
Synchronize PortalGuard Password Expiration to AD Password Expiration

Tags: Security Password Rules SSPR

Problem Definition

What is the best practice for synchronizing the AD password expiration date from AD back to PortalGuard?

Solution

NOTE: PortalGuard version 5.6.2.0 introduced new features that force PG to rely solely on Active Directory for computing users' password expiration. These new settings are easy to implement and require no on-going maintenance. They are the recommended way to achieve seamless password expiration behavior with AD. Please see the Password Expiration Recommendations section in Chapter 5 of the PortalGuard Admin Guide (hosted on box.com) for full details.

Enabling password synchronization between AD and PG is as easy as checking the “AD Password Expiration Sync” check box on the Native Windows tab of your user repository (as shown below).

However, there is more information that you will want to be aware of to make the most efficient use of this PortalGuard feature.

If users have never logged in through PG, PG has no expiration data for them. It is the login through PG that triggers PG to set the password expiration date in the user’s PG profile. PG does have a Batch Import utility that can be used to “enroll” users before they log in themselves. User profiles are created during the Batch Import, so PG will also calculate and save the ExpirationDate for each user at that time.

 -------------------

For users that already exist in PG but need to be “automatically” synced with AD, the PG Batch Import Utility can be used to establish password expiration syncing. The steps are:

  1. Create a .csv file with all the users to enroll
  2. Run the .csv file through the PG_BatchImporter

The following will help you satisfy step 1. Below is an AD PowerShell script that dumps all users in AD with the following information:

  1. sAMAccountName
  2. Last logon timestamp
  3. Last password change timestamp
  4. If the password is set to never expire for the account

It will stream this into a file named “AD_user_expiry.csv” in the current working directory. Here’s the script:

Get-ADUser -Filter * -Properties SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Export-Csv -Path AD_user_expiry.csv

Be sure to launch the AD Module for PowerShell (or run Import-Module ActiveDirectory in an existing session); otherwise the “Get-ADUser” cmdlet won’t be recognized.

The final CSV file that will be imported into PortalGuard only needs the username and the “final”/computed expiration date, which can be obtained by simply adding your AD password expiration interval (e.g. 90 days) to the “passwordlastset” column values. Besides using column headers of “Username,ExpirationDate”, the date value must be formatted as YYYY/MM/DD for PG to accept it.
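The script below is an added example, not part of the original article or of PortalGuard’s own tooling. It performs the dump and the scrub described above in one pass: it queries AD, adds the password age to PasswordLastSet, and writes the two-column “Username,ExpirationDate” file in the YYYY/MM/DD form the Batch Importer needs. It assumes the ActiveDirectory module is installed, takes the expiration interval from the domain’s default password policy unless you override it (users under a fine-grained password policy may need a different value), and uses a placeholder output filename. It also handles the two cases the one-liner above leaves for you to clean up by hand: accounts flagged “password never expires” and accounts with no PasswordLastSet (“must change password at next logon”), both of which are skipped rather than given a bogus date.

```powershell
# Added example (not from the original KB article or from PortalGuard).
# Builds the "Username,ExpirationDate" CSV for the PG Batch Importer directly from AD.
# Requires the ActiveDirectory PowerShell module (RSAT); module autoloading resolves it
# for the default-value expression below, and it is imported explicitly afterwards.
param(
    # Days until expiry. Defaults to the domain's default password policy; override this
    # for users covered by a fine-grained password policy with a different MaxPasswordAge.
    [int]$MaxPasswordAgeDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days,
    # Placeholder output path; point it wherever PG_BatchImporter will read from.
    [string]$OutFile = 'PG_import.csv'
)

Import-Module ActiveDirectory

# PG wants YYYY/MM/DD. In .NET custom format strings "/" is the culture-dependent date
# separator, so pin the invariant culture to guarantee a literal slash on every machine.
$invariant = [System.Globalization.CultureInfo]::InvariantCulture

$lines = New-Object System.Collections.Generic.List[string]
$lines.Add('Username,ExpirationDate')
$skipped = 0

# Only enabled accounts are worth enrolling in PG; drop the filter if you really want all users.
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Sort-Object SamAccountName |
    ForEach-Object {
        # "Password never expires" accounts should not be given an expiration date in PG.
        # A null PasswordLastSet means "must change password at next logon": there is no
        # base date to add the interval to, so leave that user for PG to set on first login.
        if ($_.PasswordNeverExpires -or -not $_.PasswordLastSet) {
            $skipped++
            return   # skip to the next user
        }
        $expires = $_.PasswordLastSet.AddDays($MaxPasswordAgeDays).ToString('yyyy/MM/dd', $invariant)
        $lines.Add("$($_.SamAccountName),$expires")
    }

# Set-Content writes plain unquoted lines; Export-Csv would wrap every field in quotes.
Set-Content -Path $OutFile -Value $lines
Write-Host ("Wrote {0} users to {1}; skipped {2} (never-expires or no PasswordLastSet)" -f ($lines.Count - 1), $OutFile, $skipped)
```

Run it from an elevated AD PowerShell session as `.\Build-PGImport.ps1` (or with `-MaxPasswordAgeDays 60 -OutFile other.csv`) and feed the resulting file to PG_BatchImporter. Because step 1 of the suggestions that follow requires rerunning this regularly, it is written as a parameterized script so it can be scheduled rather than retyped.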

Additional important knowledge/suggestions for the PG Password Expiration Sync with AD feature:

  1. For the PG password expiration date to always be up to date and accurate, you will need to continually run the Get-ADUser command to create the CSV, manipulate/scrub the CSV, then batch import it.
  2. The PG ExpirationDate field can get set in the following ways:
     a. When the user attempts to log in through the PG website (requires the Native Windows -> Sync Active Directory Password Expiration setting to be enabled)
     b. When the PG user profile is first created. This could be via batch importer or a login to the PG website. The expiration interval in the PG Security Policy minus any defined grace period is used as the initial ExpirationDate. This could be immediately overwritten by the current batch importer run if it defines the ExpirationDate column as described in #1 above.
     c. When the user updates their password through the PortalGuard website.
     d. When the AD password is changed via Ctrl-Alt-Del on the Windows workstation and the PG Desktop client is installed.

Page last modified on June 16, 2017, at 10:58 AM