Password Expiry Email Notification

Hello,

I've been using this great script for over a year - once again, great work. I have an OU that i'd like to exclude from the script. Is it possible to do this instead of specifying multiple OUs in the -searchbase?

Excluding a single OU is possibly, if a little convoluted.

If you add CanonicalName to the -properties section of Get-AdUser, this will collect everyones CanonicalName, which, if you did not know, is the path to the user object in AD. (we could also use a distinguishedname)

now, somewhere near the top lets say line 139 add in,

$excludeOU = @("mydomain.domain.com/OU/OU/")

where that is the path to the OU you want to exclude, leave the trailing "/".

At line 178 we then need to add in a bit of script to collect the users OU and add it to the $userObj.

$userCanon = $user.CanonicalName.Replace($user.Name,"")

then line 184

if(($excludeOU) -contains $userCanon)
{
# Skip User
}
else
{
$colUsers += $userObj
}


I have not tested this, and this won't do anything like log the exclusions, or even output anything to the colsole, but it should be enough to skip an OU.

Hello,

Script has been running perfect for over a year. I have it running via a task scheduler and recently it stopped working due to the scheduler running off an account that had the password expire.

 I have the scheduler working again, but now the script won't send emails to users. Though the testing attribute does work and it sends email to me that way.

So it seems to work in all aspects except sending the emails. I also confirmed there are no emails being sent out and blocked or sent to junk mail.

Would anyone be able to help? Much appreciated! 

Does the account sending email need authentication? Did you update the credential for that account?

Hi,

Thanks for this script ! 

I have something wrong using it : All my user are logged as "Skipped - Interval" even if they are in the good interval ! This is my CMD : 

Powershell.exe -executionpolicy remotesigned -File C:\Scripts\PasswordChangeNotification.ps1 -smtpServer mail.blablabla.fr -expireInDays 10 -from "Support <support@blablabla.com>" -interval 1,2,3,10 -Logging -LogPath "c:\scripts\logs" -testing -testRecipient bla@blablabla.com

And a log : 

"in 10 days.","blabla","BLA bla","blabla@blabla.com","13/08/2018 09:36:11","10","12/10/2018 09:36:11","Skipped - Interval"
"in 3 days.","blabla","BLA bla","blabla@blabla.com","06/08/2018 12:01:45","3","05/10/2018 12:01:45","Skipped - Interval"


Thanks a lot ! 

Instead of -file, use -command

Hi Robert, 
when i use - command , will get the result (0X1)
if i use -file, same case as AlfredIT , the log will show all email skipped.
Thanks,

Check out this video.
https://www.youtube.com/watch?v=3ia-cJbf5Ng

You need to put everything inside quotes after -command.

Command:
Powershell.exe

Arguments:
"-executionpolicy remotesigned -command C:\Scripts\PasswordChangeNotification.ps1 -smtpServer mail.blablabla.fr -expireInDays 10 -from 'Support <support@blablabla.com>' -interval 1,2,3,10 -Logging -LogPath "c:\scripts\logs" -testing -testRecipient bla@blablabla.com -interval 1,3,7,9"

Good day,
I am now having a problem to deploy on a task schedule, 
the arguments space have limitation, so i can't input all the parameter,

-NoProfile -ExecutionPolicy Unrestricted -File "D:\.\PwNotice.ps1 -smtpServer XXX.XXX.XXX.XXX -expireInDays 7 -from "IT Support <CGIPW_EXPIRY@XXXXXXXXXXXXXXXXX.com.hk>" -Logging -LogPath "D:\logFiles" -reportTo ITMAILMAIL@XXXXXXXXXXXXXX.com.hk -interval 1,2,3,5,7

Kindly help & let me know how to fix this problem? 

Thanks a lot.


 

Hi Robert,

I think it's a bit difficult to adjust the datetime format, so instead I'm just trying to add MM/DD/YYYY to the column name or description, so that the users can read the date properly.

I tried to modify with this line

$notifiedUsers | select UserName,Name,EmailAddress,PasswordSet,DaysToExpire,ExpiresOn | sort DaystoExpire | FT -autoSize

with for example renaming the "PasswordSet"

$notifiedUsers | select UserName,Name,EmailAddress,@{Name = "PwdSet-MM/DD/YYYY"; Expression = {$_.PasswordSet}},DaysToExpire,ExpiresOn | sort DaystoExpire | FT -autoSize

The script executed without problem, however it only updated the column number on-screen output, it hasn't rename the column header in the CSV file.

Am I change wrong place or wrong method?

Please kindly help.

The column header is set based on the object name.

So $daysToExpire is set on line 182. '-name DaysToExpire'.

PasswordSet is on line 181.

But, by changing these values you need to make sure they are not set elsewhere using the original names.

For example on line 191 where we reference $_.DaysToExpire this would need to match whatever you change the value on line 182 for.

Thank you Robert for your quick reply.

So instead of changing existing object name, is it possible if I create duplicate of these object with a different '-name', so that I can specifically used in the report and log view?

If so, where would I placed these 'names' for report and logs?

When i run this command :
(Get-ADUser -filter *).count 
I'm getting a different number of user compared to when i run your script. Why ?

Your command returns every user in the domain, my command filters the users to only include those with expiring passwords etc.

The users who's password are supposed to expire are not showing up.

I have the same issue.
when i test manually the command 
"$users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
# Count Users
$usersCount = ($users | Measure-Object).Count"
Write-Output "Found $usersCount User Objects"
The result is about 600 users, but when i run the script, they returns only 20 users. why ?

Without seeing a log or transcript of the powershell session, i can not say, except that usually this it is caused by Users not meeting the filtering requirements and being discarded from the results.

I run it manually , it works 
Setting : (Interval =1,2,3,5,8)
Refer to log file , some user expiry in 4 days,
then email will not send out,(Right?)
so, should i run this scipt on tomorrow again to success send the email to user? 
Thanks a lot

Hello Robert,

How can I config a schedule task with your script so that it will send report only for twice a  week?

As the administrator will only need to see the report twice a week, if I setup another schedule with the script at different schedule, the end user will get 2 copies of notification sometimes.

Please kindly help.

Off the top of my head...

Lets say you schedule the script to run on a Tuesday and Thursday.

Under the report section (Line 300 v2.9)

Inside the brackets if($reportTo) add, 

    if($reportTo)
    {
        if(($start.DayOfWeek) -eq "Thursday")
        {
            $reportSubject = "Password Expiry Report"
            $reportBody = "Password Expiry Report Attached"
            try{
                Send-Mailmessage -smtpServer $smtpServer -from $from -to $reportTo -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
            }
            catch{
                $errorMessage = $_.Exception.Message
                Write-Output $errorMessage
            }    
        }
    }

So the report would only send on a Thursday.

Thank you Robert, I will give this a try and let you know how I go.

Thanks Robert, this is working well.

Hi Robert,

If I run the scripts, and i put the $expiredOn variable on the email, it's contains the following: 12/25/2018 09:07:00 and thats wrong.

Any ideas why it is containts this value? I need the date of the expiring.
If it could be formated nicely, that would be great!

Thanks four your answer!

Hi Robert P

This script is fantastic! Thanks for taking your time to share it. I have it working in my environment except for the reportTo. Mail to users are flowing fine, but I never get the report.

This is the command I'm using to run the script:
PwdChgNotify_Users.ps1 -smtpServer 192.168.100.28 -expireInDays 21 -from "Help Desk <DoNotReply@mydomain.com>" -reportTo me@mydomain.com -interval 1,2,3,4,5,10,15,20

Any help would be appreciated!
Robert M

Once I added -Logging -LogPath "c:\logFiles" to my command, it works. 

Thanks again for all your effort in making this public!!!