FIM: Send Password Expiration Notifications

Published on Sunday, October 10, 2010 in ,

Recently someone asked on the TechNet forums if FIM was capable of sending notifications when someone’s password was about to expire. Brian Desmond replied with a short overview of the necessary steps, and I thought Id just try it out. Below is a step by step guide, feel free to comment and suggest improvements.

[Update2] Brad took the time to write a nice wiki article regarding this topic. I definitely advise you to read it as it’s way more complete and explained very thoroughly.

[Update] Jorge responded in the thread on the TechNet forums and made a good remark: this scenario is only 100% reliable when the DFL is 2003 are lower. It will work in a 2008 or higher DFL, but then you’re potentially facing Fine-Grained Password policies, which make this stuff more complex, but not undoable. Stay tuned for a solution to tackle this problem!

  1. Create a new MV attribute for the Person object
    • Attribute name: pwdLastSet
    • Atttribute type: String (indexable)
  2. Create a new attribute in the FIM Portal Schema
    • Administration –> Schema Management –> All Attributes –> New
    • System name: pwdLastSet
    • Display name: Password Last Set Date
    • Data type: Datetime
    • Finish –> Submit
  3. Create a new binding for the attribute
    • Administration –> Schema Management –> All Bindings –> New
    • Resource Type: User
    • Attribute Type: Password Last Set Date
    • Finish –> Submit
  4. Update Synchronization Engine MPR
    • Management Policy Rules –> Search for “Synchronization: Synchronization account controls users it synchronizes
    • Click it –> choose Target resources tab
    • Click the browse button next to the “Select Specific Attributes”
    • Search for “Password Last Set Date” and select it
    • Ok –> Ok –> Submit
  5. Update the Administrator MPR
    • Management Policy Rules –> Search for “Administration: Administrators can read and update Users
    • Click it –> choose Target resources tab
    • Click the browse button next to the “Select Specific Attributes”
    • Search for “Password Last Set Date” and select it
    • Ok –> Ok –> Submit
  6. Update Administrator filter permissions
    • Administration –> Filter Permissions –> Administrator filter permissions
    • Permitted filter permissions
    • Click the browse button next to the Allowed Attributes
    • Search for “Password Last Set Date” and select it
    • Ok –> Ok –> Submit
  7. Refresh the FIM Service MA schema
    • In the Synchronization Manager: right click the FIM MA and choose refresh schema
  8. Configure the FIM Service MA to flow pwdLastSet
    • Double click the FIM MA and choose Select Attributes
    • Select pwdLastSet
    • Now choose Configure Attribute Flow
    • Create an export flow for the Person Object Type: pwdLastSet (FIM)– pwdLastSet (MV) (Export, allow null)
  9. Create a rules extension (custom Import Attribute Flow) for the AD MA:
    • The code:

      Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
              Select Case FlowRuleName
                  Case "IAFupdatePwdLastSet"
                      If (csentry("pwdLastSet").IsPresent) Then               
                      If (csentry("pwdLastSet").Value <> "0") Then
                          Dim dtFileTimeUTC As DateTime = DateTime.FromFileTimeUtc(csentry("pwdLastSet").IntegerValue)
                          mventry("pwdLastSet").Value = dtFileTimeUTC.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'")
                      End If
                    End If
                   Case Else
                      Throw New EntryPointNotImplementedException()
              End Select
          End Sub

    • A screenshot: 
  10. Configure the AD MA to flow pwdLastSet
    • Double click the AD MA and choose Select Attributes
    • Select pwdLastSet
    • Now choose Configure Attribute Flow
    • Create an advanced import flow for the Person Object Type: pwdLastSet (AD) – pwdLastSet (MV), extension: IAFupdatePwdLastSet
  11. Create a set in the Portal which will hold all accounts having a password which will expire in 5 days
    • Sets –> New
    • Name: Demo Password Expires in 5 days
    • Enable criteria-based membership in current set
    • Select user that match all of the following conditions:
    • Password Last Set Date prior to 55 days ago
      (in my example passwords must be changed every 60 days, and I want to warn them 5 days ahead, it’s just an example)
    • Finish –> Submit
  12. Create an email template for the notification
    • Administration –> Email Template –> New
    • Name: Password Expiration Notification
    • Subject: Password for [//Target/AccountName] will expire in 5 days
    • Body:

      The password for your Account ([//Target/Domain]\[//Target/AccountName]) will expire in 5 days.
      You can reset the password in the option panel of the webmail (https://webmail.demo.local)

  13. Create a workflow to send the notification
    • Workflows –> New
    • Workflow Name: Demo Password Expiration Notification
    • Workflow Type: Action
    • Activities: select notification
    • Recipients: click lookup, select target and click ok. It should fill in [//Target] for you
    • Email Template: Password Expiration Notification
    • Save –> Finish –> Submit
  14. Create an MPR to trigger the notification
    • Management Policy Rules –> New
    • Display Name: DEMO Password Expiration Notification
    • Type: Set Transition
    • Transition Definition:
    • Transition Set: Demo Password Expires in 5 days
    • Transition Type: Transition In
    • Select the workflow we just created (Demo Password Expiration Notification)

Whenever the password will expire in 5 days, the user should get an email like the example below:


About the datetime data type in the FIM Portal: Contributing datetime values to the FIM Portal

Related Posts

20 Response to FIM: Send Password Expiration Notifications

09 December, 2010 14:15

Is it requried to be added the pswdlastset attribute in Inbound sync rule?
when I am trying to add it in Inbound Sync rule getting error "the type of pwdLastSet(Integer) is not compatible with type of pwdLastSet(string)"
Can you pls help with this error? Thanks in advance

09 December, 2010 17:59

Hey Anand,

The mapping of pwdLastSet(Integer,AD) to pwdLastSet(String,Metaverse) is handled by the rules extension code (step 9 and 10). It cannot be handled by a regular one to one inmport attribute flow (IAF).


10 December, 2010 15:52

Thanks Thomas for quick reply.
Actually I was missing step no 8 Configure the FIM Service MA to flow pwdLastSet . After configuring FIM MA with this att flow everyhting is working fine as expected.
Thanks once again for nice article & help.

14 December, 2010 20:01

I can choose //Target in the email notification section, but I cannot choose another user or their email address. Do you know why?

14 December, 2010 21:15

I'm not sure you can add real emailaddresses there (user@domain.com). But you can add multiple users for sure.

I just retried it, either you split them with a ";" and resolve them using the green check mark. Or use the "lookup" or "browse" button. You can mix stuff like "//target" with regular users in the portal.

Does that answer your question? Or can you provide some more explanation as to what is going wrong?

25 January, 2011 14:03

Hello Thomas
One more query. I have few users (mostly service account) where password never expire is set. Those account are also part of this set & email will get trigger for those acocunts as well.

Can we avoid this? One option is that do not sync such accounts to FIM, but I don't want to use that option.

Pls advice..Thanks in advance

Anand K

31 January, 2011 10:31

found this article on how to filter accounts which have set for password never expire


But I am not clear on "Extract the ADS_UF_DONT_EXPIRE_PASSWD bit from userAccountControl and contribute to the FIM Service "

31 January, 2011 19:52


Sorry for the late reply, I've been quit busy lately.

Just like I provided some custom code in step 9 of this article, Brad provides some code to extract the ADS_UF_DONT_EXPIRE_PASSWD from the userAccountControl attribute.

In fact you can copy paste Brad's code in the same method (MapAttributesForImport) as a new case. All you have to do then is update your AD MA to callt his rule extension. And eventually make sure you flow your extracted value from the MV to the Portal using the FIM MA.

Hope that clears up the fog a bit.

11 February, 2011 06:46

I m still struggling with code given by Brad. Not able to build dll out of it. I don't know what I am missing in this code. Cretad a project in VB & Copy/Paste this entire code under Public Sub MapAttributesForImport in ADPSWDNOEXPIRE.vb file. But it is giving me few errors like " String is class type & can not be used as Expression" "Long is a type & can not be used as Expression". '.'expected.

I am not very much comfortable with coding, so if anybody pls explain or smiplify it further will be of great help..

12 February, 2011 22:26


My code is writting in vb.net. The code Brad used is in c#. You'll have to determine what you are using right now and do the conversion.

First hit in google: http://www.harding.edu/fmccown/vbnet_csharp_comparison.html

08 April, 2011 07:48

Thanks for update.. I was busy with some other things so could not check this.

code part is now clear. But now Password never expire attribute is not there in AD MA. I think it is part of user account control attribute..

so how to advance impor flow for this in AD MA? Or we have to choose useraccount control attribute..?

10 April, 2011 22:02

Hey Anand,

I don't have a solution right now on the shelf. But as you are saying "password never exire" can be derived from the UserAccountControl attribute (check: How to use the UserAccountControl flags to manipulate user account properties).

It should be more or less equivalent to enabling/disabling an account. Which can be done using codeless rules from within the portal. or if you like using a rules extesion code project.

Good luck!
Kind regards,

14 April, 2011 13:10

Hello Thomas
Thanks for your reply. I figure out that useraccountcontrol attribute needs to be used.

Some how I am manged to complie this code. But now facing one issue while doing AD MA sync it is giving error

"Microsoft.MetadirectoryServices.EntryPointNotImplementedException: Error in the application.

at Mms_ManagementAgent_ADPwdDoesNotExpire.MAExtensionObject.Microsoft.MetadirectoryServices.IMASynchronization.MapAttributesForImport(String FlowRuleName, CSEntry csentry, MVEntry mventry)"

What will be the flow rule name which needs to be passed in import flow? right now I am giving it as GetUACBit:

Have you tried this in test bed? are you able to get desired output..?

Pls reply..thanks in advance..

08 May, 2011 17:24

In the example (this blogpost) I have a custom rules extension which is defined below the "case IAFUpdatePwdLastSet" statement.

In your MA you can create a new import flow, but you should select the "advanced" bullet. Then you'll be prompted to provide a text which determines your advanced rule. In the above example that would be "IAFUpdatePwdLastSet".

I really suggest you post your issues to http://social.technet.microsoft.com/Forums/en-US/ilm2/threads/ as there are a lot of skilled people present which are willing to help in a timeframe which is better than you are getting here...

01 August, 2013 18:10

This blog might help you, it addresses the topic of creating a generic email template for email notification activities


28 August, 2014 11:36

Not clear on point no.9.Create a rules extension (custom Import Attribute Flow) for the AD MA:
Can you provide detailed steps to complete this task.?

20 September, 2014 09:33

A bit late, sorry, but here's more detail: http://technet.microsoft.com/en-us/library/jj853089(v=ws.10).aspx

22 August, 2017 12:25

i have tried shared solution but workflow stuck with PostProcessing.

22 August, 2017 12:28

WorkflowInstance 'd5fcebda-1d97-41e8-a1eb-84890f860108' could not send mail message in activity 'authenticationGateActivity1'. Scheduling to retry in 6 hours.

System.Web.Services: System.Net.WebException: The request failed with HTTP status 404: Not Found.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.CreateItem(CreateItemType CreateItem1)
at Microsoft.ResourceManagement.Mail.ExchangeProxy.ExecuteCreateItem(CreateItemType request)
at Microsoft.ResourceManagement.Mail.ExchangeServer.SendNotification(NotificationMessage message)
at Microsoft.ResourceManagement.Mail.NotificationMessage.Send(Int32 timeoutInMilliseconds)
at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.SendMailMessage(MessageContent messageContent, Int32 timeoutInMilliseconds)
at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.ProcessWorkItem(WorkItem workItem)

22 August, 2017 16:36

Hey I'm sorry but it's been a while since I worked on this. I believe you might be getting better help over at the TechNet forums.

Add Your Comment