How can I get an alert whenever a user account is set to "Password Never Expires"?

In this article:

    • Objective

    • Prerequisites

    • Steps to follow

    • Validation and confirmation

    • Tips

    • Related topics and articles

Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to detect and notify administrators when the Password Never Expires setting is enabled for any Active Directory user account. Monitoring this change is critical for enforcing password expiration policies, reducing account compromise risks, and maintaining compliance with organizational security standards.

Prerequisites  

  • You must have access to the ADAudit Plus web console.

  • Use an administrator account or a technician account with delegated rights to create or modify alert profiles.

  • All relevant domain controllers must:

    • Be added and configured in ADAudit Plus.

    • Be actively sending security event logs without errors.

    • Have real-time log fetching enabled to detect changes immediately.

  • Enable the following audit policy on all domain controllers via Group Policy:

    • Advanced Audit Policy Configuration > Account Management > Audit User Account Management.

  • Apply System Access Control List (SACL) auditing on user objects to track attribute-level changes.

  • If email alerts are required, configure SMTP settings under:

    • Admin > General Settings > Server Settings in ADAudit Plus.

 

Steps to follow

  1. Open the ADAudit Plus web console in a supported browser.

  2. Log in using an account with either administrator privileges or a technician account that has permissions to manage alert profiles.

  3. Navigate to Alerts from the top menu.

  4. Click New Alert Profile located in the top-right corner.

  5. Enter a relevant Alert Name and Description (e.g., Alert – Password Never Expires Enabled).

  6. Set the Severity level based on the importance of the action being monitored.

  7. Click the + icon next to Report Profiles.

  8. Under Domain, select the on-premises domain.

  9. Select Modified Users as the report profile.

  10. You can tailor the Alert Message to suit your specific requirements.

  11. In the Advanced Configuration section, enable the Filter check box.

  12. Add the following condition:

    1. Attribute: User Account Control

    2. Operator: CONTAINS

    3. Value: Don't Expire Password - Enabled

  13. In the Alert Actions section, select the E-mail Notification check box.

  14. Enter the recipient email addresses where the alert should be delivered.

  15. Provide a clear and relevant subject line for the email notification.

  16. Select the preferred format for the alert email, either HTML or Plain Text.

  17. Select the details you would like to include in the email, such as:

    1. Alert Message

    2. Alert Profile Name

    3. Event Details

  18. Enable the Throttle Notification option to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

  19. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), select the SMS Notifications check box for real-time updates.

  20. Select the Execute Script check box to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

  21. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), select the Configure Auto Ticketing check box to automatically generate tickets for alerts.

Note: You can also enable the Throttle Ticket Generation check box to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

  22. Click Save to activate the alert profile.

Validation and confirmation  

  • Perform a test change by enabling the Password Never Expires setting on a test user account.

  • Go to Alerts and expand the on-premises domain under Profile based alerts.

  • Choose the alert profile that was created and select View Alerts in the ADAudit Plus console.

  • Verify that the alert appears with the correct event details.

  • Ensure the alert email is received at the specified address.
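
The test change can be scripted and cross-checked against the domain controller's own Security log, which helps tell a missing alert apart from a missing audit event. The PowerShell below is an added example, not part of ADAudit Plus or of this article's original steps; the account name `alert-test-user` and the DC name `DC01` are hypothetical, and it assumes the ActiveDirectory module and English-language event text.

```powershell
# Added example, not ManageEngine code. Hypothetical names: 'alert-test-user', 'DC01'.
# Needs the ActiveDirectory module (RSAT) and read access to the DC's Security log.
Import-Module ActiveDirectory

$TestUser = 'alert-test-user'   # hypothetical dedicated test account
$DC       = 'DC01'              # hypothetical DC monitored by ADAudit Plus
$Start    = Get-Date

# Helper: read one named field from an event record's EventData section.
function Get-EventField($Record, [string]$Name) {
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Baseline: accounts that already carry the flag. The alert only reports
#    new changes, so existing ones need a separate review.
$baseline = @(Get-ADUser -Server $DC -Filter 'PasswordNeverExpires -eq $true')
'{0} account(s) already have Password Never Expires set' -f $baseline.Count

# 2. Test change against one DC, so the event lands in a known Security log.
Set-ADUser -Server $DC -Identity $TestUser -PasswordNeverExpires $true
try {
    Start-Sleep -Seconds 5
    # 3. Event ID 4738 ("A user account was changed") for the test account.
    $filter = @{ LogName = 'Security'; Id = 4738; StartTime = $Start }
    $events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $TestUser }

    if (-not $events) {
        Write-Warning "No event 4738 for $TestUser on $DC; recheck the audit policy and SACL prerequisites."
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ChangedBy = Get-EventField $e 'SubjectUserName'
            Target    = Get-EventField $e 'TargetUserName'
            # Assumes English event text; same string the alert filter matches.
            FlagSeen  = $e.Message -match "Expire Password.? - Enabled"
        }
    }
}
finally {
    # 4. Revert so the test account follows the password policy again.
    Set-ADUser -Server $DC -Identity $TestUser -PasswordNeverExpires $false
}
```

If the script reports the event but no alert appears in ADAudit Plus, the gap is in log collection or the alert filter rather than in the audit policy.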

Best practices  

  • Monitor only critical user accounts:

    • Domain admins

    • Service accounts

  • Configure the alert to trigger only during non-business hours if your goal is to catch suspicious or unauthorized modifications.

  • Forward alerts to a SIEM or ITSM tool for centralized monitoring and workflow integration.

Related topics and articles  

  • How to configure an alert to notify when a password is set for a user
