Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

Active Directory
8/7/2018


  • Action if no email address in AD object
    3 Posts | Last post Mon 7:52 PM
    • Hi Robert,
      
      Great script, been using it and it works perfectly.
      I have a case where I need the script to send the email to a specific email address if the email address field in AD is empty. Probably an easy way to do this, could you help, please?
    • By default, if AD does not have a valid email address, it will send to $testRecipient.
    • In the script we have this line:
          # If a user has no email address listed
          if (($emailaddress) -eq $null)
          {
              $daystoexpire = "100"    
          }# End No Valid Email
      
      Can I change this to:
          if (($emailaddress) -eq $null)
          {
              $emailaddress = "email@company.com"
          }
      
      And it should work, yeah?
  • Password Expired
    4 Posts | Last post Mon 5:33 PM
    • Hi Robert, what about expired passwords? I tried to set the expireInDays 0 and accounts were not listed
      
    • You need to review the get-aduser cmdlet, there is a 'where-object' applied which filters out expired passwords. 
      
      Also expired passwords are likely to have a negative value for $expireInDays.
    • Hi Rob, I have tried that to no avail. It shows "Expire in Days: -200" but yet 0 users are processed. I know that there are users whose passwords are expired.
    • OK, so try this:
      
      get-aduser -filter * -properties passwordlastset,passwordexpired | select name, passwordlastset,passwordexpired
      
      what do you get?
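To see which accounts the Where-Object filter drops, here is an added query (not Robert's script and not code posted in this thread) that reports users expiring within -expireInDays and, with -IncludeExpired, those whose password has already expired (negative DaysToExpire). It reads the real msDS-UserPasswordExpiryTimeComputed attribute so fine-grained password policies are honoured; parameter names mirror the script's.

```powershell
# Added example (not the original script's query): list users whose password expires
# within $expireInDays and, optionally, users whose password has ALREADY expired
# (negative days), which the original Where-Object filter drops.
# Uses msDS-UserPasswordExpiryTimeComputed so fine-grained password policies are honoured.
param(
    [int]    $expireInDays = 21,
    [switch] $IncludeExpired
)
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([int] $Days, [switch] $IncludeExpired)
    $now = Get-Date
    $users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -Properties GivenName, EmailAddress, PasswordLastSet, PasswordExpired, "msDS-UserPasswordExpiryTimeComputed"

    foreach ($u in $users) {
        $raw = $u."msDS-UserPasswordExpiryTimeComputed"
        # 0 or Int64.MaxValue means the effective policy never expires this password
        if (-not $raw -or $raw -eq [long]::MaxValue) { continue }
        $expiry = [datetime]::FromFileTime($raw)
        $daysToExpire = [int][math]::Floor(($expiry - $now).TotalDays)
        if ($daysToExpire -gt $Days) { continue }
        # Expired accounts have a negative value; keep them only when asked to
        if ($daysToExpire -lt 0 -and -not $IncludeExpired) { continue }
        [pscustomobject]@{
            Name            = $u.Name
            GivenName       = $u.GivenName
            EmailAddress    = $u.EmailAddress
            PasswordLastSet = $u.PasswordLastSet
            Expires         = $expiry
            DaysToExpire    = $daysToExpire
            Expired         = ($daysToExpire -lt 0)
        }
    }
}

Get-PasswordExpiryReport -Days $expireInDays -IncludeExpired:$IncludeExpired |
    Sort-Object DaysToExpire |
    Format-Table Name, EmailAddress, Expires, DaysToExpire, Expired -AutoSize
```

Run with -IncludeExpired to reproduce the "-200 days" rows the script itself never processes.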
      
  • User name format in email
    2 Posts | Last post Mon 4:40 PM
    • I'm looking to implement this script on our network, and am just doing some testing before rollout.
      One quick thing. I'd like to change the format of the email contents so it starts with 'Dear <firstname>,' rather than the current 'Dear <surname>, <firstname>,'. I feel using the AD attribute 'givenName' would be better, but can't seem to get that to work in your script.
      For example, at the moment the email looks like:
      
      Dear Doe, John,
      
      Thanks
    • Just add a line around 149,
      
      $givenName = $user.GivenName
      
      Then change Dear $name, to Dear $givenName,
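The "no email address" and "user name format" threads above both touch the same few lines of the script, so here is one added example (not Robert's code) that resolves a user's recipient with a fallback address and greets by GivenName. $Testing and $TestRecipient mirror the script's own switches; $FallbackRecipient and the sample users are constructed for the example.

```powershell
# Added example (not Robert's script): decide where one user's reminder goes.
# $Testing / $TestRecipient mirror the script's own switches; $FallbackRecipient is
# a hypothetical new setting for users whose AD mail attribute is empty.
function Resolve-NotificationRecipient {
    param(
        [Parameter(Mandatory)] $User,            # one object from Get-ADUser -Properties EmailAddress
        [string] $FallbackRecipient = "",        # e.g. an internal helpdesk mailbox; empty = skip the user
        [string] $Testing = "Disabled",
        [string] $TestRecipient = ""
    )
    # Test mode: every reminder goes to the tester, never to real users.
    if ($Testing -eq "Enabled") { return $TestRecipient }

    $address = $User.EmailAddress
    # An unset mail attribute can come back as $null OR "", so -eq $null alone misses the second case.
    if ([string]::IsNullOrWhiteSpace($address)) {
        if ([string]::IsNullOrWhiteSpace($FallbackRecipient)) { return $null }
        # The fallback mailbox learns which accounts are about to expire, so keep it internal.
        return $FallbackRecipient
    }
    # Reject malformed addresses before they reach Send-MailMessage.
    try { [void][System.Net.Mail.MailAddress]::new($address) } catch { return $null }
    return $address
}

# Constructed sample users standing in for Get-ADUser output.
$samples = @(
    [pscustomobject]@{ Name = "Doe, John";  GivenName = "John";  EmailAddress = "john.doe@example.com" },
    [pscustomobject]@{ Name = "Roe, Jane";  GivenName = "Jane";  EmailAddress = "" },
    [pscustomobject]@{ Name = "Bad, Entry"; GivenName = "Entry"; EmailAddress = "not an address" }
)
foreach ($u in $samples) {
    $to = Resolve-NotificationRecipient -User $u -FallbackRecipient "helpdesk@example.com"
    # Greeting uses GivenName instead of Name, as asked in the "User name format" thread.
    if ($to) { "Dear $($u.GivenName), -> $to" } else { "Skipping $($u.Name): no usable recipient" }
}
```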
  • I am able to send report to the mentioned email but not able to send email to test recipient or users directly
    7 Posts | Last post August 20, 2019
    • I am able to send report to the mentioned email but not able to send email to test recipient or users directly
      I am using below command
      .\PasswordChangeNotification.ps1 -smtpServer "mail.xyz.com" -expireInDays 21 -from "Windows.admin@xyz.com" -Logging -LogPath "C:\PasswordLogs" -reportTo "shweta@xyz.com"
      
      The report which is generated shows "Skipped-interval" in the send mail tab against each user whose password is expiring.
    • Can you send the log and script to https://windowsserveressentials.com/support
    • I had the same issue using the following syntax:
      
      -smtpServer smtphost.ourdomain.example -expireInDays 21 -from "Someuser AD<noreply@ourdomain.example>" -Logging -LogPath "c:\temp\pwdreminder" -reportTo myself@ourdomain.example -interval 0,1,2,5,10,15
      
      Adding -status at the end of the parameter list seems to have gotten over the issue. I have not looked at the code to see why that would be, but it seems to do the trick.
      
      -smtpServer smtphost.ourdomain.example -expireInDays 21 -from "Someuser AD<noreply@ourdomain.example>" -Logging -LogPath "c:\temp\pwdreminder" -reportTo myself@ourdomain.example -interval 0,1,2,5,10,15 -status
      
      
    • Disregard my previous statement - adding status to the command line did not help. 
      
      The problem was caused by running the script with the "-file" method rather than "-command". When using the "-file" method the -interval parameter is corrupted/ignored if using more than one interval.
      
      So the command for the scheduled task should be something along the line of: 
      
      powershell.exe -command "C:\scripts\PasswordChangeNotification.ps1 -smtpServer mail.example.com -expireInDays 21 -from 'Password Notify<noreply@example.com>' -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status"
      
      and not: 
      
      powershell -file "C:\scripts\PasswordChangeNotification.ps1" -smtpServer mail.example.com -expireInDays 21 -from "Password Notify<noreply@example.com>" -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status
      
      Pay attention to how you enclose the command with quotes, as the entire text following -command should be quoted with double quotes, and any parameter inside with spaces should use single quotes.
      
      See this video for details: https://www.youtube.com/watch?v=xbzxWOarVuk
      
    • Solution to T Nilsen works. Tested and confirmed ok. Thanks T Nilsen!
      
      powershell -file "C:\scripts\PasswordChangeNotification.ps1" -smtpServer mail.example.com -expireInDays 21 -from "Password Notify<noreply@example.com>" -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status
      
      Pay attention to how you enclose the command with quotes, as the entire text following -command should be quoted with double quotes, and any parameter inside with spaces should use single quotes.
    • Correction:
      powershell.exe -command "C:\scripts\PasswordChangeNotification.ps1 -smtpServer mail.example.com -expireInDays 21 -from 'Password Notify<noreply@example.com>' -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status"
    • Yes, in fact I have never suggested using -file, and the videos I have made on scheduling all use -command.
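The thread above pins the "Skipped-interval" result on how powershell.exe -File hands over 1,2,5,10,15: as one literal string, not an array. This added example (not the original script) shows a parameter-normalising step that makes the same script behave identically under -File and -Command; the script body and sample values are constructed for the example.

```powershell
# Added example (not the original script): make the -interval parameter survive both
# "powershell -File ..." (every argument arrives as a literal string, so 1,2,5 becomes "1,2,5")
# and "powershell -Command ..." (arguments are parsed by PowerShell, so 1,2,5 is already an array).
param(
    [Parameter(Mandatory)] $interval,   # deliberately untyped, as a script accepting 1,2,5,10,15 might be
    [int] $expireInDays = 21
)

function ConvertTo-IntervalArray {
    param($Value)
    # Flatten whatever arrived: an array of ints, a single int, or a comma-separated string.
    $items = foreach ($v in @($Value)) { "$v" -split '[,\s]+' }
    $items = @($items | Where-Object { $_ -ne '' })
    if ($items.Count -eq 0) { throw "No interval values supplied" }
    $days = foreach ($i in $items) {
        if ($i -match '^\d+$') { [int]$i } else { throw "Invalid interval value '$i'" }
    }
    return @($days | Sort-Object -Unique)
}

$interval = ConvertTo-IntervalArray $interval
"Parsed intervals: $($interval -join ', ')"

# Constructed sample: days-to-expiry values as the script computes them per user.
foreach ($daysToExpire in 21, 10, 4, 1) {
    if ($daysToExpire -le $expireInDays -and $interval -contains $daysToExpire) {
        "{0,3} days: send reminder" -f $daysToExpire
    } else {
        "{0,3} days: Skipped-interval" -f $daysToExpire
    }
}
```

Run it once as `powershell.exe -File .\example.ps1 -interval 1,2,5,10,15` and once via `-Command` to see both invocations print the same parsed list.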
  • prompt request window of user credential when run powershell
    2 Posts | Last post August 15, 2019
    • Hi Robert,
      I have a question.
      The user credential prompt window appears when running PowerShell; it prompts 12 times, the same as the user count.
      thank you.
    • Is that when it is trying to send an email?
  • 5.7.57 SMTP; Client was not authenticated
    2 Posts | Last post July 29, 2019
    • Hi,
      
      I've been using this script for some months now, but on 04/07/2019 it stopped working.
      
      Error:
      The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM [AM0PR04CA0023.eurprd04.prod.outlook.com]
      
      This is the scheduled task:
      C:\Scripts\PasswordChangeNotification.ps1 -smtpServer smtp.office365.com -expireInDays 7 -from 'IT Services <itservices@xx.xxx>' -Logging -LogPath 'C:\Scripts\Logs' -reportTo itservices@xx.xxx -interval 7,5,3,1
      
      * Scheduled task runs on Windows Server 2012R2 (Domain controller)
      * Email service: Office365 (Cloud)
      
      Any idea why it stopped working?
      I've searched the Q&A but didn't find a solution.
    • You may need to review SMTP credentials, TLS, and the port number for Office 365.
  • TLS deprecation
    3 Posts | Last post July 23, 2019
    • Robert, your script has been working great for my organization, but the TLS SMTP authentication it uses is being deprecated by Microsoft - https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Investigating-TLS-usage-for-SMTP-in-Exchange-Online/ba-p/609278
      
      Any tips/hints on a work around for this or an update to the script so that it will use TLS 1.2?
    • Please see the Q&A below; there is some guidance.
    • Found it. Thanks.
  • 2 domains, one email server.
    7 Posts | Last post July 11, 2019
    • Robert
      
      I have been using your script for a few years and it works great.  We recently added a new firm utilizing much of our IT infrastructure.  We have setup a domain trust between Domain A and Domain B.   Domain A is the one I have been using for a while with no issue.   I have setup the same script with the same switches to run on Domain B using the Same SMTP server by IP address.   When I run the script on Domain B I see the log is generated for the correct users within Domain B.  However, IF a password is set to expire within the "SendEmail" window I am receiving the following error.   "Unable to read data from the transport connection: net_io_connectionclosed"  I am also not receiving the email report.   Any advice from anyone would be greatly appreciated. 
      
      Bryan
    • Side note we are using Linked mailboxes for Domain B on the Exchange Server.
    • Where in DomainB is the script running and does it have permission to connect to the SMTP server?
    • Robert
      
      I have the script running directly on the DC of domain B.  It should have permission to the SMTP server as it is serving Domain B users regular email.   
      
      Here is what happens when I try to run just the Send-Mail command directly on the server that is running the script.   I am using the IP address of the SMTP server
      
      
      Send-Mailmessage -smtpServer x.x.x.x -from adminaccount@domainb.com -to user@domainb.com -subject HardTest -body blahahahaha -bodyasHTML -priority High | Add-Member -MemberType NoteProperty -Name SendMail -Value "OK"
      Send-Mailmessage : Unable to read data from the transport connection: net_io_connectionclosed.
      At line:1 char:1
      + Send-Mailmessage -smtpServer x.x.x.x -from adminaccount@domainb.co ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
          + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
       
      
      
      
    • Do you have any logs from the smtp server?
    • I do, and it states account not found, but gMSAs cannot have mailboxes.
      Any suggestions?
      220 ExchangeServer.Domain.local Microsoft ESMTP MAIL Service ready at Tue, 9 Jul 2019 10:16:57 -0400
      EHLO ClientServerName
      250 ExchangeServer.Domain.local Hello [192.168.112.112] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST
      AUTH ntlm
      334 <authentication response>
      Could not find user Domain\gMSA-01$
      Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful. User not found'
      QUIT
      221 2.0.0 Service closing transmission channel
      Local
      535 5.7.3 Authentication unsuccessful. User not found
      Local
    • In that case you may need to provide credentials of an account authorised to relay email. Running the script as the gMSA should be fine, the smtp credentials can be for a different account.
  • gMSA Accounts generating Error
    2 Posts | Last post July 09, 2019
    • We have been using this PowerShell script for about a year now and it has been working with a standard AD user account. Recently we have started to switch over to using gMSAs (group Managed Service Accounts). It is running on a Windows Server 2012 R2 system and executed by a scheduled task daily. All on-prem.
      
      I import the gMSA into the scheduled task that runs this script, and the script does run from the point of view of the Task Scheduler; the PowerShell script executes. I can see powershell.exe running under the name of the gMSA in Task Manager. However, the script reports back into the script's log file "Unable to read data from the transport connection: net_io_connectionclosed.", and the users do not receive the email notification. The script is going out to AD and getting the names needed. Then it steps through the email process, and I believe that the failure is coming from the MSA not being able to communicate with Exchange to send the email. I have added the MSA to the local secpol > "Log on as a batch job". I also temporarily added the MSA to the local Administrators group with no positive effect, so I removed it from the Admin group. I also tried to add the -credentials property to the Send-MailMessage command and tried to pass it my credentials, my Admin credentials and the old service account's credentials, and none of them had a positive effect. They were causing a different error message in the script's log: "Cannot process argument transformation on parameter 'Credential'. Access is denied". All this to simply say: how do I get a managed service account to run a scheduled task that runs this PowerShell script to send e-mail messages via internal 2016 Exchange?
      
      Does it have to do with the fact that the gMSA can not have a mailbox?
      does the account need specific permission to function with an gMSA?
      Thank you for your help.
    • Do you have any logs from the smtp server?
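The 5.7.57, TLS deprecation and gMSA threads above come down to three things: negotiate TLS 1.2, authenticate to the relay with an account that is allowed to send (separate from the gMSA running the task), and hand Send-MailMessage a real PSCredential object rather than a username string that makes it try to prompt inside a non-interactive task. This added example (not the original script) puts those together; the credential file path C:\Scripts\smtp-cred.xml, the server values and the addresses are assumptions for the example.

```powershell
# Added example (not part of the original script): send one reminder through an
# authenticated, TLS 1.2 SMTP session using credentials for a relay account that is
# separate from the account running the scheduled task (for example a gMSA).
# Assumed: C:\Scripts\smtp-cred.xml (hypothetical path) was created beforehand with
#     Get-Credential | Export-Clixml C:\Scripts\smtp-cred.xml
# while running as the SAME account that executes this script, because Export-Clixml
# protects the password with DPAPI and only that user on that machine can decrypt it.
param(
    [string] $smtpServer     = "smtp.office365.com",
    [int]    $smtpPort       = 587,
    [string] $from           = "IT Services <itservices@example.com>",
    [string] $credentialPath = "C:\Scripts\smtp-cred.xml"
)

# Force TLS 1.2 for the .NET SmtpClient behind Send-MailMessage; Windows PowerShell 5.1
# may otherwise negotiate TLS 1.0, which Exchange Online is retiring.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-SmtpCredential {
    param([string] $Path)
    if (-not (Test-Path $Path)) { throw "SMTP credential file not found: $Path" }
    $cred = Import-Clixml -Path $Path
    # A plain string passed to -Credential triggers a prompt, which a scheduled task cannot answer.
    if ($cred -isnot [System.Management.Automation.PSCredential]) { throw "File does not contain a PSCredential" }
    return $cred
}

function Send-ExpiryReminder {
    param([string] $To, [string] $GivenName, [int] $DaysToExpire, [pscredential] $Credential)
    $body = "Dear $GivenName,<br/>Your password expires in $DaysToExpire day(s). Please change it before then."
    try {
        Send-MailMessage -SmtpServer $smtpServer -Port $smtpPort -UseSsl -Credential $Credential `
            -From $from -To $To -Subject "Your password expires in $DaysToExpire day(s)" `
            -Body $body -BodyAsHtml -Priority High -ErrorAction Stop
        return "OK"
    } catch {
        # Record the server's response (e.g. 5.7.57 or 535 5.7.3) in the log rather than swallowing it.
        return "Failed: $($_.Exception.Message)"
    }
}

$cred = Get-SmtpCredential -Path $credentialPath
# Constructed sample call; in the real script this runs once per user in the interval.
Send-ExpiryReminder -To "john.doe@example.com" -GivenName "John" -DaysToExpire 5 -Credential $cred
```

Because the DPAPI-protected file is bound to the exporting account, re-run the Export-Clixml step under the gMSA (for example from a one-off scheduled task) whenever the task's identity changes.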
  • I wonder recipient is still test recipient.
    1 Posts | Last post July 03, 2019
    • Hi Robert,
      Thanks for the script it helps a lot for me!
      But I wonder I did set $testing = "Disabled" and $testRecipient = "<MY emailaddress>"
      I run the script and it isn't going to send to $emailaddress <the user's email address>
      even though user account has email address..
      I'm the only one can receive report and notification email.
      
      Did I do something wrong?
      
      I only added or changed values as below:
      
      # Set Output Formatting - Padding characters
      $padVal = "90"
      
      
      $smtpServer = "domain.XX.xxx"
      $expireInDays = "90"
      $from = "<EMAIL>"
      
      $logging = "Enabled"
      $logPath = "D:\PasswordExpirationNoti"
      
      $testing = "Disabled"
      $testRecipient = "<MYEMAIL>"
      
      $reportto = "<MYEMAIL>"
      $interval = 1,2,5,10