Password Expiry Email Notification

Hi Robert,

If I run the scripts, and i put the $expiredOn variable on the email, it's contains the following: 12/25/2018 09:07:00 and thats wrong.

Any ideas why it is containts this value? I need the date of the expiring.
If it could be formated nicely, that would be great!

Thanks four your answer!

Hi Robert P

This script is fantastic! Thanks for taking your time to share it. I have it working in my environment except for the reportTo. Mail to users are flowing fine, but I never get the report.

This is the command I'm using to run the script:
PwdChgNotify_Users.ps1 -smtpServer 192.168.100.28 -expireInDays 21 -from "Help Desk <DoNotReply@mydomain.com>" -reportTo me@mydomain.com -interval 1,2,3,4,5,10,15,20

Any help would be appreciated!
Robert M

Once I added -Logging -LogPath "c:\logFiles" to my command, it works. 

Thanks again for all your effort in making this public!!!

Hi
what are the minimum admin rights required to run this script
does it require domain admin rights 
thanks

The account running the script needs the ability to read user properties on the OU your users reside in.

It does not require any admin rights, you may want to add it to the backup operators group on the machine the script runs on, to allow it to logon as a batch job.

Hello, I am not very clear the function of the-report, I could explain, as I have understood according to the script sends to the account of the-reportto CSV file attached.

{ 
        $reportSubject = "Password Expiry Report" 
        $reportBody = "Password Expiry Report Attached" 
        try{ 
            Send-Mailmessage -smtpServer $smtpServer -from $from -to $reportTo -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop  
        } 
        catch{ 
            $errorMessage = $_.Exception.Message 
            Write-Output $errorMessage 
        } 
    } 

First of all - thanks for providing this script. Without it I doubt I would be able to produce anything functional for this need.

That being said we have an AD environment with multiple OU's for different entities. Each of those entities have different support details and logos. One solutions is to have unique scripts to run for each entity and just update the $user query to pull based on a specific search base then just statically assign the unique variables in each script. Have that bit figured out already, and it works, but then we have to manage multiple scripts and what's the fun in that.

I am curious how I could go about have the notification section start for each user by evaluating an if ($distinguishedname -like "*xxxxxxxxxxxxx" {$image=xxx $supportnumber=xxxx etc} elseif so on and so forth, then pass the right variables into the creation of the message.

I will admit the whole technet gallery bit is new to me, and I'm not sure of an efficient way to search through the Q and A to see if this has been address already (other than scrolling page by page).

Any help in either finding where this is already addressed, or in architecting a solution is greatly appreciated. 

Ben

I dont think there are many questions like this - there are some on targeting OUs but not on changing variables based on OU. I think you are along the right lines with your current thinking.

Good morning I have running script with testing option, immeditely answer on the shell how may users have password expiring in 14 days but it still in this windows no answer no logs no email
Thanks in advance
Davide

Sorry only take a time, after 20 minutes i have answer...I was thinking take a little bit time. Sorry

Hi Robert,

I tested the script below in Powershell ISE, it seems to run correctly and send notification.

c:\temp\PasswordChangeNotification.ps1 -smtpServer x.x.x.x -expireInDays 13 -from 'IT Support <test@xxx.com>' -Logging -LogPath 'c:\temp\logs' -reportTo test@xxx.com -interval 1,3,5,7,8,9 -testing -testRecipient test@xxx.com -status

However, when I put this in schedule task with the action below, it doesn't send notification, the "PasswordSet" and "ExpiresOn" show exact same date and time, then "DaysToExpire" show negative.


powershell.exe -command "c:\temp\PasswordChangeNotification.ps1 -smtpServer x.x.x.x -expireInDays 13 -from 'IT Support <test@xxx.com>' -Logging -LogPath 'c:\temp\logs' -reportTo test@xxx.com -interval 1,3,5,7,8,9 -testing -testRecipient test@xxx.com -status"

For testing, instead of reading the day from policy, I hard coded the Default Max.Age to 10 days.  I have couple test users that their "PasswordSet" date on 5 sept and 7 sept 2018.  

The condition are exactly the same, any reasons why the results are so different?

Patrick

any suggestion?

Nope sorry that makes no sense to me.

Hi Robert, I found an incorrect line of code that I modified, so now the script fixed and working well.

I am trying to get the report (only the report) to send to 2 email addresses, so I tried -reportTo 'test@xxx.com;test2@xxx.com', but it didn't even send the report.  

If I need to use CC, will it send the notification email as well?  Anyway I am not sure how to put in this CC as parameter for sending report.

Could you please help?

How can i ask the user to enter their credentials in the script for a third party email service - such as Sendgrid ?

You can use the Get-Credential cmdlet.

Where exactly to use ? And anything in the argument when scheduling a task ? 

You can use this method when scheduling the script.

https://www.youtube.com/watch?v=_-JHzG_LNvw

Hi Robert,

Script looks great, I haven't used it as of yet but plan to. I was wondering if there is a way of adding a single email address that all password notifications get copied into. Without having to add it to Active Directory

We just want a copy off all the password reset emails that get sent out to the users so we can forward it on to them if they say they never received the email. We want to use this alongside the reportto function.

Thanks

You can use the report function, or you can add a -cc to the send-mailmessage line 246 or 268 etc.

Hi Robert,

Thanks for this. I am having trouble with the script. It runs fine but will not send emails. It has this error (the error is in the log file only): 
"The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM [VI1PR0401CA0014.eurprd04.prod.outlook.com]"

I have followed your SMTP credential guide and checked it and re followed the steps multiple times, just incase, and cannot figure out why it is not working. The email I am sending from is mine and I have full email and admin rights on our SMTP server (Office365)

Any Ideas?

Have you tried creating a client connector in 365 which allow unauthenticated smtp? Just for testing.

Hi Robert,

Just an update. I changed the smtp server to our MX record and it worked fine. I was originally using smtp.office365.com I did have to add the email sending out as the safe sender as it was putting all of the reminders into junk.

Thanks

there is anyway to activate the script only for specific user?

Thank You

Gil