Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

4.6 Star (153) | 79,752 times | Active Directory | 8/7/2018

  • Cannot process argument transformation on parameter 'logging'
    1 Posts | Last post June 24, 2019
    • Hi Robert,
      First of all, thanks for the script, it is exactly what I was looking for.
      I'm having an issue that maybe you can help me with.
      Whenever I run the script after I adjust it to my company details I get this message:
      
      C:\Scripts\PasswordChangeNotification.ps1 : Cannot process argument transformation on parameter 'logging'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter". Boolean parameters accept only Boolean values and 
      numbers, such as $True, $False, 1 or 0.
          + CategoryInfo          : InvalidData: (:) [PasswordChangeNotification.ps1], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : ParameterArgumentTransformationError,PasswordChangeNotification.ps1
      
      Any idea what the issue can be?
  • Task scheduler script running issue
    2 Posts | Last post June 12, 2019
    • Hi Robert thanks for a great script ,appreciate the work involved in setting it up.
      I have an issue running the script in task scheduler. It works fine through powershell. When I run it in task scheduler it appears to run successfully, result (0x0), but it does not create a new log file or appear to send any email.
      Here are the parameters
      
      -ExecutionPolicy Bypass -File c:\gosys\passwordchangenotificationnew.ps1 -smtpServer aaa-com-au.mail.protection.outlook.com -from "IT Support <adminnoreply@gosys.com.au>" -expireInDays 15 -logging -logPath 'C:\GoSys' -interval 14,7,3,2,1
    • Use -command instead of -file.
  • error while running the script to connect to AD
    6 Posts | Last post June 10, 2019
    • get-aduser : Unable to find a default server with Active Directory Web Services running.
      At E:\python-script\PasswordChangeNotification.ps1:132 char:10
      + $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverE ...
      +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
          + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADUser
      
      Found 0 User Objects
      Get-ADDefaultDomainPasswordPolicy : Unable to find a default server with Active Directory Web Services running.
      At E:\python-script\PasswordChangeNotification.ps1:137 char:27
      + ... swordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxP ...
      +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ResourceUnavailable: (BIZWESTAD:ADDefaultDomainPasswordPolicy) [Get-ADDefaultDomainPasswordPolicy], ADServerDownException
          + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADDefaultDomainPasswordPolicy
    • Sounds like you have an older domain, maybe 2008?
      You need AD Web Services in order to use the PowerShell AD cmdlets.
      https://blogs.msdn.microsoft.com/adpowershell/2009/04/06/active-directory-web-services-overview/
    • Hi Robert
      
      Thanks for the reply. We are using Active Directory on Windows 2016.
      Also the ADWS service was not running, I started it,
      but still it's not working.
      When I try to execute the command from PowerShell it returns the error below:
      PS C:\Users\administrator.BIZWESTAD> Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'InactiveClientData_SQL:636'
      Get-ADUser : Server instance not found on the given port.
      At line:1 char:1
      + Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   - ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
          + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
      
    • You need to refine your Get-ADuser query so that it returns results.
    • Hi Robert 
      
      can you give me some more clarity ?
    • The script relies on results from Get-AdUser.
      
      If your get-aduser command produces an error, or no results then the script has no data to work with.
      
      Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'InactiveClientData_SQL:636'
      
      So your command is generating an error from the -server parameter.
      Is this actually your server address? 'InactiveClientData_SQL:636' 
      
      What if you omit that parameter, does it return results?
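The check behind Robert's last two replies, as an added example that is not part of the script on this page. The AD cmdlets do not speak LDAP on 389/636; they talk to Active Directory Web Services on TCP 9389, which is why a -Server value ending in ':636' cannot work. The snippet locates a domain controller that advertises ADWS, proves the port is reachable, runs the same enabled/expiring user query the script uses, and stops when it comes back empty. The search base 'OU=Users,DC=BIZWESTAD,DC=INFO' is the one quoted in the thread and is only a placeholder.

```powershell
# Added example, not code from the notification script. Assumes the ActiveDirectory
# module is installed and the account running it can query the domain.
Import-Module ActiveDirectory

function Find-AdwsServer {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # -Discover -Service ADWS asks the DC locator for a controller that runs ADWS;
    # a 2008-era DC without the service will never be returned here.
    $params = @{ Discover = $true; Service = 'ADWS'; ErrorAction = 'Stop' }
    if ($Domain) { $params.DomainName = $Domain }
    $dc = Get-ADDomainController @params
    $hostName = [string]$dc.HostName[0]

    # ADWS listens on 9389, not on the LDAP/LDAPS ports.
    $tcp = Test-NetConnection -ComputerName $hostName -Port 9389 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "ADWS port 9389 on $hostName is not reachable from $env:COMPUTERNAME"
    }
    return $hostName
}

function Get-ExpiringUserCandidates {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$SearchBase = 'OU=Users,DC=BIZWESTAD,DC=INFO'   # placeholder from the thread
    )
    # Same population the script notifies: enabled accounts whose password can expire.
    $users = @(Get-ADUser -Server $Server -SearchBase $SearchBase `
        -Filter { (Enabled -eq $true) -and (PasswordNeverExpires -eq $false) } `
        -Properties mail, PasswordLastSet -ErrorAction Stop)

    # "Found 0 User Objects" means the report will be empty and nobody is mailed;
    # fail loudly instead of exiting 0 with nothing done.
    if ($users.Count -eq 0) {
        throw "Get-ADUser returned 0 objects under '$SearchBase' via $Server; check the OU path and -Server value."
    }
    return $users
}

$server     = Find-AdwsServer
$candidates = Get-ExpiringUserCandidates -Server $server
Write-Host "Using ADWS on $server; found $($candidates.Count) user objects"
```

If you do need to pin a specific controller, pass it as "-Server 'dc01.bizwestad.info:9389'" (host and ADWS port), not the LDAPS port.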
  • Searching only specific group users
    2 Posts | Last post June 06, 2019
    • Any way to filter this to only look at accounts in a specific group rather than the whole domain?
    • Yes, easy.
      This was made for the earlier version, but the method still works.
      https://www.youtube.com/watch?v=4CX9qMcECVQ
  • task scheduler
    2 Posts | Last post June 06, 2019
    • Great script.
      It runs fine within PowerShell,
      however it doesn't run when I put it into Task Scheduler.
      
      This is the command I'm entering:
      
      -Command "d:/scripts/PasswordChangeNotification.ps1 -smtpServer nhex03 -expireInDays 21 -from 'IT Support<noreply@etelimited.co.uk' -reportTo paul.webber@etelimited.co.uk -status -interval 1,2,5,7,15"
      
      
    • d:/scripts/PasswordChangeNotification.ps1
      
      try
      
      d:\scripts\PasswordChangeNotification.ps1
  • subject line "."
    2 Posts | Last post May 23, 2019
    • I get a "." on the subject line of the email, not sure how to get rid of it. Any help or pointers as to how to get the period off the subject line?
    • just a "." or is that included in the subject?
      
      what is $subject set to?
      on the send-mailmessage line, what is -subject set to?
  • Not sending email
    2 Posts | Last post May 23, 2019
    • Great script. The log file is showing SendMail = OK, but no email is sent when using the -interval option.
      
      Powershell.exe -Command C:\Path\PasswordChangeNotification.ps1 -smtpServer smtp.server.nl -expireInDays 28 -from "helpdesk@domain.com" -Logging -LogPath "C:\path\LogFiles" -testing -testRecipient test@domain.com -interval "0,1,7,14,28"
    • Don't put the interval inside quotes.
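The three Task Scheduler threads above (the 'logging' SwitchParameter error, the job that returns 0x0 but does nothing, and the quoted -interval) are all parameter-binding problems, and they are easiest to see with a stand-in script that echoes how each argument arrived. Added example, not the notification script itself; the path C:\Scripts\ParamCheck.ps1 and the server names are placeholders. With -File, powershell.exe passes every argument as a literal string, so a Boolean given to a switch and a comma list given to an int[] both fail to bind; with -Command the line is parsed by PowerShell, so 14,7,3,2,1 is an array, while "0,1,7,14,28" in quotes is still one string.

```powershell
# Added example, not code from the notification script. Save as C:\Scripts\ParamCheck.ps1
# (hypothetical path) and run it with the exact argument string from the scheduled task
# before trusting the real job.
#
# Task Scheduler action that binds correctly:
#   Program:   powershell.exe
#   Arguments: -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Scripts\ParamCheck.ps1' -smtpServer smtp.example.test -from 'IT Support <noreply@example.test>' -expireInDays 15 -logging -logPath 'C:\Scripts' -interval 14,7,3,2,1"
#
# If you must use -File, switches take the colon form and arrays must be given one
# element per argument is NOT possible; keep -Command for array parameters:
#   -File C:\Scripts\ParamCheck.ps1 -logging:$true      (switch works)
#   -File C:\Scripts\ParamCheck.ps1 -interval 14,7,3,2,1 (arrives as the string "14,7,3,2,1")
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$smtpServer,
    [Parameter(Mandatory)][string]$from,
    [int]$expireInDays = 14,
    [switch]$logging,               # no value: present or absent
    [string]$logPath = $PSScriptRoot,
    [int[]]$interval                # typed, so a quoted "0,1,7" fails loudly instead of silently never matching
)

# Echo what was actually bound and under which identity, so a job that "succeeds" with
# exit code 0 but writes no log and sends no mail can be diagnosed from this output.
$diag = [ordered]@{
    RunAs        = [Environment]::UserName
    Host         = $Host.Name
    ScriptPath   = $PSCommandPath
    Bound        = ($PSBoundParameters.Keys -join ', ')
    Logging      = $logging.IsPresent
    LogPath      = $logPath
    LogWritable  = Test-Path -Path $logPath -PathType Container
    IntervalType = if ($interval) { $interval.GetType().Name } else { '(none)' }
    Interval     = if ($interval) { $interval -join '|' } else { '(none)' }
}
$text = ($diag | Format-List | Out-String)
Write-Output $text

if ($logging) {
    # Mirror the real script: write to the log directory; if the task account lacks
    # rights here, this throws and the task shows a non-zero result instead of 0x0.
    $text | Out-File -FilePath (Join-Path $logPath 'ParamCheck.log') -Append -ErrorAction Stop
}
```

Run the scheduled task once with this stand-in and read the log: if Interval shows a type other than Int32[] or Logging is False, the argument string is wrong, not the notification script. Also check RunAs; a task running as a service account that cannot reach the SMTP relay or write to the log path will still report 0x0 if the script swallows its own errors.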
  • Multiple email domains, one AD domain
    7 Posts | Last post May 21, 2019
    • Great script, been using it for several months now and the amount of requests from users who are locked out because they didn't change their password in time has decreased. However, I just noticed that some folks aren't getting the notification because their email domain is not the same as the primary domain. My AD domain is mycompany.int. User log-in accounts are first.last@mycompany.com, or a subsidiary company first.last@othercompany.com. I happen to have @othercompany.com for my email address. I received the pop-up to change my password as it was expiring in the taskbar, so I do get Windows alerts. I did not notice my address in the daily password report I run, and I also noticed no other users with @othercompany.com addresses have appeared. I think they did at one time, and so maybe it's an O365 change, as I didn't make a change in your script. Would there be some reason why your script only sends to @mycompany.com email addresses? The account I use to send the alerts to users and the daily report is password.reminder@mycompany.com. The only time an email wasn't sent out was when the email field of the user account was blank. Any way to make sure all users, even the @mycompany.int ones, which I know will fail, will get an email? The @mycompany.int accounts are admin accounts, and I can email those user's regular account to let them know to change the admin account password. Thanks again for the great script.
    • It will attempt to send the message to whatever $emailAddress is set as. The log should tell you what address the notification was sent to, or attempted to be sent to.
      
      It is possible, if the domain is external, that it won't allow you to relay emails, and you will need to use authentication.
    • Log doesn't show attempts to send to any of the @othercompany.com domains - they are still internal, just another domain on the DC. Users with the @othercompany.com domain are mixed in the same OU, so it's not having to check a specific one.
      
      Is there a way to run the script to check for a specific user? Then I see if it finds the handful of @othercompany.com users.
    • Might need more info on your environment.
      
      Are all your email domains on Office 365?
      Are all the email addresses stored in AD?
    • Sorry for late reply. Email domains on O365, email addresses stored in the "E-Mail Address" field on local AD. I run the script from the DC as well.
    • Are you able to use PowerShell Send-MailMessage to email that domain separately from the script?
    • Yes, Tried a test message to @othercompany.com from password.reminder@mycompany.com, and it came through. I get the daily reports as well, and my email is myemail@othercompany.com.
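An added example, not part of the script on this page, that serves two threads above: "Searching only specific group users" (restrict the population to one AD group) and the unanswered "Is there a way to run the script to check for a specific user?" in this thread. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller calculates from the effective (domain or fine-grained) policy, so no MaxPasswordAge arithmetic is needed. The group name 'PasswordReminders' and user 'jdoe' are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not code from the notification script.
Import-Module ActiveDirectory

function Get-PasswordExpiryInfo {
    param([Parameter(Mandatory)][string[]]$Identity)   # samAccountName or distinguishedName
    $props = 'mail', 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    foreach ($id in $Identity) {
        $u = Get-ADUser -Identity $id -Properties $props -ErrorAction Stop
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'   # Int64 FILETIME
        # 0 or Int64.MaxValue means the password does not expire (flag set, or no max age in policy)
        $expires = $null
        if ($raw -and $raw -ne [Int64]::MaxValue) { $expires = [datetime]::FromFileTime($raw) }
        $days = $null
        if ($expires) { $days = [math]::Floor(($expires - (Get-Date)).TotalDays) }
        $domain = '(none)'
        if ($u.mail) { $domain = ($u.mail -split '@')[-1].ToLower() }

        [pscustomobject]@{
            UserName     = $u.SamAccountName
            Enabled      = $u.Enabled
            Email        = $u.mail
            EmailDomain  = $domain        # quick way to see whether @othercompany.com users are in the data at all
            PasswordSet  = $u.PasswordLastSet
            ExpiresOn    = $expires
            DaysToExpire = $days
            NeverExpires = $u.PasswordNeverExpires
        }
    }
}

function Get-GroupPasswordExpiry {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [int]$ExpireInDays = 14
    )
    # -Recursive flattens nested groups; keep only user objects
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
                 Where-Object { $_.objectClass -eq 'user' })
    if ($members.Count -eq 0) { throw "Group '$GroupName' has no user members" }

    Get-PasswordExpiryInfo -Identity $members.distinguishedName |
        Where-Object { $_.Enabled -and -not $_.NeverExpires -and
                       $null -ne $_.DaysToExpire -and $_.DaysToExpire -le $ExpireInDays }
}

# One user: does the account have a mail address, and when does its password really expire?
Get-PasswordExpiryInfo -Identity 'jdoe' | Format-List

# One group instead of the whole domain, summarised by email domain so a missing
# @othercompany.com population stands out immediately.
Get-GroupPasswordExpiry -GroupName 'PasswordReminders' |
    Group-Object EmailDomain | Select-Object Name, Count
```

If a user shows up here with the expected EmailDomain and a small DaysToExpire but never appears in the script's log, the problem is in the script's filter or interval check, not in mail delivery; if the row shows Email empty, the AD attribute is the gap.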
  • clarification about the testing parameter
    2 Posts | Last post May 20, 2019
    • hi Robert
      
      I will be trying your script for first time
      If I run the script with 'testing' enabled and specify a 'testrecipient', will the script send mail only to the test recipient with the list of users that would be sent a reminder mail?
      
      thanks
    • It should send the individual emails that would otherwise go to each user, to the test recipient.
  • Results in Body no Attachment
    2 Posts | Last post May 10, 2019
    • Hey Robert,
      
      Thanks for this helpful script. Is there a way to place the results into the body of the email that gets sent to IT, rather than an attachment. It would be easier to view on mobile devices if the results were just in the body.
      
      Thanks again,
      Shane
    • Yes, you could do something like...
      
          {
              $reportSubject = "Password Expiry Report"
              # Header row; the <td> order built below must match this column order
              $reportBody = "<html>
                             <table>
                             <tr>
                             <th>UserName</th>
                             <th>Name</th>
                             <th>Email</th>
                             <th>PasswordSet</th>
                             <th>DaysToExpire</th>
                             <th>ExpiresOn</th>
                             <th>SendMail</th>
                             <th>UserMessage</th>
                             </tr>"
      
              foreach ($obj in $notifiedUsers)
              {
                  $rUserMessage  = $obj.UserMessage
                  $rUserName     = $obj.UserName
                  $rName         = $obj.Name
                  $rEmail        = $obj.Email
                  $rPasswordSet  = $obj.PasswordSet
                  $rDaysToExpire = $obj.DaysToExpire
                  $rExpiresOn    = $obj.ExpiresOn
                  $rSendMail     = $obj.SendMail
                  $reportBody = $reportBody + "<tr><td>$rUserName</td><td>$rName</td><td>$rEmail</td><td>$rPasswordSet</td><td>$rDaysToExpire</td><td>$rExpiresOn</td><td>$rSendMail</td><td>$rUserMessage</td></tr>"
              }
              $reportBody = $reportBody + "</table></html>"
              try{
                  # Table goes in the body; the log file stays attached as the full record
                  Send-Mailmessage -smtpServer $smtpServer -from $from -to $reportTo -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
              }
              catch{
                  $errorMessage = $_.Exception.Message
                  Write-Output $errorMessage
              }
          }
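The reply above interpolates AD attribute values (Name, Email, UserMessage) straight into HTML that IT staff will open in a mail client. Display names and mail attributes are frequently writable by HR feeds or self-service tools, so a value containing markup would be rendered as markup in the report. This added example, not code from the script on this page, builds the same table with every cell HTML-encoded and keeps the send step separate so the report can be generated and inspected without an SMTP server. $notifiedUsers is constructed sample data here; in the real script it is the list the notification loop produces.

```powershell
# Added example, not code from the notification script. Runs stand-alone; only
# Send-ExpiryReport needs a mail server.

function New-ExpiryReportBody {
    param([Parameter(Mandatory)][object[]]$Users)
    # Column order of the table; names are the properties on each report object
    $cols = 'UserName', 'Name', 'Email', 'PasswordSet', 'DaysToExpire', 'ExpiresOn', 'SendMail', 'UserMessage'
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('<html><body><table border="1" cellpadding="4"><tr>')
    foreach ($c in $cols) { [void]$sb.Append("<th>$c</th>") }
    [void]$sb.Append('</tr>')
    foreach ($u in ($Users | Sort-Object DaysToExpire)) {
        [void]$sb.Append('<tr>')
        foreach ($c in $cols) {
            # HtmlEncode turns < > & " into entities, so AD-sourced text is shown, never rendered
            $cell = [System.Net.WebUtility]::HtmlEncode([string]$u.$c)
            [void]$sb.Append('<td>').Append($cell).Append('</td>')
        }
        [void]$sb.Append('</tr>')
    }
    [void]$sb.Append('</table></body></html>')
    return $sb.ToString()
}

function Send-ExpiryReport {
    param(
        [Parameter(Mandatory)][string]$SmtpServer,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string[]]$To,
        [Parameter(Mandatory)][string]$Body,
        [string]$LogFile,
        [pscredential]$Credential,   # needed when the relay refuses anonymous submission (see thread above)
        [switch]$UseSsl
    )
    $p = @{
        SmtpServer  = $SmtpServer; From = $From; To = $To
        Subject     = 'Password Expiry Report'
        Body        = $Body; BodyAsHtml = $true; Priority = 'High'
        Encoding    = [System.Text.Encoding]::UTF8
        ErrorAction = 'Stop'
    }
    if ($LogFile -and (Test-Path $LogFile)) { $p.Attachments = $LogFile }
    if ($Credential) { $p.Credential = $Credential }
    if ($UseSsl)     { $p.UseSsl = $true }
    Send-MailMessage @p
}

# Constructed sample data: one ordinary user and one whose display name carries markup
$notifiedUsers = @(
    [pscustomobject]@{ UserName = 'jdoe'; Name = 'Jane Doe'; Email = 'jane.doe@example.test'
                       PasswordSet = (Get-Date).AddDays(-40); DaysToExpire = 2
                       ExpiresOn = (Get-Date).AddDays(2); SendMail = 'OK'
                       UserMessage = 'Your password expires in 2 days.' }
    [pscustomobject]@{ UserName = 'tsmith'; Name = 'Tom <img src=x onerror=alert(1)> Smith'; Email = 'tom.smith@example.test'
                       PasswordSet = (Get-Date).AddDays(-35); DaysToExpire = 7
                       ExpiresOn = (Get-Date).AddDays(7); SendMail = 'OK'
                       UserMessage = 'Your password expires in 7 days.' }
)

$body = New-ExpiryReportBody -Users $notifiedUsers
# The injected tag survives only as text: '&lt;img src=x onerror=alert(1)&gt;'
Write-Output ("Markup neutralised: " + ($body -match '&lt;img' -and $body -notmatch '<img'))

# Uncomment to send; placeholders for the relay, sender and recipient:
# Send-ExpiryReport -SmtpServer 'smtp.example.test' -From 'password.reminder@example.test' `
#     -To 'it-ops@example.test' -Body $body -LogFile 'C:\Scripts\Logs\latest.csv' `
#     -Credential (Get-Credential) -UseSsl
```

Save the generated $body to a file and open it in a browser once: the second row should show the literal tag text. Keep the log attachment if auditors rely on it; the encoded body is the readable copy for phones.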