Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days. I have now moved it to GitHub -

  • We have a Service Accounts OU I would like to exclude
    2 Posts | Last post August 10, 2018
    • Can you explain where and how I can add logic to filter out one OU but include everything else?
      Thanks for this script, huge help
    • Couple of ways I can think to do this...
      $skipOU = "*"
      $users = get-aduser -filter * -properties xyz | where { $_.CanonicalName -notlike $skipOU }
      You could do two queries, one with a -searchbase of the OU you want to skip, and store those users in an array, then compare the users in that to the users in $users and skip any matching ones.
      I can't see a way to prefilter using the -filter {} option.
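One way to apply the exclusion discussed in this thread, as an added example that is not part of the original posts or of the script: match on the end of DistinguishedName, which Get-ADUser returns by default. The OU path, the `Test-InExcludedOU` helper name and the sample accounts are constructed for illustration.

```powershell
# Added example. The OU path and sample accounts are constructed placeholders.
$excludedOUs = @(
    'OU=Service Accounts,DC=example,DC=com'
)

function Test-InExcludedOU {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $ExcludedOU
    )
    foreach ($ou in $ExcludedOU) {
        # A suffix match on ",<OU DN>" covers the OU and every child OU beneath it,
        # and avoids -like, which would treat [ ] * ? inside a DN as wildcards.
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed stand-ins for Get-ADUser output, so the filter can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       DistinguishedName = 'CN=Jane Doe,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; DistinguishedName = 'CN=svc-backup,OU=Service Accounts,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svc-sql';    DistinguishedName = 'CN=svc-sql,OU=SQL,OU=Service Accounts,DC=example,DC=com' }
)

# Against a live domain, pipe the script's Get-ADUser query into the same Where-Object.
$users = $sample | Where-Object {
    -not (Test-InExcludedOU -DistinguishedName $_.DistinguishedName -ExcludedOU $excludedOUs)
}
$users | Select-Object SamAccountName, DistinguishedName
```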
  • Script not working
    2 Posts | Last post August 07, 2018
    • Hi,
      I ran the password Expiry Email notification just as is and it runs without errors, but users are not getting the emails. Any suggestions? Can you provide the exact line numbers of the parameters that need to be changed?
    • You don't need to edit the lines, you just specify the values you need for each parameter.
      .\PasswordChangeNotification.ps1 -smtpserver mysmtpserver -expireinDays 21 -from etc etc
  • Skipped when running from Task Scheduler
    4 Posts | Last post August 06, 2018
    • Great piece of code. However, I can run manually. If I run from a task scheduler, no emails are sent, and the log says "Skipped-Interval" on every user. My arguments are -smtpServer mail..x.x -expireInDays 10 -from "X IT Support <>" -Logging -LogPath "d:\pwexp" -interval 1,2,3,4,5,10
      Any ideas? Like I said, same arguments in task scheduler as manually running it. Driving me bonkers.
    • Correction, "parameters". It seems like the parameters aren't passed on when running from a cmd or directly in the task scheduler. I'll do some digging, most likely I'm doing something wrong. If I find it, I will post out here.
    • For whatever reason, the parameter "-interval" wasn't being picked up when running from a cmd or task scheduler. I took it out of the param section and set $interval a bit below that. Still want to figure out why that parameter wasn't being picked up, but this workaround did it for me.
      I love the script though. A+++
    • What syntax are you using in the task scheduler or cmd? I know some people have used something like powershell -file myscript <parameters> and that has not worked but powershell -command myscript <parameters> has worked.
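A possible cause consistent with the reply above, as an added example that is not part of the original script: with `powershell -File`, arguments are passed as literal strings, so `-interval 1,2,3,4,5,10` arrives as the single string "1,2,3,4,5,10" and a `-contains` test against an integer never matches. `ConvertTo-IntervalList` is a hypothetical helper name, and the example assumes the script tests `$interval` with `-contains`, as the error output quoted elsewhere on this page shows.

```powershell
function ConvertTo-IntervalList {
    param([object[]] $Interval)
    $result = foreach ($item in $Interval) {
        # Each item may be an int (from -Command) or a string like '1,2,3' (from -File).
        foreach ($part in ([string]$item -split ',')) {
            $text = $part.Trim()
            if ($text -eq '') { continue }
            $n = 0
            if (-not [int]::TryParse($text, [ref]$n)) {
                throw "Interval value '$text' is not a whole number of days."
            }
            $n
        }
    }
    # Always hand back an int array, even for a single value or no value.
    return ,([int[]]@($result))
}

# Constructed inputs reproducing the two call styles.
$fromFile    = @('1,2,3,4,5,10')       # what -File delivers: one string
$fromCommand = @(1, 2, 3, 4, 5, 10)    # what -Command delivers: six integers

$daysToExpire = 5
'Raw -File value matches     : {0}' -f ($fromFile -contains $daysToExpire)
'Normalised -File value      : {0}' -f ((ConvertTo-IntervalList $fromFile) -contains $daysToExpire)
'Normalised -Command value   : {0}' -f ((ConvertTo-IntervalList $fromCommand) -contains $daysToExpire)
```

Normalising the value once, right after the param block, keeps the interval check working whichever way the scheduled task launches the script.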
  • Hello Robert
    4 Posts | Last post July 31, 2018
    • How can I apply this script on a specific OU, not on the entire directory? thank you very much!
    • You can add the option -searchBase {OU=xxxxx,DC=microsoft,DC=com} to line 100:
      $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false } 
    • Thank you Mawelou, I will test that
    • @Marco, if you ever want to apply it to a specific AD group, we just add Get-ADGroupMember at the beginning of the line and it works very well.
      $users = Get-ADGroupMember 'YOURADGROUP' | 
               get-aduser -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | 
               where { ($_.passwordexpired) -eq $false -and ($_.enabled -eq $true)} 
  • Errors on PS
    5 Posts | Last post July 31, 2018
    • Hello Robert, I receive the following error on a 2012R domain controller. Would you happen to have any ideas on what I could try? Your assistance is much appreciated!
      PS C:\Scripts\PasswordNotification> .\PasswordChangeNotification.ps1
      At C:\Scripts\PasswordNotification\PasswordChangeNotification.ps1:193 char:52
      +     $samLabel = $samAccountName.PadRight($padVal," ")
      +                                                    ~~
      Unexpected token '")
                  $daysToExpire = [int]$user.DaysToExpire
                  if(($interval) -Contains($daysToExpire))
                          Write-Output "' in expression or statement.
      At C:\Scripts\PasswordNotification\PasswordChangeNotification.ps1:203 char:35
      +                     Write-Output "Sending Email : $samLabel : $emailAddress"
      +                                   ~~~~~~~
      Unexpected token 'Sending' in expression or statement.
      At C:\Scripts\PasswordNotification\PasswordChangeNotification.ps1:273 char:39
      + Write-Output "Script Runtime: $runtime"
      +                                       ~
      The string is missing the terminator: ".
      At C:\Scripts\PasswordNotification\PasswordChangeNotification.ps1:160 char:1
      + {
      + ~
      Missing closing '}' in statement block.
          + CategoryInfo          : ParserError: (:) [], ParseException
          + FullyQualifiedErrorId : UnexpectedToken
      PS C:\Scripts\PasswordNotification>
    • Did you make any changes to the downloaded version?
    • I did not, it is exactly how I downloaded it from this site. Also, I attempted to run this script on another server and it seems to go through fine.
      This is from the server I'm having issues:
      PS C:\Scripts\PasswordNotification> $psversiontable.psversion
      Major  Minor  Build  Revision
      -----  -----  -----  --------
      5      1      14409  1012
      Windows Server 2012 R2 version 6.3
      I recently updated powershell on this server and rebooted but received the same error.
    • What syntax are you using to run the script?
    • PS C:\Scripts\PasswordNotification> .\PasswordChangeNotification.ps1
      I saw that at the beginning of your error. Did you follow the examples Robert provides?
        PasswordChangeNotification.ps1 -smtpServer -expireInDays 21 -from "IT Support <>" -Logging -LogPath "c:\logFiles" -testing -testRecipient 
        PasswordChangeNotification.ps1 -smtpServer -expireInDays 21 -from "IT Support <>" -reportTo -interval 1,2,5,10,15 
  • Change on script got error
    3 Posts | Last post July 31, 2018
    • Hello Robert, many thanks for your script. I made some changes to use it on a specific AD group (people who are not using Windows, so they get an email to change their password). I made some changes at line 100:
      $users = Get-ADGroupMember 'MYADGROUP' | 
               get-aduser -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | 
               where { ($_.passwordexpired) -eq $false -and ($_.enabled -eq $true) }
      But when I execute the script with this command: C:\passwordexpire.ps1 -smtpServer 30 -from "IT Support <>" -status -reportto
      I got an error in the execution and the report never came, but the email alert is sent:
      Script Loaded
      *** Settings Summary ***
      SMTP Server          : smtp.pouetpouet.lan
      Expire in Days       : 30
      From                 : IT Support <>
      Logging              : False
      Log Path             : 
      Testing              : False
      Test Recipient       : 
      Report Recipient     :
      Intervals            : 
      Found 8 User Objects
      Domain Default Password Age: 78162
      Process User Objects
      8 Users processed
      2 Users with expiring passwords within 30 Days
      Sending Email : expired              :
      Sending Email : misterbean           : 
      Cannot validate argument on parameter 'To'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
      UserName   Name        EmailAddress                 PasswordSet           DaysToExpire ExpiresOn            
      --------   ----        ------------                 -----------           ------------ ---------            
      misterbean Mister Bean                              10/19/1982 3:53:29 PM         -184 1/17/2018 3:53:29 PM 
      expired    expired   5/14/1774  10:16:47 AM          23 8/12/2018 10:16:47 AM
      Script Runtime: 00:00:00.6390607
    • The error shown above is because the user misterbean has no email address set in AD.
      The report not coming is a separate issue, try running again using logging. Check the junk mail/smtp server for issues with the report not arriving.
    • Hello Robert,
      No problem, I relaunched the script and it works now, even sending the report. So I don't know what was wrong with it.
  • Script stopped working for our Server 2016
    4 Posts | Last post July 26, 2018
    • Hey there,
      Currently our script running on Windows Server 2016 isn't working. We have a log that shows up if the user account meets the criteria to be sent an email and every time I see a user with "Yes" that person doesn't get the email. I changed the expiring days from 21 to 50 to get more users in the pool but that hasn't helped. I also changed the From email address to a user that has an E1 Office 365 license and then ran the scheduled task manually. I also tried enabling testing and have the emails go to me directly and that hasn't helped. What else can I look into? Would pasting some code in help?
    • Quick update. I changed the from address again, disabled the testing, and re-ran the task. Users who are supposed to be getting these emails are now getting them except that 4 of these users had their emails sent to me instead of themselves. Can you help troubleshoot with that?
    • Do those 4 users have email addresses defined in AD?
    • Ok, this can be closed. Our issue ended up being that some of the employees' email addresses never showed up in the AD General tab. I had to add them and then re-run the task and we were good.
  • Service not available; 4.3.2
    3 Posts | Last post July 16, 2018
    • I have set up a job to run this script and there are days where it runs fine.  However, there are days where I get the following error:  Service not available, closing transmission channel. The server response was: 4.3.2 Service not available.   Any clue what might be causing this error?
    • That sounds like your SMTP (or Exchange) server not responding. 
    • Yep, that's an issue on the SMTP side, for Exchange that error I think relates to lack of disk space.
  • Set to Test
    3 Posts | Last post July 12, 2018
    • Hi.   
      I'm using Version 2.7 November 2017
      I can't seem to enable the TESTING and therefore every time I test, it goes to all affected users.  Can you tell me the line of code I need to update please.
    • This command runs the script with testing enabled.
      PasswordChangeNotification.ps1 -smtpServer -expireInDays 21 -from "IT Support <>" -Logging -LogPath "c:\logFiles" -testing -testRecipient
      This command runs the script with testing disabled.
      PasswordChangeNotification.ps1 -smtpServer -expireInDays 21 -from "IT Support <>" -Logging -LogPath "c:\logFiles"
    • Thank you.
  • Inclusion of manager in communications
    4 Posts | Last post July 05, 2018
    • Any ways to expand this for the inclusion of the manager? I have tried to follow some untested code that you nicely published a few months back in response to someone else for this function but cannot for the life of me get it working.
      Our manager information is stored within Active Directory, we would like to have the manager included as a CC once the time to expire gets below a specific threshold of days. Eg, it notifies the person up until 5 days and then begins notifying the manager in addition to the user.
      Just trying to get it to send an email to a manager I have tried:
      -added Manager to Line 100 eg: properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress, Manager
      -Set a variable for notifications eg: $notifyManager = 5
      -Added If for emailing to the manager eg 
      if(($daysToExpire) -le $notifyManager)
      $manager = get-aduser $user.Manager -properties EmailAddress
      Send-Mailmessage -smtpServer $smtpServer -from $from -to $manager.EmailAddress -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
      The user has 3 days left on their password but no email is ever received by the manager. The original question was submitted by Bejje on February 19th.
      Really appreciate any help you can offer here and thank you so much for providing the script as is - it has proven very helpful! 
    • OK, so you have
      $notifyManager = 5
      if(($daysToExpire) -le $notifyManager)
      $manager = get-aduser $user.Manager -properties EmailAddress
      Send-Mailmessage -smtpServer $smtpServer -from $from -to $manager.EmailAddress -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
      What you have here looks ok.
      So I would add in some additional code to test it out.
      if(($daysToExpire) -le $notifyManager)
      $manager = get-aduser $user.Manager -properties EmailAddress
      Send-Mailmessage -smtpServer $smtpServer -from $from -to $manager.EmailAddress -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
    • Unfortunately still no luck on getting this one to work.  It runs through without any errors - but nothing is ever sent to the manager.
      I have tried to remove the If statement just to have it trigger but also cannot have this work with an error of "Cannot add a member with the name "SendMail" because a member with that name already exists."
      I was wondering if it was not grabbing the full email address so had tried:
      $notifyManager = 5
         if(($daysToExpire) -le $notifyManage)
      		$manager = get-aduser $user.Manager
      		get-aduser -filter * -property mail | Where {$_.distinguishedname -eq $Manager} | Select mail
      		Send-Mailmessage -smtpServer $smtpServer -from $from -to $manager.EmailAddress -subject $Subject -body $body -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop
      Still no email, same errors.
      I am not very strong with Powershell (which I am sure is abundantly obvious...) so I am sure it is something being missed on my side.
      Any further help with this would be such a fantastic help!
    • Drop me a line,
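The manager copy discussed in this thread, with the empty-address case behind the "Cannot validate argument on parameter 'To'" error quoted elsewhere on this page handled explicitly; this is an added example, not code from the original posts or the script. `Resolve-NotificationRecipient`, the `$mailByDn` lookup (a stand-in for `Get-ADUser $user.Manager -Properties EmailAddress`) and the sample accounts are constructed.

```powershell
function Resolve-NotificationRecipient {
    param(
        [Parameter(Mandatory)] $User,                  # needs EmailAddress, Manager, DaysToExpire
        [Parameter(Mandatory)] [hashtable] $MailByDn,  # manager DN -> mail (stand-in for an AD lookup)
        [int] $NotifyManager = 5
    )
    $plan = [pscustomobject]@{ User = $User.SamAccountName; To = $null; Cc = $null; Skip = $null }

    if ([string]::IsNullOrWhiteSpace($User.EmailAddress)) {
        # Send-MailMessage rejects a null or empty -To, so record the reason instead of sending.
        $plan.Skip = 'No EmailAddress set in AD'
        return $plan
    }
    $plan.To = $User.EmailAddress

    # Copy the manager only at or below the threshold, and only if an address resolves.
    if ([int]$User.DaysToExpire -le $NotifyManager -and $User.Manager) {
        $managerMail = $MailByDn[[string]$User.Manager]
        if (-not [string]::IsNullOrWhiteSpace($managerMail)) { $plan.Cc = $managerMail }
    }
    return $plan
}

# Constructed sample data; addresses use the reserved example.com domain.
$managerDn = 'CN=Pat Lee,OU=Staff,DC=example,DC=com'
$mailByDn  = @{ $managerDn = 'pat.lee@example.com' }
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   EmailAddress = 'jdoe@example.com';   Manager = $managerDn; DaysToExpire = 3 }
    [pscustomobject]@{ SamAccountName = 'asmith'; EmailAddress = 'asmith@example.com'; Manager = $managerDn; DaysToExpire = 12 }
    [pscustomobject]@{ SamAccountName = 'nomail'; EmailAddress = $null;                Manager = $null;      DaysToExpire = 2 }
)

$users |
    ForEach-Object { Resolve-NotificationRecipient -User $_ -MailByDn $mailByDn } |
    Format-Table -AutoSize
```

When sending, pass `-Cc` to Send-MailMessage only when the plan's Cc is set, and write the Skip reason to the log so accounts without an address are visible.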