Monday, June 11, 2012

Active Directory Password Expiration Email Notification

This is a PowerShell script that sends an email notification to Active Directory users when their password will expire in 14, 7, 3, 1, and zero days. Administrators/helpdesk also get a daily report listing the passwords that have expired and the users who were sent a reminder, a useful heads-up for your helpdesk.

The script generates a different message when there are zero days remaining (the password has expired and must be changed today) and stops notifying users once fewer than zero days remain. Negative deadlines result from some account options, such as the "user must change password at next logon" flag (pwdLastSet is 0, so the computed expiry date is in 1601), and you don't want to fill up a user's mailbox when they can't access their mail before changing their password anyway. Those accounts still appear in the helpdesk report.

To set up the script, search for the "# CONFIG:" strings and edit the line that follows each one as documented, then run it on a server as a daily scheduled task (the account running the task needs read access to the user attributes and the ability to relay through your SMTP server).

Active Directory Password Expiration Email Notification Script
Import-Module ActiveDirectory

# Maximum password age from the default domain policy. Users covered by a
# fine-grained password policy (PSO) may have a different maximum age.
$maxdays=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody="Name `t ExpireDate `t DaysToExpire `n"
$ThereAreExpiring=$false

# CONFIG: Replace domain.com in the mail filter with your email domain.
# Only enabled accounts with a mailbox whose password can expire are considered;
# pwdLastSet is not returned by default, so it is requested explicitly.
(Get-ADUser -filter {(mail -like "*@domain.com") -and (Enabled -eq "True") -and (PasswordNeverExpires -eq "False")} -properties pwdLastSet,mail,GivenName) | Sort-Object pwdLastSet |
foreach-object {

    # pwdLastSet is a Windows FILETIME. A value of 0 means "user must change
    # password at next logon"; it yields a large negative day count below, so the
    # account is reported to the helpdesk but not emailed.
    $lastset=Get-Date([System.DateTime]::FromFileTimeUtc($_.pwdLastSet))
    $expiresdate=$lastset.AddDays($maxdays)
    $expires=$expiresdate.ToShortDateString()
    # Compare calendar dates rather than clock times so the 14/7/3/1/0 checks
    # match on exactly one daily run regardless of when the task executes.
    $daystoexpire=[math]::round(($expiresdate.Date - (Get-Date).Date).TotalDays)
    $samname=$_.samaccountname
    $firstname=$_.GivenName
    if (($daystoexpire -eq 14) -or ($daystoexpire -eq 7) -or ($daystoexpire -eq 3) -or ($daystoexpire -eq 1) -or ($daystoexpire -eq 0)) {
    #if ($daystoexpire -le 14) {    # alternative: remind every day during the last 14 days
        $ThereAreExpiring=$true

        # CONFIG: Enter from email address.
        $emailFrom = "helpdesk@domain.com"
        # CONFIG: Replace domain.com with your email domain. Do not change $samname.
        $emailTo = "$samname@domain.com"
        if ($daystoexpire -eq 0) {
        # CONFIG: Enter text for subject and body of email notification for zero days remaining.
            $subject = "$firstname, your password has expired!"
            $body = "$firstname,
Your password has expired and you must change it immediately. No further email notifications will be sent.

Contact support at extension XXXX for assistance."
        }
        Else {
        # CONFIG: Enter text for subject and body of email notification for 14, 7, 3, and 1 days remaining.
            $subject = "$firstname, your password expires in $daystoexpire day(s)!"
            $body = "$firstname,
Your password expires in $daystoexpire day(s).

If you are using a Windows computer, press Ctrl + Alt + Del then click Change password.

If you are using a Mac computer follow the instructions at http://sharepoint/Documentation to change your password.
"
        }
        # CONFIG: Enter your smtp server here.
        $smtpServer = "email.domain.com"
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        # A failed send for one user should not abort the rest of the run.
        try { $smtp.Send($emailFrom, $emailTo, $subject, $body) }
        catch { Write-Warning "Could not notify $emailTo : $_" }

        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
    elseif ($daystoexpire -lt 0) {
        $ThereAreExpiring=$true
        # Add a note to the report email, but don't notify user.
        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
}
if ($ThereAreExpiring) {
    # CONFIG: From address for report to Helpdesk/IT Admin staff.
    $emailFrom = "helpdesk@domain.com"
    # CONFIG: Address to send report email to (for Helpdesk/IT Admin staff).
    $emailTo = "helpdesk@domain.com"
    # CONFIG: Subject for report email.
    $subject = "Expiring passwords"
    $body = $summarybody
    # CONFIG: SMTP Server.
    $smtpServer = "email.domain.com"
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $body)
}
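The reminder decision logic the post describes (email at 14/7/3/1 days, a different message at zero days, report-only for negative deadlines such as the must-change-at-next-logon flag) as an added example that is not the post's script. It runs over constructed sample accounts with an assumed 90-day maximum password age, so the behaviour can be checked without querying Active Directory or sending mail:

```powershell
# Added example, not the post's script: the same reminder decision logic run over
# constructed sample accounts, so it can be checked without querying AD.
# Assumed: a 90-day MaxPasswordAge; pwdLastSet values are FILETIME integers and
# 0 is the "user must change password at next logon" case.
$maxDays      = 90
$reminderDays = 14, 7, 3, 1, 0
$today        = (Get-Date).Date

function Get-PasswordExpiryDays {
    param([long]$PwdLastSet, [double]$MaxDays, [datetime]$AsOf)
    # pwdLastSet = 0 converts to 1601-01-01 and gives a huge negative day count;
    # return $null so callers can tell the flag apart from an ordinary expiry.
    if ($PwdLastSet -eq 0) { return $null }
    $lastSet = [DateTime]::FromFileTimeUtc($PwdLastSet).ToLocalTime()
    $expires = $lastSet.AddDays($MaxDays)
    # Compare calendar dates, not clock times, so "14 days" is hit on exactly one run.
    return [int](($expires.Date - $AsOf.Date).TotalDays)
}

function Get-NotificationAction {
    param([long]$PwdLastSet)
    $days = Get-PasswordExpiryDays -PwdLastSet $PwdLastSet -MaxDays $maxDays -AsOf $today
    if ($null -eq $days)               { return 'report only (must change at next logon)' }
    if ($days -lt 0)                   { return 'report only (expired, no further mail)' }
    if ($days -eq 0)                   { return 'notify: password expired today' }
    if ($reminderDays -contains $days) { return "notify: expires in $days day(s)" }
    return 'none'
}

# Constructed sample accounts; LastSet is the date the password was last changed.
$samples = @(
    @{ Name = 'alice'; LastSet = $today.AddDays(-76)  }  # 14 days left  -> notify
    @{ Name = 'bob';   LastSet = $today.AddDays(-85)  }  # 5 days left   -> none
    @{ Name = 'carol'; LastSet = $today.AddDays(-90)  }  # expires today -> expired message
    @{ Name = 'dave';  LastSet = $today.AddDays(-100) }  # -10 days      -> report only
    @{ Name = 'erin';  LastSet = $null                }  # must change at next logon
)
foreach ($s in $samples) {
    $fileTime = if ($s.LastSet) { $s.LastSet.ToFileTimeUtc() } else { 0 }
    '{0,-8} {1}' -f $s.Name, (Get-NotificationAction -PwdLastSet $fileTime)
}
```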



10 comments:

JonE B said...

Great PS Script!!! I had no trouble implementing it, but how would I add an attachment to this script? I want to send out a PDF with this email message.

Thanks!!

Andrew Zbikowski said...

I'm still a PowerShell novice myself. This looks promising: http://www.techrepublic.com/blog/window-on-windows/send-an-email-with-an-attachment-using-powershell/4969

Austonio said...

Nice, but can the admin report be changed to an HTML format? This way the email report is easier to read in columns etc.

Ioan Damian said...

A sort of formatting can be obtained like this:
$formatString="|{0,-40}|{1,-25}|{2,-19}|{3,11}|{4,9}|`n"

$summarybody+=$formatString -f "Display Name", "Account", "Last Set", "Expire Date", "Days Left"

Details here: https://devcentral.f5.com/blogs/us/powershell-abcs-f-is-for-format-operator
and here:
http://ofps.oreilly.com/titles/9781449320683/strings_and_unstructured_text.html

Alex Leibowitz said...

What version of Powershell is this? What is the command to leave out users with "must change password at next logon checked"? Also how long should this take to run with about 250 users?

Ioan Damian said...

Open a powershell and import the active directory module:
import-module ActiveDirectory

To see all attributes that you can use try:
get-aduser -identity <username> -Properties *

Raghuramji said...

It's really a nice PowerShell script. For those who want to use a nice GUI tool for this, you can use JiJi Password & Account Expiration Notification Tool. You can find the details here: www.jijitechnologies.com/jiji-password-expiration-notification.aspx

Jean-Francois Cyr said...

Hi,

Sorry, English is my third language... Sorry for the following mess...

Here are my 3 questions

1. Do I need to change the @domain.com for my domain name in this row (Get-ADUser -filter {(mail -like "*@domain.com")

2. On which server do I need to run this script?

and finally

3. How can I revert this script?

Regards

Jack

Jean-Francois Cyr said...

Please let me know
Regards

michel jon said...

Excellent, it helps to get notifications for expiring password reminders emailed to users, but I found this automated tool (http://www.lepide.com/user-password-expiration-reminder/) which automatically reminds users to change their passwords before they expire.