Symantec Privileged Access Management

  • 1.  Alert user before being disabled due to inactivity

    Posted Sep 03, 2019 12:10 PM
    Hello,

    We need a way to alert a user that he/she will soon be disabled due to inactivity, so that the user can - if needed - log in to reset the 30 day counter. Is there a way to implement this? We have had several occasions where users who do not use PAM often need to assist with an emergency incident (e.g. during nights or weekends) and then realize the PAM account is disabled.

    Thanks for your input.
    Regards,
    Nadja


  • 2.  RE: Alert user before being disabled due to inactivity
    Best Answer

    Broadcom Employee
    Posted Sep 04, 2019 02:28 PM
    Nadja,

    I don't believe PAM has any native way to accomplish this.  However, if you're comfortable with applications/scripts, it shouldn't be too difficult to use our API to retrieve a list of users and then send emails to those whose accounts are nearing expiration.

    You may also consider increasing the number of days before it disables the accounts to something more reasonable for your users than 30 days if allowed.  If PAM is authenticating against AD, you could make a case to not disable PAM accounts at all, since PAM access would be restricted if the AD account was suspended for inactivity.

    Finally, while it doesn't exactly match your objective, you can enable the "Forced Deactivation Alert" to have notification sent to one of your admins whenever an account is suspended.  This person could then notify users that their accounts had been suspended so they can address the situation immediately rather than being caught off guard in an emergency incident situation.
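
A sketch of the script approach suggested in the answer above, added here as an example and not taken from the thread or from Broadcom: it selects enabled accounts that will hit the 30 day inactivity limit within a warning window and builds the reminder mail. The record field names (`userName`, `email`, `enabled`, `lastLogin`, `created`), the 7 day window and the addresses are assumptions; fetching the user list from the PAM API and handing the message to a mail server are left out.

```python
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

DISABLE_AFTER_DAYS = 30   # inactivity limit mentioned in the thread
WARN_WITHIN_DAYS = 7      # assumed warning window

# Constructed sample records; field names are hypothetical, not the PAM API schema.
SAMPLE_USERS = [
    {"userName": "alice", "email": "alice@example.com", "enabled": True,
     "lastLogin": "2019-08-08T09:00:00+00:00"},
    {"userName": "bob", "email": "bob@example.com", "enabled": True,
     "lastLogin": "2019-09-01T09:00:00+00:00"},
    {"userName": "carol", "email": "carol@example.com", "enabled": False,
     "lastLogin": "2019-07-01T09:00:00+00:00"},
    {"userName": "dave", "email": "dave@example.com", "enabled": True,
     "lastLogin": None, "created": "2019-08-06T09:00:00+00:00"},
]

def users_to_warn(users, now, limit=DISABLE_AFTER_DAYS, window=WARN_WITHIN_DAYS):
    """Return (user, days_left) for enabled accounts due to be disabled within `window` days."""
    due = []
    for user in users:
        if not user.get("enabled"):
            continue  # already disabled: a warning comes too late
        # Accounts that never logged in are measured from their creation date (assumption).
        stamp = user.get("lastLogin") or user.get("created")
        if not stamp:
            continue
        deadline = datetime.fromisoformat(stamp) + timedelta(days=limit)
        days_left = (deadline - now).days  # negative once the deadline has passed
        if 0 <= days_left <= window:
            due.append((user, days_left))
    return sorted(due, key=lambda pair: pair[1])  # most urgent first

def build_warning(user, days_left, sender="pam-admin@example.com"):
    """Build the reminder mail; the caller sends it (for example with smtplib)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = user["email"]
    msg["Subject"] = "Your PAM account will be disabled for inactivity"
    msg.set_content(
        f"Hello {user['userName']},\n\nyour PAM account will be disabled in "
        f"{days_left} day(s) unless you log in before then.\n")
    return msg
```

Run daily from a scheduler so each user gets a reminder while there is still time to log in and reset the counter.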