Users do not receive Password Expiration Reminder Emails
In this article we will review what to check if users are not receiving password expiration reminder emails from Specops Password Policy.
Password Expiration is handled exclusively by the Password Policy Sentinel installed on the domain controller holding the PDC Emulator role. If you are unsure which domain controller currently holds the PDC Emulator role, use the Active Directory PowerShell module from any domain controller. The following command will return the name of the domain controller we need to look at for password expiration.
get-addomain | select PDCEmulator
Password Policy 7.12
Inspect the Windows Application event log on the PDC emulator. There should be several events from source Specops Password Sentinel Service logged within the past 24 hours. Event ID 1073 indicates that user counting has started. Following that will be one or more events with event ID 1186. Check each one and identify the one with the message that begins with [PasswordExpiration]:
Password Policy 7.6 to 7.11
Note: Beginning with Password Policy 7.6, the user counting (periodic scanning) and password expiration email process has been moved to the Specops Password Sentinel Service on the PDC.
Inspect the Windows Application event log on the PDC emulator. There should be several events from source Specops Password Sentinel Service logged within the past 24 hours. Event ID 1073 indicates that user counting has started. Following that will be one or more events with event ID 1104. Check each one and identify the one with the message that begins with [PasswordExpiration]:
Password Policy 7.5 and Earlier
Inspect the Windows Application event log on the PDC emulator. There should be three events from source Specops Password Policy Sentinel with event IDs 100,106, and 107 within the past 24 hours:
Event ID 107 should include a count of the number of users affected by Specops Password Policy as well as the number of users whose passwords either expired or were within the threshold to issue expiration warning emails, e.g.:
All Versions
The default polling time is midnight local time. The time is also randomized slightly to avoid running exactly at midnight; it may have also been set to a custom polling time. Refer to this article for your particular version’s method: https://env-specopssoftcom-premstaging.kinsta.cloud/knowledge-base/specops-password-policy/user-counting-has-been-renamed-to-periodic-scanning/.
If no events are recorded, verify the Specops Password Sentinel Service on the PDC is started.
If the report indicates a lower number of expiration emails sent than expected, use Password Auditor to verify expected password expiration times.
If the report shows emails sent but some or all were not received, check the event logs on the PDC for additional errors/warnings. Also check the logs on your SMTP server.
If you do see Event ID 107,1104, or 1186, but the number of emails sent is 0 or if specific users do not receive emails:
- Double check your threshold for password expiration as well as when users passwords are actually set to expire. https://env-specopssoftcom-premstaging.kinsta.cloud/knowledge-base/specops-password-notification/understanding-active-directory-password-expiration-with-specops-password-policy/
- Check for additional events logged by Specops in the Windows application event log that might indicate an issue with email delivery
- Double check your mail server configuration and logs for any issues with mail delivery