I was recently searching on Google about Active Directory security group expiration (because GroupID does that and I wanted to make sure Google knows that we do it) and came across an interesting post on the petri.il forums. This post details a script that lists user accounts whose passwords are set to expire, with one caveat: the poster only wants accounts that are in a certain security group.

GroupID Automate already has a cool feature called a password expiry group. This feature is deceptively simple: we create a dynamic group (distribution group or mail-enabled security group) whose members have a password set to expire within X number of days. We then trigger a notification email to the members of that group reminding them to change their password. As soon as they change their password, they are no longer in that Active Directory group and stop getting the email.

After reading the post on Petri, I realized that since we are creating a dynamic group anyway, why not add a layer of dynamicism (or smartness, if you will) and add a condition that the user needs to be a member of a certain security group (MemberOf attribute). Unfortunately, MemberOf houses the distinguished name of the Active Directory group and not the common name, so the query needs to match the DN, but that isn't such a hard thing to do.
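The combined condition described above can be written as a single LDAP filter. The following is an added example, not GroupID's own query and not the script from the Petri post: it builds a filter for users who are in a given group (matched by DN, escaped per RFC 4515) and whose `pwdLastSet` falls in the expiry window. It assumes one domain-wide maximum password age; the function names, group DN, 90-day age and 14-day warning are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule: follow nested groups
BIT_AND = "1.2.840.113556.1.4.803"    # AD matching rule: bitwise AND

def escape_filter_value(value):
    """Escape a value for an LDAP filter (RFC 4515) so a DN stays literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def to_filetime(dt):
    """Timezone-aware datetime -> 100 ns ticks since 1601 (pwdLastSet units)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def expiring_members_filter(group_dn, max_age_days, warn_days, now, nested=False):
    """Users in group_dn whose password expires within warn_days of now."""
    # Expiry = pwdLastSet + max age, so "expires in [now, now + warn]" means
    # pwdLastSet lies in [now - max_age, now - max_age + warn].
    lower = to_filetime(now - timedelta(days=max_age_days))
    upper = to_filetime(now - timedelta(days=max_age_days - warn_days))
    # Plain memberOf matches direct membership only; IN_CHAIN walks nesting.
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(%s=%s)" % (attr, escape_filter_value(group_dn))
        + "(pwdLastSet>=%d)(pwdLastSet<=%d)" % (lower, upper)
        + "(!(userAccountControl:%s:=65536))" % BIT_AND  # password never expires
        + "(!(userAccountControl:%s:=2)))" % BIT_AND     # account disabled
    )

# Constructed sample values: group DN, 90-day maximum age, 14-day warning.
if __name__ == "__main__":
    dn = "CN=Sales (EMEA),OU=Groups,DC=example,DC=com"
    print(expiring_members_filter(dn, 90, 14, datetime.now(timezone.utc)))
```

Where fine-grained password policies give users different maximum ages, a single `pwdLastSet` window is not accurate; the per-user expiry time is exposed in the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which has to be read per account rather than filtered on.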

There are a lot of great uses for this particular feature when you don't want to harass all users to change their passwords (Windows sometimes does enough of that for you). For example, for accounts that aren't used too often, you can query members of certain admin groups who maybe don't log on to that account as often as their user account. You can also query members of the sales group only, since sales people are the sorts that ignore password warnings (as a sales guy I am guilty as charged).

If this is a use case you are looking for (to actually notify users in certain groups, not just create a report), we can arrange for a demonstration of how to make it work with GroupID.