Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

Active Directory
11/3/2017
  • Not working on W2016.
    11 Posts | Last post Tue 9:13 AM
    • Script does not appear to work properly on a W2016 server.
      
      I had to add the '-SearchBase' to the Get-ADUser command to parse the correct OU, but it does not produce any known results. Two user accounts in the OU are known to be within the expiring parameter. The execution of scripts is enabled in PowerShell.
      
      When run on a W2008R2 on the same domain, it does produce results.
      
      Thank you,
      
      
    • Works perfectly well for me on 2016.
      
      Please confirm you get results using any of these commands.
      
      $users = get-aduser -filter *
      
      $users = get-aduser -filter {(Enabled -eq $true)}
      
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)}
      
      
    • I get the following results on a W2008R2 server.
      
      Working
      $users = get-aduser -filter *
      
      Working
      $users = get-aduser -filter {(Enabled -eq $true)}
      
      Working
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)}
      
      Working, produces the known user accounts.
      $users = get-aduser -searchbase "OU=MyUsers,OU=MyOU,DC=MyDomain,DC=MyRoot" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
      
      
      These are the results for the W2016 server. Notice that the line from the PowerShell produces no results even though it does correctly on the W2008R2. I've replaced the 'OU' and 'DC' with generic terms.
      
      Working
      $users = get-aduser -filter *
      
      Working
      $users = get-aduser -filter {(Enabled -eq $true)}
      
      Working
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)}
      
      Not working, produces no results.
      $users = get-aduser -searchbase "OU=MyUsers,OU=MyOU,DC=MyDomain,DC=MyRoot" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
      
      Note, the W2016 server is the primary with the FSMO. The W2008R2 is the secondary DC.
    • All examples you posted work on my 2016 Server.
      
      Even works via powershell remoting to a server 16 core dc.
    • I've confirmed that it does work on other W2016 servers, just not this one. Any ideas as to what might cause the issue?
      
      
    • Are they in the same environment?
      
      Does this work?
      $users = get-aduser -searchbase "OU=MyUsers,OU=MyOU,DC=MyDomain,DC=MyRoot" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress
      
      If it is just the " | where " that is failing, then I would expect it to be because the accounts all have expired passwords; however, the fact it works on the 2008R2 suggests that is not the case.
      
    • No they are not in the same environment. The working W2016 is a brand new build. The non-working W2016 was an upgrade from a W2008R2.
      
      The script you supplied does run and produce results. I can confirm that it appears to be failing on the 'Where' clause.
      
      Thanks,
    • Do other queries also fail on where clause?
      
      get-wmiobject win32_Product | where { $_.Vendor -eq "Microsoft Corporation" }
    • That script does return results with the 'Where' clause.
      
      I checked the details and have been able to determine that the 'PasswordNeverExpires' and the 'PasswordExpired' attributes are not being returned in the results. The 'Name', 'PasswordLastSet', and the 'EmailAddress' are returned.
      
    • Do those attributes return ok on the 2008r2?
    • Hello guys,
      
      @Isquez: Can you test this line? It works for me.
      $users = get-aduser -SearchBase "OU=MyUsers,OU=MyOU,DC=MyDomain,DC=MyRoot" -Server "MyDomain.local" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
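The thread above narrows the problem down to two attributes the DC did not return, which silently empties the `where { $_.passwordexpired -eq $false }` pipeline. The following diagnostic is an added example, not code from PasswordChangeNotification.ps1; it assumes the ActiveDirectory module, and the OU path and server name are the placeholders used in this thread.

```powershell
# Added diagnostic; not part of PasswordChangeNotification.ps1.
# Assumes the ActiveDirectory module. OU path and server name are placeholders.
Import-Module ActiveDirectory

$searchBase = 'OU=MyUsers,OU=MyOU,DC=MyDomain,DC=MyRoot'
$server     = 'MyDomain.local'
$wanted     = 'PasswordNeverExpires', 'PasswordExpired', 'PasswordLastSet', 'EmailAddress'

# Pin the DC with -Server so the result is not affected by which DC answered the query.
$users = Get-ADUser -SearchBase $searchBase -Server $server `
    -Filter { (Enabled -eq $true) -and (PasswordNeverExpires -eq $false) } `
    -Properties ($wanted + 'msDS-UserPasswordExpiryTimeComputed')

# 1. Which of the requested attributes did this DC leave empty?
#    If PasswordExpired comes back $null, "where { $_.PasswordExpired -eq $false }"
#    drops every user, because $null -eq $false evaluates to $false in PowerShell.
foreach ($u in $users) {
    $missing = $wanted | Where-Object { $null -eq $u.$_ }
    if ($missing) { '{0}: DC returned no value for {1}' -f $u.SamAccountName, ($missing -join ', ') }
}

# 2. Derive the expiry from the constructed attribute instead of PasswordExpired.
#    A value of 0 or [int64]::MaxValue means no expiry applies to this account.
$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [int64]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    New-Object PSObject -Property @{
        SamAccountName = $u.SamAccountName
        EmailAddress   = $u.EmailAddress
        ExpiresOn      = $expires
        DaysLeft       = [int][Math]::Floor(($expires - (Get-Date)).TotalDays)
        Expired        = ($expires -lt (Get-Date))
    }
}

# Accounts still within their password lifetime, soonest expiry first.
$report | Where-Object { -not $_.Expired } | Sort-Object DaysLeft |
    Format-Table SamAccountName, EmailAddress, ExpiresOn, DaysLeft -AutoSize
```

Run it against both DCs: if step 1 lists attributes only on the upgraded 2016 DC, the cause is on that DC rather than in the script, and step 2 shows whether the expiry dates it computes still agree with the 2008R2 DC.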
  • Script Works Perfectly
    2 Posts | Last post January 10, 2018
    • Script works perfectly, but it sends email to the support email.
      
      I am not a script guy; please help me disable testing and send email to users.
      
    • Simply omit the -testing parameter.
  • O365 smtp support
    2 Posts | Last post January 05, 2018
    • Hi!
      
      O365 SMTP uses port 587 and SSL encryption.
      Could you make these settings optional?
      
      Best regards,
    • You're better off setting up a local relay service for that. See: https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4
  • No email sent, ever, when adding -interval
    5 Posts | Last post January 03, 2018
    • When I use the -interval, no email is sent and "Skipped - Interval" is added to the logs for all users that have 15 days or less; several have 2 days left, so they shouldn't be skipped.
      
      Here's my line in the batch file:
      powershell.exe -executionpolicy remotesigned -file C:\pwnotification\PasswordChangeNotification.ps1 -smtpServer smtp.domain.com -expireInDays 15 -from "IT <support@domain.com>"  -Logging -logPath "c:\pwnotification" -reportto me@domain.com -interval 1,2,5,10,15
      
      Is my command OK? If I remove the -interval option, emails are sent.
    • And if I'm executing it directly in PowerShell, it works. Looks like it does not like the comma somehow... when I execute it from a batch file.
    • I managed to make it work by hardcoding the intervals in the PowerShell script.
    • This might help, https://www.youtube.com/watch?v=3ia-cJbf5Ng
    • Try the syntax below:
      
      powershell.exe ... -command "C:\........ -from 'IT <support@domain.com>'  ..... 'c:\pwnotification' ..... 5,10,15" - double quotes outside then single quotes inside
  • # of users processed is different on a DC versus member server
    3 Posts | Last post December 29, 2017
    • Signed on to a domain controller as domain administrator1, the number of users processed = 12
      
      Signed on to a member server as admin administrator1, the number of users processed = 204
      
      Both servers are Windows Server 2012 R2 Standard and signed on with the same user.  The only difference is that the servers are in different OUs (GPOs).  Is there a specific GPO setting that needs to be enabled?  Is it a bad idea to run this on a DC?
      
    • Never seen that before.
    • Apparently there is a delay of up to 14 days for some of the AD user expiration attributes to replicate between DCs. Maybe that's the cause?
  • how to monitor if this script failed
    1 Posts | Last post December 28, 2017
    • I am using Version 2.6. We have plenty of users in AD. Is there a way to monitor failure of this script? Perhaps a try/catch section in the code that sends an e-mail to serveremergencies@****.com when an error is encountered? Or if the task scheduler can send failure alerts, that would work too. Please let me know how we can modify the script. Thanks!
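One way to get the failure alerting asked for above without editing the script itself is a wrapper that the scheduled task runs instead. This is an added example, not part of the script or its author's code; the paths, addresses, SMTP host and the 'PwNotify' event source are placeholders.

```powershell
# Added example; not part of PasswordChangeNotification.ps1. Wraps a scheduled run so
# that any failure produces an alert email and an Application log event.
# Paths, addresses, SMTP host and the event source 'PwNotify' are placeholders.
$scriptPath = 'C:\pwnotification\PasswordChangeNotification.ps1'
$smtp       = 'smtp.example.com'
$alertFrom  = 'IT <support@example.com>'
$alertTo    = 'serveremergencies@example.com'

# Parameters for the notification script, passed by splatting.
$scriptArgs = @{
    smtpServer   = $smtp
    expireInDays = 15
    from         = $alertFrom
    Logging      = $true
    logPath      = 'C:\pwnotification'
}

try {
    # Errors inside the script are non-terminating by default and would never reach
    # the catch block; 'Stop' turns them into terminating errors for this run.
    $ErrorActionPreference = 'Stop'
    & $scriptPath @scriptArgs
}
catch {
    $body = @(
        "Password expiry notification FAILED on $env:COMPUTERNAME at $(Get-Date -Format s)"
        "Error: $($_.Exception.Message)"
        "Where: $($_.InvocationInfo.PositionMessage)"
    ) -join "`r`n"

    # Alert a person, and leave an Application log record that a Task Scheduler event
    # trigger or a log collector can pick up. Register the source once, elevated:
    #   New-EventLog -LogName Application -Source 'PwNotify'
    Send-MailMessage -SmtpServer $smtp -From $alertFrom -To $alertTo `
        -Subject '[ALERT] Password expiry notification failed' -Body $body
    Write-EventLog -LogName Application -Source 'PwNotify' -EntryType Error -EventId 1001 -Message $body

    # Non-zero exit code so the task's "Last Run Result" shows the failure as well.
    exit 1
}
```

Point the scheduled task at this wrapper (powershell.exe -File with the wrapper's path) and the alert covers both script errors and a failure to send the notifications themselves.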
  • Remote Domains
    1 Posts | Last post December 20, 2017
    • We have a large number of forests.  Is there a way to easily select a remote domain without having to RDP to a domain controller in the remote domains?
  • Feature Request
    2 Posts | Last post December 20, 2017
    • This may cost a pint or two.
      
      My feature request is a switch to email the AD manager too. The first option would be to email every time a user is emailed. The second would allow you to select which interval the manager is emailed.
      
      Thank you!
    • Drop me a line at https://windowsserveressentials.com/support with a bit more info on what you want to see.
  • Running the Script
    2 Posts | Last post December 15, 2017
    • What would be the basic steps to run the script? Do I need to run it in Powershell or Active Directory Powershell module or Azure AD Powershell? Also, is there a way to configure the script for testing so that I can use my email address and then set it up for the domain users? Sorry if this seems basic. However, I do not follow what procedure to use when to start. I'm in an Office365 environment so I'm using the smtp.office365.com as my server but it does not send a test to my email
    • Yes, you need the ActiveDirectory PowerShell module. I don't think it works in Azure AD, because last time I checked they don't publish all the relevant password date info.
      
  • What about multiple expiration windows?
    9 Posts | Last post December 14, 2017
    • Could this script be modified to send notifications 7 days, 3 days and 1 day prior to expiration?  What would that look like?
    • Yes this is possible to do, lots of questions and answers below on that.
      
      
    • Also, I am getting the following errors in the script:
      You cannot call a method on a null-valued expression.
      At C:\pwnotify\PasswordChangeNotification.ps1:190 char:41
      +     $samLabel = $samAccountName.PadRight <<<< ($padVal," ")
          + CategoryInfo          : InvalidOperation: (PadRight:String) [], RuntimeException
          + FullyQualifiedErrorId : InvokeMethodOnNull
      
      Add-Member : Cannot bind argument to parameter 'InputObject' because it is null.
      At C:\pwnotify\PasswordChangeNotification.ps1:207 char:27
      +         $user | Add-Member <<<<  -MemberType NoteProperty -Name SendMail -Value $errorMessage
          + CategoryInfo          : InvalidData: (:) [Add-Member], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.AddMemberCommand
      
      Export-Csv : Cannot bind argument to parameter 'InputObject' because it is null.
      At C:\pwnotify\PasswordChangeNotification.ps1:226 char:32
      +     $notifiedUsers | Export-CSV <<<<  $logFile
          + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ExportCsvCommand
      
      Any thoughts?
    • Never mind...  I'm a dope.
    • I just updated to version 2.6 including a new parameter to do this; interested to hear what you think.
      https://www.youtube.com/watch?v=zbySaQ2qWA4
    • Bro...  That's BRILLIANT!  Thank you so much.
    • Alright...  One more question.  I'm getting this error:
      
      Method invocation failed because [System.Object[]] doesn't contain a method named 'Contains'.
      
      Any Ideas?
    • Which OS are you using?
    • I have the exact same error; have you found the reason for that?
      I am running Windows Server 2008 r2 w/SP1 AD
      PS: already tried the latest version of the script.
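Two of the threads above concern the same piece of logic: how the script decides whether today's days-to-expiry falls on one of the -interval values (the "Skipped - Interval" thread, where the list did not survive the batch file) and the "[System.Object[]] doesn't contain a method named 'Contains'" error seen on Server 2008 R2. The block below is an added example, not the script's own code; the function names, parameter names and sample users are hypothetical and constructed.

```powershell
# Added example, not code from PasswordChangeNotification.ps1. Function names,
# parameter names and the sample users are hypothetical/constructed.
function Get-DaysToExpire {
    param([Parameter(Mandatory=$true)] [DateTime] $ExpiresOn)
    # One rounding rule for both the skip decision and the email text, so they agree.
    return [int][Math]::Floor(($ExpiresOn - (Get-Date)).TotalDays)
}

function Test-NotifyInterval {
    param(
        [Parameter(Mandatory=$true)] [int]   $DaysToExpire,
        [Parameter(Mandatory=$true)] [int[]] $Interval
    )
    # $Interval.Contains($DaysToExpire) throws "[System.Object[]] doesn't contain a method
    # named 'Contains'" on PowerShell 2.0 (the default on Server 2008 R2), because that
    # version does not surface IList.Contains() on arrays. The -contains operator is
    # evaluated by PowerShell itself and behaves the same on every version.
    return [bool]($Interval -contains $DaysToExpire)
}

# Constructed stand-ins for the objects Get-ADUser would return.
$sample = @(
    @{ Sam = 'alice'; ExpiresOn = (Get-Date).AddDays(2.4)  },
    @{ Sam = 'bob';   ExpiresOn = (Get-Date).AddDays(7.1)  },
    @{ Sam = 'carol'; ExpiresOn = (Get-Date).AddDays(15.9) }
)
$interval = 1, 2, 5, 10, 15

foreach ($u in $sample) {
    $days = Get-DaysToExpire -ExpiresOn $u.ExpiresOn
    if (Test-NotifyInterval -DaysToExpire $days -Interval $interval) {
        '{0}: {1} day(s) left -> send'               -f $u.Sam, $days
    } else {
        '{0}: {1} day(s) left -> Skipped - Interval' -f $u.Sam, $days
    }
}

# Why the batch-file call behaved differently: with -File, powershell.exe hands every
# argument to the script as a literal string, so "1,2,5,10,15" is not parsed into an
# array. With -Command the argument text is parsed as PowerShell and 1,2,5,10,15 becomes
# an int array. Double quotes outside, single quotes inside, as suggested in the thread:
#   powershell.exe -ExecutionPolicy RemoteSigned -Command "& 'C:\pwnotification\PasswordChangeNotification.ps1' -smtpServer smtp.domain.com -expireInDays 15 -from 'IT <support@domain.com>' -Logging -logPath 'c:\pwnotification' -reportto me@domain.com -interval 1,2,5,10,15"
```

With the sample data, alice (2 days) and carol (15 days) are on the interval and bob (7 days) is skipped; on 2008 R2, replacing a `.Contains()` call with `-contains` removes the method error without changing which users are notified.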