Have you ever wondered how many users in your environment have passwords that are about to expire? Wouldn’t it be nice if you could have an automated report sent to your inbox about user account activity? Can you help reduce the number of calls to the help desk or remind users that they only have so many days to change their password? Expiring passwords for road warriors, remote office and SOHO users are a problem that all IT organizations face. SysOp Tools has released a product to help alleviate this problem. Enter Password Reminder Pro.
This tool is one of three from SysOp Tools and at this time is their oldest product. Alpha’d in September 2006, this product has quickly moved through the beta testers and into production.
Setup
Product setup could not be any simpler. One of the best things I like about the setup requirements is that this program does not have to run on a server. This is particularly useful in smaller environments where servers are not always plentiful and more administration-type tools are run from the desktop. In larger corporations, it may be necessary for this to run on server-class hardware, especially if help desk, LAN administrators, and security auditors use the reporting data.
Listed below are the installation requirements:
Installation and use of Password Reminder PRO requires the following:
- Software can be run under Microsoft Windows 2000, XP, Server 2000 or Server 2003
- Exported Reporting Console data requires Excel 2003 or later, or other xml-capable spreadsheet program
- Microsoft Windows Active Directory 2000 or 2003 Domain Containing User Account Objects
- Microsoft .NET Framework v1.1 and SP1 Must Be Installed Prior to Running Password Reminder PRO
- Available internal SMTP Mail-Host Relay (We Recommend Microsoft Exchange)
- Mail-enabled Domain User Accounts (AD User Account That Has a Functioning Email Address)
- Established Domain User Account Password Expiration Policy at the Domain Root Level
- Admin and Test Consoles Must be Run Under Context of Logged On User With At Least Read Access to AD and LDAP
- Reminder Service Must be Run Under a Domain Service Account With Access to AD and LDAP
- Valid Password Reminder PRO License Key for your specific Active Directory domain that hosts your user accounts
- Microsoft IIS and SMTP services are NOT REQUIRED to run Password Reminder PRO!
Installation is a breeze: it uses the standard InstallShield Wizard and takes only a few minutes. Once the install is complete, open the service control manager, look for the Password Reminder Pro service and open its properties. According to the setup documentation, “Specify a domain account that has rights to read from your Domain Controllers’ AD and LDAP. If you are not sure, use an account that is part of the Domain Administrators AD group. Make sure the account has been granted domain rights to ‘Log on as a Service’”. I would have to disagree with the above listed statement. Unless the AD objects have had their read attributes restricted, any account should be able to provide the necessary service. However, as a best practice, a dedicated service account should be created to perform this task. It will need the right to log on as a service, but should be denied any other logon rights.
Post Setup
Now that we have the software installed, we need to fire it up and see what it does. There will be a Password Reminder Pro application shortcut on your desktop. Double-click that and the application will open.
This is the main screen for the application. Do not be fooled by its simplistic nature. The beauty of this is that it is simple and quick to configure. The Admin Mailbox Address can be a mailbox name, a mail-enabled distribution list, or your mail-enabled public folder. The three sections for messages refer to the actual message that the end users will see. The messages that you configure here are what will end up in every user’s inbox. The default message is pretty simple and will work for some organizations. The PW Expiration value needs to match the password policy set in AD at the domain level. If this value does not correspond to what is in AD, the reports and emails sent to users will be incorrect.
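The dependency between the PW Expiration setting and the domain policy can be checked offline. The following is an added example, not part of the original review or of Password Reminder PRO: it compares the reminders a domain's real `maxPwdAge` would produce with those produced by a mismatched configured value. The 14-day reminder window, the sample accounts and the handling of disabled and must-change accounts are assumptions; `pwdLastSet`, `maxPwdAge` and the `userAccountControl` flags are standard AD attributes.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2             # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl: password never expires
TICKS_PER_DAY = 86400 * 10_000_000  # AD time values count 100-ns ticks

def to_filetime(dt):
    """Build a pwdLastSet value (only needed for the constructed samples)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def max_pwd_age_days(raw):
    """Domain maxPwdAge is a negative tick interval; 0 or INT64_MIN = never."""
    return None if raw in (0, -2**63) else abs(raw) // TICKS_PER_DAY

def days_remaining(user, policy_days, now):
    """Whole days until expiry, or None if the account gets no reminder."""
    exempt = UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD  # assumption: skipped
    if policy_days is None or user["userAccountControl"] & exempt:
        return None
    if user["pwdLastSet"] == 0:      # "must change password at next logon"
        return 0
    last_set = FILETIME_EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    return (last_set + timedelta(days=policy_days) - now).days

def audit(users, raw_max_pwd_age, configured_days, now, remind_within=14):
    """Compare reminders under the real AD policy with the configured value."""
    ad_days = max_pwd_age_days(raw_max_pwd_age)
    rows = []
    for u in users:
        actual = days_remaining(u, ad_days, now)
        shown = days_remaining(u, configured_days, now)
        due = actual is not None and actual <= remind_within
        sent = shown is not None and shown <= remind_within
        status = "ok" if due == sent else ("missed" if due else "false-alert")
        rows.append((u["sAMAccountName"], actual, shown, status))
    return rows

# Constructed sample data: the domain policy is 42 days.
NOW = datetime(2007, 7, 29, tzinfo=timezone.utc)
AD_MAX_PWD_AGE = -42 * TICKS_PER_DAY
SAMPLE_USERS = [
    {"sAMAccountName": n, "userAccountControl": uac,
     "pwdLastSet": to_filetime(NOW - timedelta(days=age)) if age else 0}
    for n, uac, age in [("alice", 0x200, 39), ("bob", 0x200, 4),
                        ("dave", 0x200, 20), ("svc_backup", 0x10200, 400),
                        ("carol", 0x200, None)]]

if __name__ == "__main__":
    for row in audit(SAMPLE_USERS, AD_MAX_PWD_AGE, 90, NOW):  # tool set to 90
        print(row)
```

With the tool set to 90 days against a 42-day policy, the account three days from expiry receives no reminder; set too low, the tool sends reminders that are not yet due.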
Licensing
The software needs a unique license in order to run. Each license key is tied to a specific domain. Licensing is also tied to the number of user objects that have expiring passwords in the domain. One of the report functions shows how many licensed vs. unlicensed users there are. There is also a standalone application that will tell you how many users are licensed. Below are some questions I sent to my contact at SysOp.
Q::How will this work in a multidomain environment? If I have users in foo.bar and in more.foo.bar and the product is installed in foo.bar, will it be able to send password reminders to the child domains?
A:: Good questions- We have some of this covered in the online help guide:
PRP works with the root domain password change policy set in AD for each domain or sub domain. Presently, PRP can only work with one root domain password change policy at a time since each domain and sub domain have their own root policies set, and the license key used in PRP is generated for and locked to the specific domain name or sub domain name. You would therefore need to install one instance of PRP in each domain or sub domain that contains user account objects that you would like to send expiring password reminders to, and have a valid license key for each domain / sub domain. As far as licensing goes, if you have your users spread between the root domain foo.com and a couple of sub domains (east.foo.com and west.foo.com), we would only need to know the number of password expiring user accounts for each domain / sub domain, and we would issue you 1 license key for each of these three LDAP domains. You could set the daily admin summary email for all three instances of PRP to be delivered to the same admin mailbox.
Q:: If I have an empty root forest but have multiple populated child domains, do you install it (PRP) in the root, or in each child domain?
A:: PRP must be installed in the specific domain (foo.com) or sub domain (users.foo.com) that contains your user account objects.
Q:: Is there a way/plan for this to work with trusts? I work in a managed service provider where some of the clients have a one way trust with us so we can manage their domains. It would be easier for an MSP to have this installed in their AD and be able to point it to additional ADs as needed.
A:: Yes, this will work with Trusts- In this situation you would install PRP in the trusting / managed domain and set PRP in accordance with their domain root change password policy. I see your point from an MSP / ASP perspective with installing all instances of PRP in one AD and pointing individual password reminder instances to each managed domain and separate root domain's password change policy. At this point it is not possible to use PRP in this manner and will take some serious work to try and make this happen, due again to the individual nature of each domain's root policy settings.
Reports
Everyone loves reports. The reports that ship with the product are solid. Within the application you can see Licensed Users, New/Unused Accounts, Expiring Passwords, Inactive Users, Unlicensed Users, Miscellaneous & Disabled accounts. These reports can also be exported to Excel for additional manipulation.
The password application log is also sent to the administrator every day so the admin knows who is going to call them in the morning about expired passwords. For a help desk manager or even the security administrator, the reporting functions help ease the administration of user accounts.
Email
Not all users are excited to change their passwords. Most wait till the last day before the password expires. More often than not, they will tell you that they just changed it, or that no one told them their password was going to expire. Fear not. Password Reminder Pro will email users to remind them up to 3 times that their password is going to expire. The body of the email is completely customizable so instructions on how to perform a password change, or the number to the help desk can be added in order to improve the end user experience. Personally I think that this is a great feature. Not everyone pays attention to when their passwords are going to expire, and road warriors typically do not want to spend the energy to remember such things.
Summary
I think it is a good product that fills a particular niche. The features that this application offers are valuable compared to the minimal amount of hardware, configuration and training that would need to be done. Other products on the market that provide the same type of service are rolled into an enterprise wide compliance or monitoring solution and that is too much software for too little return. I wouldn’t be surprised if Microsoft did not try to buy this or to come up with something similar and incorporate it into an R2 release or a System Center report pack. If user management, auditing, or help desk is one of your areas of responsibility, you should definitely give this product a shot.
A few notes from the Password Reminder PRO staff:
- Scalability: Presently, Password Reminder PRO has the only reminder engine capable of sending safe (no false alerts or spam) and reliable expiring password reminders regardless of AD setup or mail system used, and can function reliably in directories of over 20,000+ password expiring AD user objects.
- Mail-friendly: Our reminder email engine is 100% RFC compliant, mail-server friendly and will not overload your mail server's queue with reminder emails.
- Text or HTML: In addition, for organizations that do not support HTML email (Government, etc), our software has an advanced feature that allows you to send the expiration reminder emails in plain-text mime-type. And, the text-mode reminder emails sent to users still retain their dynamic fields for user’s name and number of days remaining!
- Ease-of-use: Password Reminder PRO is a set-it-and-forget-it program that any admin regardless of technical expertise can operate and maintain. We've done all the heavy lifting for you.
- Cost: With all of the wonderful features and reliability built in to Password Reminder PRO, we've tried very hard to maintain a low price point and keep ROI very high. Most Enterprise Software suites run in the range of $6 to $8 per user, plus a base software fee. The cost breakdown of Password Reminder PRO is a base software fee plus about $1 per user. We cap our licensing at 2500 users for a single domain, which further reduces the cost-per-user substantially for very large organizations.
Posted Sun, Jul 29 2007 9:33 PM by bkeane