The nFront Password Expiration service allows you to have a different maximum password age for each different nFront Password Policy. Most customers have 2 or 3 different password policies. Often, there is a password policy for privileged users that is more restrictive and given a longer maximum password age.
The nFront Password Expiration service is optional and needed only if you plan to enforce different maximum password ages or if you are using the length-based password age settings. The service should be installed on a single DC. If you want fault tolerance, you can install on a second domain controller and leave the service in a manual startup mode.
The service can email end-users prior to their password expiration. The default is 14 days and the default email is an HTML email. You can choose between plain text email or HTML. Both emails are in the windows\system32 folder on the machine running the service and can be easily customized. Most customers customize the HTML version becuase they have trained users to spot phishing emails and they want this email to have the same styling as other internal emails. If it important to note that if you customize the HTML email, please do not use editors like Microsoft Word. It adds a ton of extra HTML syntax and can cause problems processing the email. It is best to keep it simple and be sure all references to images are using URLs that can be accessed internally and externally.
The service can offer some reporting to show users with upcoming password expirations and others that were expired during the most recent run. Most cusotmers have the service run once per do and use the script we provide in the documentation to run the service at a specific time (like around 4 or 5 AM after backups have completed and users are about to get a start on their day).