Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

Active Directory
11/3/2017
  • Updated Configuration Guide
    1 Posts | Last post Wed 10:21 AM
    • Hi Robert, 
      
      Thanks for the fantastic script! I was wondering if there was an up-to-date config guide for version 2.7?
  • Script not running
    2 Posts | Last post Mon 12:06 PM
    • Hello Robert, first of all thank you for the script. I'm running into errors executing the script in PowerShell; hoping you can help.
      
      This is what I'm running
      
      PasswordChangeNotification.ps1 -smtpServer smtp.office365.com -expireInDays 21 -from "IT Support <donotreply@domain.com>" -Logging -LogPath "c:\scripts\passwordnotification" -testing enabled -testRecipient admin@domain.com
      
      I receive the following error every time, either on my admin server or DC:
      
      
      C:\Scripts\PasswordExpiration\PasswordChangeNotification.ps1 : Cannot process argument transformation on parameter
      'status'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter". Boolean
      parameters accept only Boolean values and numbers, such as $True, $False, 1 or 0.
      At line:1 char:199
      + ... g -LogPath "c:\scripts\passwordnotification" -testing enabled -testRe ...
      +                                                           ~~~~~~~
          + CategoryInfo          : InvalidData: (:) [PasswordChangeNotification.ps1], ParameterBindingArgumentTransformationException
          + FullyQualifiedErrorId : ParameterArgumentTransformationError,PasswordChangeNotification.ps1
      
      
      Admin server info:
      Windows Server 2008R2
      PS version: 5.1.14409.1005
      
      DC server info:
      Windows server 2008R2
      PS version 2
      
      Any input would be much appreciated!
      
      Thank you
      
    • You do not need to have 'enabled' after -testing.
  • Search AD Members without Addresses
    3 Posts | Last post May 18, 2018
    • Hi Robert, 
      
      In my environment I have a lot of "Generic" accounts, and a lot of them don't have email addresses enabled.
      Is there a way to report and inform a user (i.e. a site manager) of expiring passwords?
      Or will i need to add the managers email to the AD Accounts?
      
      Thank you in advance for your help
      
      
    • Try specifying -testrecipient; this should apply to anyone who does not have an email address stored in AD.
      Alternatively yes you could update AD to include the email address you want them sent to.
    • Thanks for your reply back, quick question, where would i apply this?
  • Will this work with Fine Grained Password Policies
    2 Posts | Last post May 18, 2018
    • Hi Robert,
      
      First let me echo what probably countless admins and engineers have said and say just how much I appreciate this script.  I've had it running in my environments for 18 months or so and it just works. Has saved our team tons of work.
      
      My question: will this work with FGPPs? I'm going to start using them in one of the domains I have your script set up in. Will it be able to read the different policies and email accordingly?
      
      Thanks
    • Yes, it checks each user's individual password policy if present.
  • Searchbase against members of an AD Group
    4 Posts | Last post May 16, 2018
    • Hi Robert
      
      I have looked through the list of queries from others and am unable to find an answer to my query - so apologies if I have missed it.
      
      Is it possible to do a -searchbase on members of an AD group as opposed to an OU?
      I have it working on OU filtering, but the design of our directory limits me on using the OU searchbase. If you have any input on this it is greatly appreciated.
      
      Thanks in advance
    • No, -searchbase is just for OUs.
      
      What you can do, which I explain in a video, is create an array to store a list of groups, then run Get-ADGroupMember against each group, and add each member to $users.
      
      This video is based on the older version of the script, but the process/logic is the same.
      
      https://www.youtube.com/watch?v=4CX9qMcECVQ
    • Hi Robert, thanks a mill, this has worked as expected - great job!
      Now to get it working as a scheduled task - thanks again!
    • I have followed your video for Task Scheduler and copied the syntax, and all is working like a charm - https://www.youtube.com/watch?v=3ia-cJbf5Ng
      Thanks again!
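The "array of groups" approach from the reply above, written out as an added example (this is not Robert's script and not the code from his video). It assumes the ActiveDirectory module and that the three group names in $groupNames exist in your domain; they are placeholders. It expands nested groups, drops non-user members, de-duplicates users who sit in several groups, and applies the same enabled / PasswordNeverExpires / PasswordExpired filter the script's own Get-ADUser line uses, so the resulting $users array can replace the one the script builds from -SearchBase.

```powershell
# Added example: build $users from the members of several AD groups
# instead of from an OU via -SearchBase. Not part of the original script.
# Assumes: ActiveDirectory module; group names below are hypothetical.
Import-Module ActiveDirectory

$groupNames = @('Finance-Users', 'HR-Users', 'Site-Managers')   # replace with your groups

# Keyed by SamAccountName so a user in several groups is notified only once
$collected = @{}

foreach ($groupName in $groupNames) {
    try {
        # -Recursive expands nested groups; computers and groups are dropped below
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not enumerate group '$groupName': $($_.Exception.Message)"
        continue
    }

    foreach ($member in $members) {
        if ($member.objectClass -ne 'user') { continue }
        if ($collected.ContainsKey($member.SamAccountName)) { continue }

        # Fetch the same attributes the script's Get-ADUser call requests
        $u = Get-ADUser -Identity $member.DistinguishedName `
                        -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress

        # Keep the script's own filter: enabled, password can expire, not already expired
        if ($u.Enabled -and -not $u.PasswordNeverExpires -and -not $u.PasswordExpired) {
            $collected[$u.SamAccountName] = $u
        }
    }
}

# $users now has the shape the rest of the script expects from its Get-ADUser line
$users = @($collected.Values)
Write-Host ("Collected {0} user(s) from {1} group(s)" -f $users.Count, $groupNames.Count)
```

Get-ADGroupMember -Recursive returns every nested member, so a group that contains "Domain Users" will pull in the whole domain; check the count before scheduling this.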
  • Email Users with Expired Password
    1 Posts | Last post May 10, 2018
    • What changes are required to identify and email users with an expired password?
      
      The lines suggested by Jean-Francois Michaud are not working, as the script is already filtering users with an expired password.
      
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
      
      Thanks in advance
  • SMTP server error
    2 Posts | Last post May 09, 2018
    • I did the testing on a Windows 10 box in testing mode before fully deploying to the final resting place. I have the task running on a domain controller running Server 2012 and everything set up as it was in the Win10 testing environment.
      
      The error I get is
      
      The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated
      
      I followed one of the videos and created an SMTP alteration but that seems to give me the same error.  Does the account just need to be able to access SMTP server or have an email account on the SMTP server?
    • The account needs permission to relay email. So, if it is a gmail smtp server, it would need to be gmail credentials.
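An added example of sending through an SMTP server that demands authentication, which is what the 5.7.1 "Client was not authenticated" response in the post above means. This is not the script's own mail code: it assumes Send-MailMessage, a mailbox that is permitted to send (for Office 365, the From address must be that mailbox or an alias it can send as), and a hypothetical credential file path. The credential is captured once with Get-Credential and stored with Export-Clixml, which protects the password with DPAPI for the account that exported it on that machine, so the file must be created by the same account the scheduled task runs as and is useless if copied elsewhere; nothing is hard-coded in the script.

```powershell
# Added example: authenticated SMTP submission for the script's notification
# e-mail, without a clear-text password in the .ps1. Not part of the original
# script. Assumes: Send-MailMessage; a mailbox allowed to send; the path below
# is hypothetical.
$credPath = 'C:\Scripts\PasswordExpiration\smtp.cred.xml'

# One-time setup, run interactively as the SAME account the scheduled task uses.
# Export-Clixml encrypts the password with DPAPI for that user on that host.
if (-not (Test-Path -Path $credPath)) {
    Get-Credential -Message 'SMTP sending account' | Export-Clixml -Path $credPath
}
$smtpCred = Import-Clixml -Path $credPath

$mailParams = @{
    SmtpServer = 'smtp.office365.com'
    Port       = 587
    UseSsl     = $true                 # STARTTLS; never send the credential in the clear
    Credential = $smtpCred
    From       = 'IT Support <donotreply@domain.com>'   # must match the authenticated mailbox or a send-as alias
    To         = 'admin@domain.com'
    Subject    = 'Your password will expire in 4 days'
    Body       = '<p>Dear user8,</p><p>Your password will expire in 4 days.</p>'
    BodyAsHtml = $true
    Encoding   = [System.Text.Encoding]::UTF8
}

try {
    Send-MailMessage @mailParams -ErrorAction Stop
}
catch {
    # A 5.7.1 here means the credential, or the From address, is not allowed to send
    Write-Error "SMTP send failed: $($_.Exception.Message)"
}
```

If the task runs as a different account than the one that created smtp.cred.xml, Import-Clixml fails to decrypt the password; re-create the file under the task account rather than copying it.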
  • Added when value is negative
    2 Posts | Last post May 08, 2018
    • I don't know if it was already supposed to work, but I've added this and it seems to be OK...
      
      if ($daysToExpire.Days -le -1)
      {
          $userObj | Add-Member -Type NoteProperty -Name UserMessage -Value "Expired"
      }
      
      When the value to change the password is negative (in days).
    • It should filter out those with expired passwords, but as you mention, it could be a culture/date display issue.
  • Not getting the $messageDays
    4 Posts | Last post May 06, 2018
    • I've managed to get it running, but the only thing that doesn't work is that I'm unable to have the $messageDays value in
      
      Dear $name, <> Your Password will expire $messageDays<>
      
      and in
      
      $subject="Your password will expire $messageDays" 
      
      The value is blank
      
      For now I'm in testing mode...
    • In the console output I have this result...
      
      UserName Name     EmailAddress       PasswordSet         DaysToExpire ExpiresOn          
      -------- ----     ------------       -----------         ------------ ---------          
      1    user1       User1@domain.com    2013-05-03 09:03:37        -1707 2013-08-31 09:03:37
      2    user2       User2@domain.com    2013-12-19 11:33:51        -1477 2014-04-18 11:33:51
      3    user3       User3@domain.com    2015-06-09 12:21:33         -940 2015-10-07 12:21:33
      4    user4       User4@domain.com    2016-07-04 09:45:51         -549 2016-11-01 09:45:51
      5    user5       User5@domain.com    2017-08-15 10:26:26         -262 2017-08-15 10:26:26
      6    user6       User6@domain.com    2017-08-28 11:14:51         -249 2017-08-28 11:14:51
      7    user7       User7@domain.com    2017-10-10 12:15:23          -86 2018-02-07 12:15:23
      8    user8       User8@domain.com    2018-01-08 09:55:57            4 2018-05-08 09:55:57
    • Well, I think it's because of the culture language... (I have a French-CA OS)
      
      Is there a way to output French dates?
      
      
    • Well, I've added those lines
      
      # function header reconstructed from the call below; the posted fragment started at its body
      function Set-Culture([System.Globalization.CultureInfo] $culture)
      {
          [System.Threading.Thread]::CurrentThread.CurrentUICulture = $culture
          [System.Threading.Thread]::CurrentThread.CurrentCulture = $culture
      }
      
      Set-Culture en-US
      
      Working great!!!
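One added example that covers three threads above: the fine-grained password policy question (the reply says the script checks each user's individual policy), the negative DaysToExpire / "Expired" addition, and the $messageDays and date-culture discussion in this thread. It is not Robert's script or any poster's code. It computes each user's expiry from the resultant policy (Get-ADUserResultantPasswordPolicy when an FGPP applies, otherwise Get-ADDefaultDomainPasswordPolicy), keeps expired accounts and "must change at next logon" accounts as explicit states instead of dropping them, and formats dates with the invariant culture so the e-mail text is identical on a fr-CA and an en-US host, which avoids changing the whole thread's culture as in the post above. The two Get-AD* calls assume the ActiveDirectory module; the sample users and the 120-day maximum age at the bottom are constructed so the calculation runs without a domain.

```powershell
# Added example; not code from the script or from any post in this thread.
# Assumes: ActiveDirectory module for the two Get-AD* calls. Sample data below is
# constructed; 120 days stands in for the real resultant MaxPasswordAge.

function Get-ResultantMaxPasswordAge {
    # A fine-grained policy wins when one applies to the user; otherwise the domain default.
    param([Parameter(Mandatory)] $User)
    $policy = Get-ADUserResultantPasswordPolicy -Identity $User
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    return $policy.MaxPasswordAge
}

function Get-PasswordExpiryInfo {
    param(
        [Parameter(Mandatory)] $User,                    # needs SamAccountName, EmailAddress, PasswordLastSet
        [Parameter(Mandatory)] [timespan] $MaxPasswordAge,
        [datetime] $Now = (Get-Date)
    )
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $fmt = 'yyyy-MM-dd HH:mm:ss'

    # PasswordLastSet is $null when "User must change password at next logon" is set
    if (-not $User.PasswordLastSet) {
        return [pscustomobject]@{
            UserName = $User.SamAccountName; EmailAddress = $User.EmailAddress
            PasswordSet = $null; DaysToExpire = $null; ExpiresOn = $null
            Message = 'Must change at next logon'
        }
    }

    $expiresOn    = $User.PasswordLastSet + $MaxPasswordAge
    $daysToExpire = [int][math]::Floor(($expiresOn - $Now).TotalDays)
    $message = if ($daysToExpire -lt 0) { 'Expired' }
               elseif ($daysToExpire -eq 0) { 'Expires today' }
               else { "Expires in $daysToExpire days" }

    [pscustomobject]@{
        UserName     = $User.SamAccountName
        EmailAddress = $User.EmailAddress
        PasswordSet  = $User.PasswordLastSet.ToString($fmt, $inv)   # same text under any OS culture
        DaysToExpire = $daysToExpire
        ExpiresOn    = $expiresOn.ToString($fmt, $inv)
        Message      = $message
    }
}

# --- Constructed sample data (mirrors the dates quoted in the console output above) ---
# A [datetime] cast from a 'yyyy-MM-dd HH:mm:ss' string parses with the invariant
# culture, so these lines behave the same on a fr-CA and an en-US host.
$now    = [datetime]'2018-05-04 09:00:00'
$maxAge = New-TimeSpan -Days 120        # stand-in for (Get-ResultantMaxPasswordAge $user)
$samples = @(
    [pscustomobject]@{ SamAccountName = 'user7'; EmailAddress = 'User7@domain.com'; PasswordLastSet = [datetime]'2017-10-10 12:15:23' }
    [pscustomobject]@{ SamAccountName = 'user8'; EmailAddress = 'User8@domain.com'; PasswordLastSet = [datetime]'2018-01-08 09:55:57' }
    [pscustomobject]@{ SamAccountName = 'user9'; EmailAddress = 'User9@domain.com'; PasswordLastSet = $null }
)

$report = $samples | ForEach-Object { Get-PasswordExpiryInfo -User $_ -MaxPasswordAge $maxAge -Now $now }
$report | Format-Table -AutoSize

# Against a real domain, replace $samples / $maxAge with:
#   $adUsers = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
#                         -Properties PasswordLastSet, EmailAddress
#   $report  = $adUsers | ForEach-Object {
#                  Get-PasswordExpiryInfo -User $_ -MaxPasswordAge (Get-ResultantMaxPasswordAge $_) }
```

With a 120-day maximum age, user8 comes out at 4 days to expiry and user7 at an expired (negative) count, matching the two rows of the quoted table, and user9 is reported as "Must change at next logon" rather than throwing on a null PasswordLastSet. Because every date is rendered through InvariantCulture, the e-mail body no longer depends on the culture of the host the scheduled task runs on.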
  • Modify script for certain OU or users
    4 Posts | Last post May 02, 2018
    • Hi, how could I change this to only look at an OU or specific users? I have about 5 users I need to run against. Thank you!
    • Yes, you can use -SearchBase with the Get-ADUser command.
      
      Example:
      Get-AdUser -filter * -SearchBase "ou=myou,dc=domain,dc=com"
    • I have tried this but I get errors. Do I leave the rest of the code after the * -SearchBase "ou=myou,dc=domain,dc=com", like the -properties string and so forth?
    • Yes.
      
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -searchBase "ou=myou,dc=domain,dc=com" -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }