Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

 
 
 
 
 
4.6 Star
(153)
79,875 times
Add to favorites
Active Directory
8/7/2018
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • the lowest admin rights required
    2 Posts | Last post September 19, 2018
    • Hi
      what are the minimum admin rights required to run this script
      does it require domain admin rights 
      thanks
    • The account running the script needs the ability to read user properties on the OU your users reside in.
      
      It does not require any admin rights, you may want to add it to the backup operators group on the machine the script runs on, to allow it to logon as a batch job.
  • ReportTo
    1 Posts | Last post September 16, 2018
    • Hello, I am not very clear the function of the-report, I could explain, as I have understood according to the script sends to the account of the-reportto CSV file attached.
      
      { 
              $reportSubject = "Password Expiry Report" 
              $reportBody = "Password Expiry Report Attached" 
              try{ 
                  Send-Mailmessage -smtpServer $smtpServer -from $from -to $reportTo -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop  
              } 
              catch{ 
                  $errorMessage = $_.Exception.Message 
                  Write-Output $errorMessage 
              } 
          } 
  • Multiple Notifications Based on -like DistinguishedName
    2 Posts | Last post September 15, 2018
    • First of all - thanks for providing this script. Without it I doubt I would be able to produce anything functional for this need.
      
      That being said we have an AD environment with multiple OU's for different entities. Each of those entities have different support details and logos. One solutions is to have unique scripts to run for each entity and just update the $user query to pull based on a specific search base then just statically assign the unique variables in each script. Have that bit figured out already, and it works, but then we have to manage multiple scripts and what's the fun in that.
      
      I am curious how I could go about have the notification section start for each user by evaluating an if ($distinguishedname -like "*xxxxxxxxxxxxx" {$image=xxx $supportnumber=xxxx etc} elseif so on and so forth, then pass the right variables into the creation of the message.
      
      I will admit the whole technet gallery bit is new to me, and I'm not sure of an efficient way to search through the Q and A to see if this has been address already (other than scrolling page by page).
      
      Any help in either finding where this is already addressed, or in architecting a solution is greatly appreciated. 
      
      Ben
    • I dont think there are many questions like this - there are some on targeting OUs but not on changing variables based on OU. I think you are along the right lines with your current thinking.
  • Time
    2 Posts | Last post September 14, 2018
    • Good morning I have running script with testing option, immeditely answer on the shell how may users have password expiring in 14 days but it still in this windows no answer no logs no email
      Thanks in advance
      Davide
    • Sorry only take a time, after 20 minutes i have answer...I was thinking take a little bit time. Sorry
      
  • Different result
    4 Posts | Last post September 14, 2018
    • Hi Robert,
      
      I tested the script below in Powershell ISE, it seems to run correctly and send notification.
      
      c:\temp\PasswordChangeNotification.ps1 -smtpServer x.x.x.x -expireInDays 13 -from 'IT Support <test@xxx.com>' -Logging -LogPath 'c:\temp\logs' -reportTo test@xxx.com -interval 1,3,5,7,8,9 -testing -testRecipient test@xxx.com -status
      
      However, when I put this in schedule task with the action below, it doesn't send notification, the "PasswordSet" and "ExpiresOn" show exact same date and time, then "DaysToExpire" show negative.
      
      
      powershell.exe -command "c:\temp\PasswordChangeNotification.ps1 -smtpServer x.x.x.x -expireInDays 13 -from 'IT Support <test@xxx.com>' -Logging -LogPath 'c:\temp\logs' -reportTo test@xxx.com -interval 1,3,5,7,8,9 -testing -testRecipient test@xxx.com -status"
      
      For testing, instead of reading the day from policy, I hard coded the Default Max.Age to 10 days.  I have couple test users that their "PasswordSet" date on 5 sept and 7 sept 2018.  
      
      The condition are exactly the same, any reasons why the results are so different?
      
      Patrick
      
      
    • any suggestion?
    • Nope sorry that makes no sense to me.
    • Hi Robert, I found an incorrect line of code that I modified, so now the script fixed and working well.
      
      I am trying to get the report (only the report) to send to 2 email addresses, so I tried -reportTo 'test@xxx.com;test2@xxx.com', but it didn't even send the report.  
      
      If I need to use CC, will it send the notification email as well?  Anyway I am not sure how to put in this CC as parameter for sending report.
      
      Could you please help?
      
  • Credentials
    4 Posts | Last post September 12, 2018
    • How can i ask the user to enter their credentials in the script for a third party email service - such as Sendgrid ?
    • You can use the Get-Credential cmdlet.
    • Where exactly to use ? And anything in the argument when scheduling a task ? 
    • You can use this method when scheduling the script.
      
      https://www.youtube.com/watch?v=_-JHzG_LNvw
  • A way of CC to a generic email
    5 Posts | Last post September 10, 2018
    • Hi Robert,
      
      Script looks great, I haven't used it as of yet but plan to. I was wondering if there is a way of adding a single email address that all password notifications get copied into. Without having to add it to Active Directory
      
      We just want a copy off all the password reset emails that get sent out to the users so we can forward it on to them if they say they never received the email. We want to use this alongside the reportto function.
      
      Thanks
    • You can use the report function, or you can add a -cc to the send-mailmessage line 246 or 268 etc.
    • Hi Robert,
      
      Thanks for this. I am having trouble with the script. It runs fine but will not send emails. It has this error (the error is in the log file only): 
      "The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM [VI1PR0401CA0014.eurprd04.prod.outlook.com]"
      
      I have followed your SMTP credential guide and checked it and re followed the steps multiple times, just incase, and cannot figure out why it is not working. The email I am sending from is mine and I have full email and admin rights on our SMTP server (Office365)
      
      Any Ideas?
    • Have you tried creating a client connector in 365 which allow unauthenticated smtp? Just for testing.
    • Hi Robert,
      
      Just an update. I changed the smtp server to our MX record and it worked fine. I was originally using smtp.office365.com I did have to add the email sending out as the safe sender as it was putting all of the reminders into junk.
      
      Thanks
  • there is anyway to activate the script only for specific user?
    1 Posts | Last post September 06, 2018
    • there is anyway to activate the script only for specific user?
      
      Thank You
      
      Gil
      
  • Testing the notification function
    5 Posts | Last post September 05, 2018
    • Hi all, I tried modified the script and kind of worked the way I need, however I couldn't work a way to perform a full test run, wondering if someone could help.
      
      Most of the AD users are on never expired, so I created a test AD account, a new OU and a test GPO linked to the new OU (with max.pwd age set to 7 days for example)
      
      Firstly, I don't know why the test account PwdLastSet date is showing the same as ExpiresOn date, so the DayToExpires date is showing 0 day. Obviously, it can't send notification, even the script throw exception for null-valued
      
      Found 1 User Objects
      Domain Default Password Age: 
      Process User Objects
      1 Users processed
      1 Users with expiring passwords within 0 Days
      You cannot call a method on a null-valued expression.
      At C:\temp\PasswordChangeNotification.ps1:245 char:41
      +     $samLabel = $samAccountName.PadRight <<<< ($padVal," ")
          + CategoryInfo          : InvalidOperation: (PadRight:String) [], RuntimeException
          + FullyQualifiedErrorId : InvokeMethodOnNull
      
      
      Secondly, as for testing I didn't use the Default Domain Policy, instead I would like the script to get from the new GPO, but I couldn't get it to retrieve the max.pwd age date.
      
      Thirdly, how is it possible for the script to obtain users from TWO specific OU?  The reason being that we have separate OU for two offices, and different users are under two OU folders
      
      The script as it is, I can run it and schedule to run, and it will gather a list of users and details, but I couldn't see the notification email to user at this stage.
      
    • You need to research on having multiple password policies defined, and look at fine grained password policies.
      
      For searching multiple OUs, you can scroll through the Q&A as there and many examples of how to do this.
    • Thanks Robert.
      
      The log report has a title of "#TYPE System.Object", I am not sure where it got from, but is it possible to change to something more meaningful?
      
      BTW, great script, thank you so much.
      
    • One more question, since I am running this for 2 OUs, the script generate separate email report for each OU, it would be very helpful if the report filename could append with the targeted OU name, is this possible?
    • #TYPE System.Object
      This is because PowerShell is exporting an Object to CSV format.
      
      Yes it is possible to rename the log but would be quite complicated to explain here.
  • Incorrect days to expire
    2 Posts | Last post September 04, 2018
    • Hello,
      
      Does the script work for a max password age of 365 days?
      The user DaysToExpire values returned by the script are incorrect.
      The value Default Password Age is correct (365)
      If I run "net user username /domain" the password expires date is correct.
      
      Where can I check this?
      Thank you!
    • Answer: Our domain has implemented fine-grained password policies.
91 - 100 of 532 Items