Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

Active Directory
3/24/2017


  • Email Report to IT Admins?
    1 Posts | Last post 2:27 PM
    • Very grateful to you for producing this script, which works really well and has been well received by our users.
      
      One thing I would really like it to be able to do is email a report (basically the same 'write-output' text that goes to the PowerShell window) to an IT Admin after it has finished running, i.e. so what you see on screen is put into an email and sent to a nominated email address.
      
      I can modify the odd line of existing code, but this would be beyond my skills. Would it be possible to add something along those lines?
      
      Thanks again for a great script.
      
      Simon
  • No ADWS or LocalAccount
    2 Posts | Last post Mon 9:34 AM
    • What are my alternatives to filling up $users if I don't have ADWS(get-aduser) and don't have Microsoft.Powershell.LocalAccounts(get-localuser)?
    • Depends what sort of local accounts you want to manage.
      
      You can install ADWS on any 2008 DC. If you have any older DCs, you should be replacing them.
  • Send email to notified user their password already expired and
    2 Posts | Last post August 10, 2017
    • The script works fine before the expiry date. How can the script be changed to carry on sending email to users after their passwords have expired?
    • You would need to remove the part where it filters expired passwords.
      
      | where { $_.passwordexpired -eq $false }
  • Testing working fine but nothing when testing switch removed
    2 Posts | Last post August 08, 2017
    • Hi,
      
      Great script - Used it lots in testing to make sure the info it pulls is fine. Trying to configure it as a scheduled task. Task configured as per information here and on youtube.
      
      If I use the script with testing enabled I get both log files in the log location and emails to the testing email address setup in the parameters. As soon as I remove the testing and testing email parameters and then try a manual run or wait for the schedule to kick in - it completes but no log file is created and no emails appear to be sent. 
      
      I've tried running with different user accounts including the domain admin. Any ideas as it's hurting my head!!
      
      Thanks
      
    • All sorted. No idea what happened; I recreated the job from scratch and somehow, for some strange reason, it worked this time.
  • How to implement this Script in the Environment
    1 Posts | Last post August 04, 2017
    • Hi Robert,
      
      A network engineer who has now left our company set this script in place and it works great. However, we cannot locate how and where it is, and we now need to edit it. Looked in Logon, Logoff scripts\powershell, scheduled tasks, locally and Domain GPO. How would this script be placed in a GPO scheduled task or some other method?
      
      Thanks,
      
      
  • No Log File, No Email Received
    2 Posts | Last post July 28, 2017
    • Robert, 
      
      Thanks for the script I'm using it but a little confused with the results I'm getting. 
      
      1. The script is only finding three users, and then stating 0 users to notify.
      2. When using testing flags I get no email. When not using testing flags I get no email.
      3. My log is empty.
      
      Any help would be greatly appreciated.
    • See the question below re missing users - it usually means they don't meet the criteria of the search.
      
      Which version do you have?
      
      Are you running it from PowerShell directly or through a Task?
  • Script is not working, only querying a selection of people and not entire OU
    2 Posts | Last post July 17, 2017
    • Hi, wondering if someone can help me. I have been testing this script and have noticed it is not working as it should!
      
      When I run this command:  get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
      
      
      It only returns 6 accounts, when, if I understand correctly, it should return all accounts in our users OU so long as their account has not got "Password Never Expires" ticked. In which case it should return around 200 accounts.
      
      I am assuming this is why the script is not working and not emailing people when their password is due to expire, as the query is not returning all values.
      
      Any help would be greatly appreciated.
    • If you break the command down, do you see more results?
      
      get-aduser -Filter *
      get-aduser -filter {(Enabled -eq $true)}
      get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)}
      get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} | where { $_.passwordexpired -eq $false }
      
      
      
  • why not use msds-userpasswordexpirytimecomputed?
    3 Posts | Last post July 14, 2017
    • Any reason you're not using the msds-userpasswordexpirytimecomputed attribute in AD? For some reason that value in one of our domains is an hour behind $pwdLastSet.AddDays($maxPasswordAge).
    • I don't think I knew it existed when I first wrote the script.
      
      I would imagine any time discrepancy is timezone based, or due to the way the script rounds the number of days to expire.
      
    • Just had a quick look at this, it does seem like it might be easier. However, I did a test against one user and converted msds-userpasswordexpirytimecomputed to a date time, using get-date, and it returned an odd value, 13 September 0417 16:49:08; I'm assuming 0417 is supposed to be 2017. The value shown in the ADSIEdit GUI is also different to the value shown if you pull the value out through PowerShell, the GUI showing 'GMT Daylight Time' for me.
      
      I found a converter here https://www.epochconverter.com/ldap which is actually pretty cool.
      
      So, we could do,
      
      # Attribute name corrected (the original had "...computer"); the value is a property of the
      # returned user object, so it has to be read from it before doing the arithmetic.
      $pwdEx = Get-ADUser $user -Properties msds-UserPasswordExpiryTimeComputed
      # 864000000000 = 100-nanosecond intervals per day; the attribute counts from 1 Jan 1601
      $expiresOn = (Get-Date 1/1/1601).AddDays($pwdEx.'msds-UserPasswordExpiryTimeComputed' / 864000000000)
      
      which would give you $expiresOn, which is the expected value in readable date format.
      
      It seems like a reasonable method which I may implement in future revisions.
      
      Get-AdUser Rob -properties msds-userPasswordExpiryTimeComputed
      131497949486025048
      
      
      
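The conversion discussed in this thread and the negative-days question further down, worked through as an added example (not code from Robert's script or from any poster). It converts the raw msDS-UserPasswordExpiryTimeComputed value with [DateTime]::FromFileTime, which applies the local UTC offset and so sidesteps the one-hour mismatch mentioned above, and it treats the attribute's two sentinel values (0 and Int64.MaxValue) as "no expiry date". The function names and the sample value handling are assumptions of this example; the ActiveDirectory module is only needed for the commented Get-ADUser call at the end.

```powershell
# Added example: convert msDS-UserPasswordExpiryTimeComputed to a local DateTime
# and a days-to-expire count. ConvertFrom-PasswordExpiryTicks / Get-DaysToExpire
# are names chosen for this example, not functions from the script.

function ConvertFrom-PasswordExpiryTicks {
    param([Parameter(Mandatory)][Int64]$Ticks)

    # The attribute is a FILETIME: 100-nanosecond intervals since 1 Jan 1601 UTC.
    # Two sentinel values carry no date and must not be fed into date arithmetic:
    #   0                 - pwdLastSet is 0 (user must change password at next logon)
    #   [Int64]::MaxValue - password never expires (DONT_EXPIRE_PASSWD or no maxPwdAge)
    if ($Ticks -le 0 -or $Ticks -eq [Int64]::MaxValue) { return $null }

    # FromFileTime returns local time, so the result matches what ADSI Edit shows
    # ('GMT Daylight Time' in the thread) instead of being an hour out.
    return [DateTime]::FromFileTime($Ticks)
}

function Get-DaysToExpire {
    param([Parameter(Mandatory)][Int64]$Ticks, [DateTime]$Today = (Get-Date))

    $expiresOn = ConvertFrom-PasswordExpiryTicks -Ticks $Ticks
    if ($null -eq $expiresOn) { return $null }

    # New-TimeSpan yields a negative count for passwords that have already expired;
    # the script only processes positive values, so a caller can filter on that.
    return [Math]::Round((New-TimeSpan -Start $Today -End $expiresOn).TotalDays)
}

# Constructed sample input: the value Rob's account returned earlier in this thread.
# It decodes to 13 September 2017 16:49:08 UTC, so from a later date $days is negative.
$sample    = 131497949486025048
$expiresOn = ConvertFrom-PasswordExpiryTicks -Ticks $sample
$days      = Get-DaysToExpire -Ticks $sample
"Expires on: $expiresOn ($days days from today; negative means already expired)"

# Sentinel handling: never-expires and must-change-at-logon accounts return $null.
"Never expires -> " + (ConvertFrom-PasswordExpiryTicks -Ticks ([Int64]::MaxValue))
"Must change   -> " + (ConvertFrom-PasswordExpiryTicks -Ticks 0)

# Against live accounts (requires the ActiveDirectory module / ADWS):
# Get-ADUser -Filter {Enabled -eq $true} -Properties msDS-UserPasswordExpiryTimeComputed |
#     ForEach-Object {
#         [pscustomobject]@{
#             User      = $_.SamAccountName
#             ExpiresOn = ConvertFrom-PasswordExpiryTicks -Ticks $_.'msDS-UserPasswordExpiryTimeComputed'
#             Days      = Get-DaysToExpire -Ticks $_.'msDS-UserPasswordExpiryTimeComputed'
#         }
#     }
```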
  • A little bug
    2 Posts | Last post July 13, 2017
    • Hi Robert,
      
      Thanks for the script, I have tested it.
      I think it has a small bug, because it doesn't use $LogPath variable properly.
      If you set '\' character at the end of the LogPath param, the script doesn't use it.
      Please change this code, if you agree with me:
      
      if(!($logPath.EndsWith("\"))) 
          { 
             $logFile = $logPath + "\" 
          } 
      
      to:
      
      if(!($logPath.EndsWith("\"))) 
          { 
             $logFile = $logPath + "\" 
          } 
      else
          { 
             $logFile = $logPath
          } 
    • I think you are right, but I think it is solved more easily this way:
      
          if(!($logPath.EndsWith("\")))
          {
             $logPath = $logPath + "\"
          }
          $logFile = $logPath + $logFileName
  • Negative expiration days
    2 Posts | Last post July 12, 2017
    • Hey Robert,
      thanks for this script, it works like a charm. But there is one thing I miss. We're currently rolling out our new password restrictions so they will have an expiration day. Most of our users have passwords so old, I could count up to 1000 days and more. How can I handle that? Is it possible to get the negative count for mail subject and body?
    • Hi Florian,
      
      Yes, it is possible to get that value, but I have gone to great lengths over the life of the script to eliminate it from being sent to users.
      
       Line 117 $daysToExpire = New-TimeSpan -Start $today -End $Expireson
      
      $daysToExpire will be the value you want, which may be negative.
      
      Only those with a positive value are processed into the reminder stage further into the script.
      