I’d like to ask if there are any manuals or guidelines available in n8n for setting up notifications related to Active Directory password expiration. Specifically, I’m looking for a way to notify users when their passwords are about to expire or have already expired.
Is there any existing workflow, documentation, or best practice that can guide me in implementing this?
Hey! I'll second that there isn't any specific template or anything step-by-step, but the general setup is something like this:
Schedule Trigger: run daily.
LDAP node: Search for enabled users; select attributes msDS-UserPasswordExpiryTimeComputed, pwdLastSet, userAccountControl; optionally read maxPwdAge from the domain object.
Code node: compute days remaining and filter expiring/expired users
Send Email node: personalized notices to each user
And here’s a quick run-through of LDAP AD vs Azure AD (note: general guide, haven’t tested myself):
On-prem AD
Use n8n’s LDAP node to read either msDS-UserPasswordExpiryTimeComputed (direct expiry timestamp) or compute expiry from pwdLastSet plus the domain’s maxPwdAge.
msDS-UserPasswordExpiryTimeComputed is constructed (not stored) and can return “never expires” when appropriate flags are set; query a domain controller (not the Global Catalog) to retrieve it reliably.
If msDS-UserPasswordExpiryTimeComputed isn’t available, compute expiration: expiry = pwdLastSet + Effective/MaximumPasswordAge, using maxPwdAge from the domain root; both pwdLastSet and maxPwdAge are standard AD attributes.
Schedule the workflow with Schedule Trigger and send notifications with Send Email (or another channel) after filtering users whose expiration is within N days.
Entra ID (Azure AD) via Microsoft Graph
Graph exposes lastPasswordChangeDateTime for users; the API does not return a direct “expiry date,” so compute expiration from lastPasswordChangeDateTime plus the tenant’s password-expiration policy.
Exclude users set to never expire by checking PasswordPolicies for DisablePasswordExpiration.
Organizational password-expiration settings are managed via legacy MSOnline cmdlets or indirectly through Graph/domain data; there is no single Graph endpoint that returns a computed expiry date per user.
Implement in n8n with an HTTP Request node using OAuth2 to call Microsoft Graph and select userPrincipalName, passwordPolicies, and lastPasswordChangeDateTime; then compute days remaining and notify via email.
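The expiry math behind both halves of that answer (on-prem LDAP attributes and Graph's lastPasswordChangeDateTime) in one piece of working code, as an added example that is not part of the original post and not n8n's or Microsoft's own code. It is written the way you would drop it into an n8n Code node. Assumptions: the input objects carry the attribute names the LDAP node and Graph return (pwdLastSet and maxPwdAge as decimal strings of 100 ns FILETIME ticks, the computed attribute the same way, lastPasswordChangeDateTime as ISO 8601); the Entra tenant's password validity period is 90 days (there is no Graph field for it, so it is passed in); the user records and the fixed "now" are constructed sample data. The never-expires checks use the documented values: userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD), the computed attribute returning 0x7FFFFFFFFFFFFFFF, a domain maxPwdAge of 0 or 0x8000000000000000, and DisablePasswordExpiration in passwordPolicies.

```javascript
// Added example for an n8n Code node; not from the post, n8n or Microsoft.
const FILETIME_UNIX_EPOCH = 116444736000000000n;  // 100 ns ticks from 1601-01-01 to 1970-01-01
const FILETIME_NEVER = 9223372036854775807n;      // 0x7FFFFFFFFFFFFFFF from msDS-UserPasswordExpiryTimeComputed
const MAXPWDAGE_NEVER = -9223372036854775808n;    // 0x8000000000000000: domain has expiration disabled
const UF_DONT_EXPIRE_PASSWD = 0x10000;            // userAccountControl bit
const MS_PER_DAY = 86400000;

// FILETIME values exceed 2^53, so convert with BigInt before dropping to Number milliseconds.
function filetimeToMs(ft) {
  return Number((BigInt(ft) - FILETIME_UNIX_EPOCH) / 10000n);
}
function msToFiletime(ms) {                        // only used to build the constructed sample data
  return (BigInt(ms) * 10000n + FILETIME_UNIX_EPOCH).toString();
}

// On-prem AD: prefer the constructed attribute, fall back to pwdLastSet + |maxPwdAge|.
// Returns { kind: 'never' | 'mustChange' | 'at', ms? }.
function adExpiry(user, maxPwdAge) {
  if (Number(user.userAccountControl || 0) & UF_DONT_EXPIRE_PASSWD) return { kind: 'never' };
  if (user.pwdLastSet !== undefined && BigInt(user.pwdLastSet) === 0n) {
    return { kind: 'mustChange' };                 // pwdLastSet = 0: "must change password at next logon"
  }
  const computed = user['msDS-UserPasswordExpiryTimeComputed'];
  if (computed !== undefined && computed !== null && computed !== '') {
    const t = BigInt(computed);
    if (t >= FILETIME_NEVER) return { kind: 'never' };
    return { kind: 'at', ms: filetimeToMs(t) };
  }
  const age = BigInt(maxPwdAge);                   // AD stores maxPwdAge as a negative 100 ns interval
  if (age === 0n || age === MAXPWDAGE_NEVER) return { kind: 'never' };
  return { kind: 'at', ms: filetimeToMs(BigInt(user.pwdLastSet) - age) };
}

// Entra ID via Graph: no expiry field, so add the tenant validity period (assumed, passed in) to the last change.
function graphExpiry(user, maxAgeDays) {
  const policies = String(user.passwordPolicies || '').split(',').map(p => p.trim());
  if (policies.includes('DisablePasswordExpiration')) return { kind: 'never' };
  if (!user.lastPasswordChangeDateTime) return { kind: 'unknown' };
  return { kind: 'at', ms: Date.parse(user.lastPasswordChangeDateTime) + maxAgeDays * MS_PER_DAY };
}

// Turn an expiry into a notification decision; warnDays is the "within N days" window.
function classify(expiry, nowMs, warnDays) {
  if (expiry.kind === 'mustChange') return { status: 'mustChange', daysRemaining: 0, expiresAt: null };
  if (expiry.kind !== 'at') return { status: expiry.kind, daysRemaining: null, expiresAt: null };
  const daysRemaining = Math.floor((expiry.ms - nowMs) / MS_PER_DAY);
  const status = expiry.ms <= nowMs ? 'expired' : daysRemaining <= warnDays ? 'expiring' : 'ok';
  return { status, daysRemaining, expiresAt: new Date(expiry.ms).toISOString() };
}

// Merge both sources and keep only the users who need a notice.
function usersToNotify(adUsers, maxPwdAge, graphUsers, maxAgeDays, nowMs, warnDays = 14) {
  const rows = [
    ...adUsers.map(u => ({ source: 'ad', upn: u.userPrincipalName, mail: u.mail,
      ...classify(adExpiry(u, maxPwdAge), nowMs, warnDays) })),
    ...graphUsers.map(u => ({ source: 'entra', upn: u.userPrincipalName, mail: u.mail,
      ...classify(graphExpiry(u, maxAgeDays), nowMs, warnDays) })),
  ];
  return rows.filter(r => ['expiring', 'expired', 'mustChange'].includes(r.status));
}

// Constructed sample data (not real directory output); a fixed "now" keeps the run reproducible.
const NOW = Date.UTC(2024, 0, 15);
const MAX_PWD_AGE_90D = '-77760000000000';        // 90 days as a negative 100 ns interval
const SAMPLE_AD_USERS = [
  { userPrincipalName: 'alice@corp.example', mail: 'alice@corp.example', userAccountControl: '512',
    pwdLastSet: msToFiletime(NOW - 85 * MS_PER_DAY),
    'msDS-UserPasswordExpiryTimeComputed': msToFiletime(NOW + 5 * MS_PER_DAY) },
  { userPrincipalName: 'bob@corp.example', mail: 'bob@corp.example', userAccountControl: '512',
    pwdLastSet: msToFiletime(NOW - 100 * MS_PER_DAY) },            // computed attribute absent (e.g. GC query)
  { userPrincipalName: 'carol@corp.example', mail: 'carol@corp.example', userAccountControl: '66048',
    pwdLastSet: msToFiletime(NOW - 400 * MS_PER_DAY) },            // 0x10200: DONT_EXPIRE_PASSWD set
  { userPrincipalName: 'dave@corp.example', mail: 'dave@corp.example', userAccountControl: '512',
    pwdLastSet: msToFiletime(NOW - 30 * MS_PER_DAY) },
  { userPrincipalName: 'erin@corp.example', mail: 'erin@corp.example', userAccountControl: '512',
    pwdLastSet: '0' },                                              // must change at next logon
];
const SAMPLE_GRAPH_USERS = [
  { userPrincipalName: 'frank@corp.example', mail: 'frank@corp.example', passwordPolicies: null,
    lastPasswordChangeDateTime: '2023-10-20T00:00:00Z' },
  { userPrincipalName: 'grace@corp.example', mail: 'grace@corp.example',
    passwordPolicies: 'DisableStrongPassword, DisablePasswordExpiration',
    lastPasswordChangeDateTime: '2022-01-01T00:00:00Z' },
  { userPrincipalName: 'heidi@corp.example', mail: 'heidi@corp.example', passwordPolicies: null,
    lastPasswordChangeDateTime: '2023-10-01T00:00:00Z' },
];

// In the Code node: feed $input.all().map(i => i.json) in place of the samples and return rows as { json: row }.
const notices = usersToNotify(SAMPLE_AD_USERS, MAX_PWD_AGE_90D, SAMPLE_GRAPH_USERS, 90, NOW, 14);
console.log(JSON.stringify(notices, null, 2));
```

With this data the run yields five notices: alice (expiring, 5 days), bob (expired, -10), erin (must change at next logon), frank (expiring, 3) and heidi (expired, -16); carol and grace are skipped because expiration is disabled for them, dave because he is outside the 14-day window. Bob illustrates the Global Catalog caveat from the answer: when the constructed attribute is not returned, the pwdLastSet + |maxPwdAge| fallback still produces a date, and it only equals the DC's value if no fine-grained password policy (PSO) applies to that user.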