Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

Active Directory
8/7/2018


  • Not sending email when task scheduler, or batch file used to run
    1 Posts | Last post Sat 1:32 AM
    • I did see other comments that this issue has happened to others, but I don't know if I saw an answer. I can run the script from a PowerShell console, and it sends email to users with expiring accounts, but when using it with Task Scheduler it logs the email as "skipped interval". I am calling it from a batch file, using this syntax:
      cd C:\Pscript
      powershell.exe -file C:\Pscript\PasswordChangeNotification.ps1 -smtpServer [FQDN of internal server name] -expireInDays 10 -from "Password Change <help@mydomain.com>" -Logging -LogPath "c:\SMTPFiles" -reportTo report@mydomsin.com -interval 0,1,2,5,6,7,8,10
      
      Any comments on what my error is would help greatly; thank you in advance.
  • only 1 user Object Found
    2 Posts | Last post Fri 10:10 PM
    • Ran the script and it is only finding 1 user object.
      I then tried running it as administrator and now it shows 28 user objects. However, this domain has 100+ user accounts. It is also saying 0 users to notify when a manual report shows users will expire tomorrow.
      
      Thank you for your assistance. 
    • Answering my own question. Basically the script was working fine; I had a misconception about the company: 28 user objects were correct, and so was the 0 notifications for my set time of 15 days. However, I will share some new info: I was able to change the SMTP port so this would work on an Azure server. Added in the Port parameter and moved the other parameters down.
      
      param( 
          # $smtpServer Enter Your SMTP Server Hostname or IP Address 
          [Parameter(Mandatory=$True,Position=0)] 
          [ValidateNotNull()] 
          [string]$smtpServer, 
          # $Port Enter Your SMTP Server port number 
          [Parameter(Mandatory=$True,Position=1)] 
          [ValidateNotNull()] 
          [string]$Port, 
          # Notify Users if Expiry Less than X Days 
          [Parameter(Mandatory=$True,Position=2)] 
          [ValidateNotNull()] 
          [int]$expireInDays, 
          # From Address, eg "IT Support <support@domain.com>" 
          [Parameter(Mandatory=$True,Position=3)] 
      
      etc. The rest of the param( section is the same, just the Position numbers moved up one.
      
      With this change the following command works. 
      
      Powershell.exe -ExecutionPolicy Bypass c:\PasswordExpire\PasswordChangeNotification.ps1 -smtpServer smtp.srvr.com -Port 2500 -expireInDays 15 -from support@techguyIT.com
      
  • Send Mail Failure
    2 Posts | Last post Fri 2:55 AM
    • I apologize if this has been answered before, but I did not see it posted here.
      I am unable to get the send mail function to work correctly. I've made a few different modifications, but I continue to get this error even with the 'stock' script downloaded from here.
      "An invalid character was found in the mail header: '<'."
      I can't seem to find which '<' is causing the send mail piece to have issues. Have you seen this before?
      Thanks!
    • Please disregard. I was simply missing the trailing '>' on the From address...
  • Get-ADDefaultDomainPasswordPolicy may not work for AWS provisioned domains
    1 Posts | Last post March 16, 2019
    • Hi!
      Just wanted to let you know that AWS doesn't allow modifying the default domain policy in their provisioned Windows AD. Instead they only give you permissions to administer one OU, so Get-ADDefaultDomainPasswordPolicy always returns 42 days.
      Apparently they have something blocking Get-ADUserResultantPasswordPolicy too, despite the domain level being windows2012r2,
      so I had to work around that and came to a solution like this:
      
      $defaultMaxPasswordAge = [convert]::ToInt32((net accounts | ForEach-Object { if ($_ -match "^Maximum password age \(days\):\s+(\d+)$"){$Matches.1}}),10)
      
      This always returns the correct policy set by the domain group policy applied to the OU the server is in.
      That also works great on domain level windows2008.
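The workaround above hard-wires the net accounts parse. As an added example (not code from the script or from the commenter), the function below wraps the same idea with a fallback order: ask the AD cmdlets first, fall back to net accounts when they fail, and a switch to skip the cmdlets entirely for environments like the AWS-managed domain described above, where they answer but with the wrong value. The function name and the -ForceNetAccounts switch are this example's own; the ActiveDirectory module is assumed.

```powershell
# Added example, not code from the original script or from the comment above.
# Returns the effective maximum password age in days for one account.
# Order: fine-grained policy (overrides the default domain policy) -> default
# domain policy -> the "net accounts" output of this host, which reflects the
# policy actually applied here. -ForceNetAccounts goes straight to net accounts.
function Get-MaxPasswordAgeDays {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$ForceNetAccounts   # this example's own switch
    )

    if (-not $ForceNetAccounts) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction Stop
            if ($fgpp) { return [int]$fgpp.MaxPasswordAge.TotalDays }
            $default = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
            if ($default -and $default.MaxPasswordAge.TotalDays -gt 0) {
                return [int]$default.MaxPasswordAge.TotalDays
            }
        } catch {
            Write-Verbose "AD policy cmdlets failed ($($_.Exception.Message)); using net accounts"
        }
    }

    # Parse the line "Maximum password age (days):   42" from net accounts.
    # Matching \S+ instead of \d+$ tolerates trailing spaces and the value
    # "Unlimited", which is returned as 0 so the caller can treat it as "never expires".
    $pattern = '^Maximum password age \(days\):\s+(\S+)'
    $line = net accounts | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw 'Could not read the maximum password age from net accounts' }
    $null = $line -match $pattern
    if ($Matches[1] -ieq 'Unlimited') { return 0 }
    return [int]$Matches[1]
}

# Usage (replace the account name):
# $defaultMaxPasswordAge = Get-MaxPasswordAgeDays -SamAccountName 'jdoe' -ForceNetAccounts
```

The net accounts text is localized, so the regex only matches on English-language hosts; on a non-English server adjust the label, or keep the AD cmdlets as the primary source where they can be trusted.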
  • Can you recommend how to customize your script CC. manager of user
    2 Posts | Last post March 07, 2019
    • Hi Robert | I have configured your script and everything is working normally, but my leader would like to customize your script to CC the manager of the user as well. Could you recommend how, or not?
      
      Thanks. 
    • Yes, someone else asked that in the comments below. You need to capture the user's manager from AD, then get their email address and add that to the -cc.
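One way to do what the reply describes, as an added example that is not part of the script or of this thread. It assumes the ActiveDirectory module and that the script's per-user loop exposes the current account as $user alongside its existing $smtpServer, $from, $emailAddress, $subject and $body variables; the helper function name is this example's own.

```powershell
# Added example, not the script's own code. Resolves the manager's mail address
# for one user, or $null when there is no manager, the manager is disabled, or
# the manager has no address, so the caller only adds -Cc when it has a value.
function Get-ManagerEmailAddress {
    param([Parameter(Mandatory)]$User)   # ADUser object, DN or sAMAccountName
    $u = Get-ADUser -Identity $User -Properties Manager -ErrorAction Stop
    if (-not $u.Manager) { return $null }
    # The Manager attribute is the manager's distinguished name, which Get-ADUser accepts as -Identity
    $m = Get-ADUser -Identity $u.Manager -Properties EmailAddress, Enabled -ErrorAction Stop
    # Skip disabled managers: their mailbox may be gone or forwarded to someone unexpected
    if (-not $m.Enabled -or [string]::IsNullOrWhiteSpace($m.EmailAddress)) { return $null }
    return $m.EmailAddress
}

# Inside the script's per-user loop (assumed variables: $user, $smtpServer,
# $from, $emailAddress, $subject, $body). Splatting lets -Cc be added only
# when a value exists; Send-MailMessage rejects an empty -Cc just like an empty -To.
$mailParams = @{
    SmtpServer  = $smtpServer
    From        = $from
    To          = $emailAddress
    Subject     = $subject
    Body        = $body
    BodyAsHtml  = $true
    Priority    = 'High'
    ErrorAction = 'Stop'
}
$managerMail = Get-ManagerEmailAddress -User $user.SamAccountName
if ($managerMail) { $mailParams['Cc'] = $managerMail }
try {
    Send-MailMessage @mailParams
} catch {
    Write-Output "Failed to notify $emailAddress (cc $managerMail): $($_.Exception.Message)"
}
```

Copying the manager means the notification now discloses to a second person that an account is about to expire; in the logged report that is usually fine, but keep the body free of anything more sensitive than the expiry date.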
  • Cannot validate argument on parameter 'To'.
    4 Posts | Last post March 07, 2019
    • Hey Robert,  I have configured and tested w/o issue.  I receive my test notifications and all looks great.  When I go to run this live, I am receiving the following error when attempting to send to a user:
      
      Cannot validate argument on parameter 'To'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
      
      No email goes out.  I do not see a To parameter anywhere in the script however.  
      
      Where do I need to look?  or update?
      
      Thanks
      JH
      
    • -To is a parameter of Send-MailMessage; it is set to use $emailAddress.
      
      So, I would guess that one or more of your users does not have an email address stored in Active Directory.
    • I am assuming you are referring to the 'mail' attribute in AD, correct? I show in the report that there are email addresses populated. Here is one example:
      
      in 5 days.	zografoss	Sheila Zografos	zografoss@sd5.k12.mt.us	9/10/2018 7:06	5	3/9/2019 7:06	Cannot validate argument on parameter 'To'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
      
      The EmailAddress column is showing the correct address for the user. 
      
      
      
    • Are you able to use Send-MailMessage on its own to that recipient?
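Whatever the cause in this particular case, the error itself is avoidable: check the address before the send loop rather than letting Send-MailMessage fail per user. The following is an added example, not the script's own code; the function name is this example's own, and the sample objects are constructed to stand in for Get-ADUser output so the block runs without a domain.

```powershell
# Added example, not the script's own code. Divides the expiring users into
# those with a usable address and those without, so "argument is null or empty"
# never reaches Send-MailMessage and the gaps are reported instead.
function Split-UsersByEmailAddress {
    param([Parameter(Mandatory)][object[]]$Users)
    $ready   = [System.Collections.Generic.List[object]]::new()
    $missing = [System.Collections.Generic.List[object]]::new()
    foreach ($u in $Users) {
        # EmailAddress is the ADUser property backed by the 'mail' attribute;
        # whitespace-only values are treated the same as absent ones.
        if ([string]::IsNullOrWhiteSpace($u.EmailAddress)) { $missing.Add($u) }
        else { $ready.Add($u) }
    }
    [pscustomobject]@{ Ready = $ready; Missing = $missing }
}

# Constructed sample input (not real accounts)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; EmailAddress = 'alice@example.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   EmailAddress = $null }
    [pscustomobject]@{ SamAccountName = 'carol'; EmailAddress = '   ' }
)
$split = Split-UsersByEmailAddress -Users $sample
$split.Missing | ForEach-Object { Write-Warning "No mail attribute for $($_.SamAccountName); skipping" }
"Ready to notify: $($split.Ready.Count), missing address: $($split.Missing.Count)"

# Against a real domain (ActiveDirectory module required) replace $sample with:
# $users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" -Properties EmailAddress, PasswordLastSet
# and pass only $split.Ready into the loop that calls Send-MailMessage -To $emailAddress.
```

Writing the Missing list into the same report the script already mails out turns a silent per-user failure into an actionable list of accounts whose directory data needs fixing.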
  • How to Use This Script?
    2 Posts | Last post March 04, 2019
    • I have tried several times but am not able to use this script properly. Do you have a video to help me understand?
    • https://www.youtube.com/user/robtitlerequired
      
      Yes, all the videos for version 2.
  • How to pass parameters
    3 Posts | Last post March 01, 2019
    • Hello 
      
      I would like to know how to pass parameters to the script to send the report file to more than one person. I am using this: -reportto FirstEmail@domain.com;SecoundEmail@domain.com but it doesn't work.
    • I'm fairly sure it is a comma-separated list that Send-MailMessage supports, not a semicolon. However, the parameter is expecting a string, so you may need to enclose your list inside quotes.
      
      -to "recipient1@domain.com,recipient2@domain2.com"
    • Hi Gary,
      at the bottom of the script:
      $reportBody = "Password Expiry Report Attached"
              try{
                  Send-Mailmessage -smtpServer $smtpServer -from $from -to $reportTo.Split(",") -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
              }
              catch{
                  $errorMessage = $_.Exception.Message
                  Write-Output $errorMessage
              }
      
      
      change $reportTo to $reportTo.Split(",") and add recipients as comma-separated values in your Task Scheduler arguments, like this:
      "C:\scripts\PasswordChangeNotification.ps1 -smtpServer <your.smtp.server> -expireInDays 11 -from 'your@mail.com' -Logging -LogPath 'c:\logFiles'  -reportTo 'rec1@domain.com,rec2d@domain.com,rec3@domain.com' -interval 1,2,5,10"
      
      I had the same issue and it is now solved. Robert, if possible, amend that for your next version.
      
      
  • Task scheduler Access Denied
    6 Posts | Last post February 28, 2019
    • Hi, I've been able to get the script running explicitly from PowerShell itself and have followed the YouTube guide for this.
      
      However when I try to execute my script with my custom AD user (everything is hosted on the domain controller) it gives me access denied.
      
      Task Scheduler failed to start instance "{instance id}" of "\Password expiry email"  task for user "domain\passwordreminderuser" . Additional Data: Error Value: 2147942405.
      
      AND
      
      Task Scheduler failed to launch action "C:\Windows\System32\WindowsPowerShell\v1.0\" in instance "{instance id}" of task "\Password expiry email". Additional Data: Error Value: 2147942405.
      
      For my user it didn't matter if I had it set to log on as batch, log on as local service and/or allow log on locally. In addition I added it to the domain\administrators group, thinking that might be preventing it from executing PowerShell; however, it does not work.
      
      1) Under General: Run whether user is logged on or not, and with highest privileges
      2) General is set to run with my created passwordreminderuser, with the correct password already entered.
      3) I set the task settings to stop the existing instance of the task if it's already running
      
      See the imgur album for additional details, including the script I'm trying to execute:
      
      https://imgur.com/a/xJtmcp0
      
      I've tried numerous things such as using my domain admin to execute the script, and it keeps failing with the same error, running it as the logged-on user. The only thing I haven't done yet is reboot the server.
      
      And logs, of course, do not save when using Task Scheduler.
      
    • Why is there an & at the beginning of your command?
      
      Program/Script should just be 'powershell.exe'
      
      Please review, https://www.youtube.com/watch?v=xbzxWOarVuk
    • Hi thanks for the update and for continually working with users who implement your script.
      
      I've reverted my modifications and now have it matching your syntax. However, when I go to execute it, the task completes successfully with the last run result being 0x1.
    • Does the script execute?
    • Hi, yes, it works its way through the Task Scheduler process; however, when it executes it gives:
      
      Task Scheduler successfully completed task "\Password expirey email" , instance "{54455454-e18d-4a7c-82da-49060c7d08cf}" , action "powershell.exe" with return code 1.
    • I think I resolved it; looks like it might've been failing to execute due to execution policy settings.
      
      As per: https://stackoverflow.com/questions/13015245/powershell-script-wont-execute-as-a-windows-scheduled-task
      
      -noninteractive -nologo  -Command "&'D:\IT\Scripts\PasswordChangeNotification.ps1' -smtpServer .mail.protection.outlook.com -expireInDays 21 -from 'IT Support <support@domain.com>' -reportTo email@domain.com -interval 1,2,5,10,15 -testing -testrecipient account@clientdomain.com -logging -logPath 'D:\IT\Scripts\Log Files'"
  • Mail not working via Task Scheduler
    2 Posts | Last post February 22, 2019
    • The script works fine when running from a command via PowerShell, but the same via the Task Scheduler won't fire the e-mail. And it does do something, since the log file is updated. It's just the mail that is not being sent as soon as I start it up via the Scheduler.
      
      Should I use -Command or -File ?
      
      -File "C:\admin\PasswordChangeNotification.ps1" -expireInDays 21 -Logging -testing -testRecipient xxx@xxx.com -interval 1,3,7,8
      
      The other parameters are in the PS1. But the default also works the same way: works via PowerShell, also Scheduler, except the mail.
    • I use -Command.
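The "Task scheduler Access Denied" thread and this "Mail not working via Task Scheduler" thread both come down to how the task is registered. The following is an added example, not the script author's own setup, that registers the task the way those threads converge on: the Program/Script is powershell.exe alone, everything else goes in the argument string, -NonInteractive and -NoProfile keep it from waiting on a console, and an explicit -ExecutionPolicy removes the 0x1 exit seen when the machine policy blocks scripts. It uses -File; the -Command "& '...'" form quoted above works the same way. All paths, the account name and the SMTP/mail values are placeholders.

```powershell
# Added example, not from the script's author. Registers the notification
# script as a scheduled task. Replace every placeholder before running.
$scriptPath = 'C:\Scripts\PasswordChangeNotification.ps1'   # placeholder
$logDir     = 'C:\Scripts\Log Files'                          # placeholder (space on purpose)
$taskUser   = 'DOMAIN\passwordreminderuser'                   # placeholder service account
$taskName   = 'Password expiry email'

# Build the argument string; paths are quoted so the space in $logDir survives.
$arguments = @(
    '-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass',
    '-File', ('"{0}"' -f $scriptPath),
    '-smtpServer', 'smtp.example.com',                        # placeholder
    '-expireInDays', '21',
    '-from', '"IT Support <support@example.com>"',             # keep the closing > (see the header error above)
    '-reportTo', 'helpdesk@example.com',                       # placeholder
    '-interval', '1,2,5,10,15',
    '-Logging', '-LogPath', ('"{0}"' -f $logDir)
) -join ' '

$action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments -WorkingDirectory (Split-Path $scriptPath)
$trigger  = New-ScheduledTaskTrigger -Daily -At '06:00'
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Prompt for the service account's password instead of embedding it in this file.
# Supplying -User/-Password registers the task as "run whether user is logged on
# or not"; -RunLevel Highest is the GUI's "Run with highest privileges".
$cred = Get-Credential -UserName $taskUser -Message "Password for $taskUser"
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $taskUser -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force

# The account also needs the "Log on as a batch job" right on this host.
# Verify by running the task once and reading the result (0 = success,
# 1 = powershell.exe exited with an error, so check the script's own log).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 30
(Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
```

Because the task runs without a console, nothing the script writes to the screen is visible; the -Logging/-LogPath arguments are what tell you whether the mail step ran, so point $logDir at a folder the service account can write to.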
      
      