Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

4.6 Star
46,968 times
Add to favorites
Active Directory
E-mail Twitter Digg Facebook
Sign in to ask a question

  • Email Log
    5 Posts | Last post Tue 7:13 PM
    • Is it possible to enable testing and logging, then send just the log to the test recipient address?  I'd like to give heads up to techs on passwords that are expiring within 0-1 days.
    • Nevermind.  Had to dig deep into this Q&A.  Found that I had to add another send-mailmessage line with the attachment specified.  
    • I found the Q&A portion of the Q&A that you mentioned; but not sure how to implement it. I'm not that good with scripting. If you can tell me which line(s) you modified; it would get greatly appreciated.
    • You would need to add a new line to include -attachments $logfile at the end of the script.
      If you only want the log file and no notifications,
      On version 2.3 find line 191 (send-mailmessage...) enter a # at the begining of this line to comment it out. (disable it)
      next go to line 229 and add
      Send-Mailmessage -smtpServer $smtpServer -from $from -to $testRecipient -subject $subject -body "Password Change Log Attached" -priority High -Encoding $textEncoding -ErrorAction -attachments $logFile
    • I wanted to have the email notifications sent to the users and have the log file emailed to myself so I'm aware of users that have password expirations coming up.
  • Password Expiration Notification is not sent to users
    1 Posts | Last post Tue 11:48 AM
    • Hi Robert,
      The script worked perfectly with the variable $ Testing = "Enabled". I received all emails.
      When the test is disabled, Password Expiration Notification is not sent to users.
      # Variables
      $ SmtpServer = "My Server"
      $ ExpireInDays = 15
      $ From = "Email"
      $ Logging = "Enabled"
      $ LogFile = "Path"
      $ Testing = "Disabled"
      $ TestRecipient = ""
      In the log the following message appears:
      Can not validate argument on parameter 'To'. The argument is null or empty. Provide an argument that is not null or empty; And then try the command again.
      The following error appears in the Windows PowerShell console:
      Can not convert the "Enabled" value of type "System.String" to type "System.Management.Automation.SwitchParameter".
      At PasswordChangeNotification.ps1: 28 char: 1
      + Param (
      + ~~~~~~
           + CategoryInfo: InvalidArgument: (:) [], RuntimeException
           + FullyQualifiedErrorId: ConvertToFinalInvalidCastException
      NOTE: In test mode it works perfectly
      My System:
      - Windows PowerShell Version 4.0
      - Windows Server 2012
  • How do I add images/attachments in V2 script
    2 Posts | Last post Fri 1:17 PM
    • Hi Love the script really useful, many thanks. 
      I am struggling to include an locally stored image in the email, the error I see is :"the linked image cannot be displayed. The file may have been moved, renamed or deleted. Verify that the link points to the correct file and location." I am not sure if I should use an $image variable or an attachment?
    • You're welcome!
      You can name the image inside $body, like image.jpg, then include -attachments image.jpg on the Send-MailMessage line.
      You can use the information here, which is still valid.
  • Error while sending notify email
    2 Posts | Last post Fri 1:16 PM
    • I changed EmailAddress to UserPricipalName attribute as below:
      Line 85: $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, UserPrincipalName | where { $_.passwordexpired -eq $false }
      Line 99: $emailaddress = $user.UserPrincipalName
      Line 149: $emailAddress = $user.UserPrincipalName
      After ran, I got this error on log file "Cannot validate argument on parameter 'To'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again."
      Please help me how to change from EmailAddress to UserPrincipalName attribute on this script
    • What does the log show?
      If you run in verbose mode does it show valid email addresses for the recipients?
  • Password expiry notification countdown
    6 Posts | Last post March 13, 2017
    • Hi Robert,
      I have set the notification for 7 days in script. However till 2 days notification is working fine after that for 1 day also it is showing today.
      Can we have the notification like below.
      Your Password will expire in 2 days
      Your Password will expire in 1 day
      Your Password will expire in today
    • You could try something like this, at line 154.
          if (($daysToExpire) -lt "1")
              $messageDays = "today!"
          if (($daysToExpire) -eq "1")
              $messageDays = "tomorrow."
          if (($daysToExpire) -eq "2")
              $messageDays = "in " + "two days."
          if (($daysToExpire) -ge "3")
              $messageDays = "in " + "$daystoexpire" + " days."
    •  if (($daysToExpire) -eq "1")
              $messageDays = "tomorrow."
      I am not able to understand this condition. If $daystoexpire -eq 1 it will show tomorrow.
      Please help me on the same
    • Replace that line with my example above.
      if $daysToExpire is less than 1, it will show $messageDays as "today!"
      if $daysToExpire is exactly 1, it will show $messageDays as "tomorrow."
      if $daysToExpire is exactly 2, it will show $messageDays as "in two days."
      if $daysToExpire is 3 or more, it will show $messageDays as "in $daystoexpire days."
    • Hi Robert
      I have added the loop as shown above
      Now for 3days and greater it is showing "Your Password will expire in 2 days"
      I have commented the existing one, and added the above loop
      foreach ($user in $notifyUsers)
          # Email Address
          $samAccountName = $user.UserName
          $emailAddress = $user.EmailAddress
          # Set Greeting Message
          $name = $user.Name
          $daysToExpire = $user.DaysToExpire
          $messageDays = "today."
          #if (($daysToExpire) -gt "1")
           #   $messageDays = "in " + "$daystoexpire" + " days."
       if (($daysToExpire) -lt "1")
      $messageDays = "today!"
      if (($daysToExpire) -eq "1")
      $messageDays = "tomorrow."
      if (($daysToExpire) -eq "2")
      $messageDays = "in " + "2 days."
      if (($daysToExpire) -ge "3")
      $messageDays = "in " + "$daystoexpire" + " days."
      Please check and advice
    • I have calculated the days and hours. for 7 days and 14 hours it is showing as 7 days.
      Due to that it is rounding off.
      for two consecutive days it is showing "Your password expire in two days"
  • Skip accounts where Lastlogondate is blank.
    2 Posts | Last post March 07, 2017
    • hey Robert,
      I'm hoping that there is a way for me to have the script to not email users who have a lastlogondate of blank. I have a lot of users that have accounts, but don't log into them, and won't like to avoid sending emails to unused accounts.
      thanks for your time!
    • Sure, add to line 85 to include the LastLogonDate Property, and then at the very end of the line we can use | where to remove those with an empty value.
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress, LastLogonDate | where { $_.passwordexpired -eq $false } | where { $_.LastLogonDate -ne $null }
  • invalid enumeration context error
    2 Posts | Last post March 06, 2017
    • Hi All, 
      I am getting following errors while running this script. Is it due to large number of user objects in AD? Is there any remedy for it?
      Get-ADUser : The server has returned the following error: invalid enumeration context.
      At D:\Password-Change-Notification-PS1\Password_Change_Notification.ps1:10 char:20
      + $users = get-aduser <<<<  -filter * -properties * -searchbase "OU=Standard,OU=Users,OU=IN,DC=internal,DC=vodafone,DC=
      com" |where {$_.Enabled -eq "True"} | where { $_.PasswordNeverExpires -eq $false } | where { $_.passwordexpired -eq $fa
      lse }
          + CategoryInfo          : NotSpecified: (:) [Get-ADUser], ADException
          + FullyQualifiedErrorId : The server has returned the following error: invalid enumeration context.,Microsoft.Acti
    • How many users in the environment?
  • Using Given Name (First Name) in the email
    3 Posts | Last post March 06, 2017
    • Hi Robert,
      I seen in an earlier question that you would add in a line
      $greeting = $user.GivenName
      I tried this but it just comes out blank, how do I get the users First Name only to appear in the email next to Dear?
    • add GivenName on line 85, after -properties
      in lines 96 and below, add line :  $GivenName = $user.GivenName
      then add line below 134 : $userObj | Add-Member -Type NoteProperty -Name GivenName -Value $GivenName
      after # Set Greeting Message add : $GivenName = $user.GivenName
      Dear $GivenName
    • Hi draymond_it,
      Thanks that worked a treat.
  • $logging = "Enabled" query
    4 Posts | Last post March 04, 2017
    • Hi Robert
      $logging = "Enabled"  
      In earlier script there is an option to enable and disable logging. If we disable then it use to send mail to users.
      In new script, I am not able to find the option. Kindly help me to find the same. Thanks!!
    • That was $testing I think ?
      You can either use -testing or not when running the script to switch between test mode.
    • Thanks Robert. Actually the answer was there in synopsis it was my bad.
    • I have different question now
      I tested the script it is running fine. However it is showing "Your Password will expire in 2 days." after this it is directly showing as today though there is two days remaining
  • Target Users in Security Group
    2 Posts | Last post March 04, 2017
    • Great Script, Does the job very efficiently, just a quick one, how do I target users belongs to a specific security group rather that OU? 
    • Got it, Answer to my Own Question
      Thanks again.
1 - 10 of 245 Items