PWNotify Password Notification Service Driver

over 10 years ago
All-in-one IDM 2.x/3.x/4.x service driver for password notifications that can notify users, helpdesk and naudit on the following events:

  • up to three times before passwords actually expire (notification intervals and times are configurable)

  • after passwords expired, when grace logins fall below a configurable limit

  • when accounts get locked and passwords have to be reset by an administrator

  • on intruder lockout

All notification types and their targets (user, helpdesk and/or naudit) can be individually enabled/disabled. The notification schedule operates on an hourly or daily basis and is easily configured through GCVs.

Because IDM email templates are used, notifications can contain additional account data e.g. the time an intruder-locked account will be automatically unlocked again, or a company name for branding purposes. Email templates are maintained in iManager or Designer, making it easy to give them the same look and feel as the standard templates that come with IDM password synchronization.

New 06-22-2006: v1.1: This is a bugfixed and enhanced version. Now also

  • decodes intruder addresses (IP only) and

  • includes additional email templates and

  • a readme.txt (finally!).

New 07-05-2007: v2.0 for IDM 3.5:

  • trigger notifications from the subscriber channel (via policy or WorkOrder driver)

  • notify managers on direct report's upcoming account expiration

  • uses ldap search instead of XdsQueryProcessor: much more efficient, especially in large tree environments (thanks to a hint by Father Ramon)

New 08-07-2008: v2.0.3 for IDM 3.5:

  • now supports (and defaults to) secure ldap operations

  • notify managers/helpdesk about idle accounts (no login for xx days)

  • changed some GCVs and added more detailed comments on how to use them

New 08-31-2011: v2.1.1 for IDM 4.0:

  • packaged version for easy import and maintenance through Designer

  • removed dependency on bh-dirxmlutils.jar by porting bh_DecodeNetAddr and bh_b64ToHEX functions to ECMAScript

  • code modularization and streamlining

  • minor bug fixes

New 01-07-2013: v2.2:

  • Changed policy naming scheme to include linkage weight

  • Moved base filter to resource object

  • Added support for Edir2Edir shim (to enable support for IDM Bundled Editions, which do not include NULL/LBACK shims), default for new installations.

  • Added LDAP StartTLS support and LDAP tracing (through dependency on updated BH-BitsNPieces v1.0.3)

  • Upgraded prompt stylesheets to latest versions

  • Named LDAP Bind Password now takes precedence over bind user object's Distribution Password.

  • Read Distribution Password (if used) on every notification cycle instead of only once per driver start

  • minor bug fixes


home page url:
download urls:
IDM4.x: use package repo at

Driver Wiki:
Some tips by Geoffrey:
Changing time zone conversions:


Comment List
  • Any suggestions on getting the P-ET-260-PWNotifyAcct (Check Accounts) only to return objects that meet a current time frame like 21 days. For some reason the policy returns all users that have a value for loginExpirationTime.
  • In the repository mentioned above.
  • Where can I get an unlocked version of the Password Notification base package? I'd like to add Full Name to the Reformat Notifications policy.
  • I was trying to make my own driver to catch all failed logins, and get the IntruderAddress correctly. As we are running at IDM 4.0.2, I wanted to use the ECMA script. However, that one gave unreliable results. The first and last octets of the IP address were mostly, but not always! negated. So for example instead of 172 it gave 84, (256-172).
    So after trying to correct the script I finally implemented the bh-dirxmlutils.jar file, which gives reliable results.
    So if you want reliable ip addresses, use the JAR implementation.

    Thanks for your work anyway, Lothar!
  • Wondering how I would change the "Zero Grace Logins Remaining" to instead notify the user when the grace logins are down to another value instead of zero?

    We have 10 grace logins and I'd like to send an e-mail to the user when they are at 5 grace logins.

  • With the latest release of the Bundle, is it possible to add to the overall driver an Email template within the driver for say: Send email to: AccountAudit in addition to the Helpdesk.
  • Yes, it can be used with the edir2edir shim which is included in BE. You need to set the shim manually, add the GUID attribute to the subscriber filter and something like "" as connection info in driver properties to make the driver startup properly and loop back.
    The latest version has all of the above included, but is packaged for IDM 4.x (which will be available in a Bundled Edition soon, as I hear). Until then you can of course use that package and export it from Designer to XML to obtain a 3.6-compatible version (don't forget to export the dependencies, too!)
  • Can this free driver be used legally on IDM 3.6.1 Bundle Edition?
  • I sent all emails converted to English to Lothar so he could add them to the download... I modified some emails to include Links to PW home pages and Graphic images.

    Thank you for the driver code Lothar.

    I hope it helps,

  • Geoffrey's comment is spot on: as every company wants its own corporate look and feel, all I could provide would be templates you'd have to edit anyway. Much work to do but not much to gain compared to using the German ones I already had.
    Anyway, with so many instances of the driver running worldwide now, I am still hoping that someone is willing to share his/her localized templates e.g. by adding them to (with a link to e.g. or sending me an email so I can add them to the download.