not defined.

q:(maximum password age of security database - password age of user of logged on user) / day > 100
A: False
T: 0.025 ms

q:(maximum password age of security database - password age of user of logged on user)
A: 53 days, 07:51:55
T: 0.020 ms

q:(exists logged on user whose (maximum password age of security database - password age of user of it)) / day > 50
E: A boolean expression is required.

I think the comparison is the wrong way round: the message would be fired when the password age was low, not high.

Also, on machines with multiple logged-on users, any one of them with an aging password would cause "innocent" users to get the message.

This just has the feel of trying to get BigFix to do something that the OS should already provide. Domain-attached Windows boxes certainly have this facility (as @Mike references).

I seem to have missed an object in my string and a set of parenthesis.

q: exists logged on user whose ((maximum password age of security database - password age of user of it )/ day < 5)
A: False
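The same per-user check done on the OS side, as an added example that is not part of the thread's own scripts. It mirrors the corrected relevance above (days left below a threshold, evaluated per user rather than for any logged-on user) and handles the never-expires case that the relevance does not. It assumes local accounts queried through Get-LocalUser; the 5-day threshold and the function name are hypothetical.

```powershell
# Added example (not from the original post). Per-user days-until-expiry check for
# enabled local accounts. Assumptions: local accounts via Get-LocalUser; the warning
# threshold (5 days) and function name are hypothetical.
function Get-PasswordExpiryWarnings {
    param([int]$WarnDays = 5)

    $now = Get-Date
    foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
        # PasswordExpires is $null when the password is set to never expire;
        # there is nothing to warn about in that case.
        if (-not $u.PasswordExpires) { continue }

        $daysLeft = [math]::Floor(($u.PasswordExpires - $now).TotalDays)

        # Fire when the remaining time is LOW (days left < threshold), and only for
        # the user whose password is aging, not for everyone logged on to the box.
        if ($daysLeft -lt $WarnDays) {
            [pscustomobject]@{
                User     = $u.Name
                DaysLeft = $daysLeft
                Message  = "Your password will expire in $daysLeft day(s). Please change your password."
            }
        }
    }
}

# Usage: list the users that should be warned today.
Get-PasswordExpiryWarnings -WarnDays 5 | Format-Table -AutoSize
```

Run it in the user's own session (for example from a logon script or a task that runs as the interactive user) so the message reaches the right desktop; that is the same context problem the RunAs=currentuser override was solving in the action script, and the reason the GPO setting "Interactive Logon: Prompt user to change password before expiration" is the simpler route.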