Password Expiry Email Notification

I am very new to PS scripting so excuse the simple question.  How do I enter the values for smtpServer, expiry days, and From email in the script so it won't prompt every time it runs.

Tanks.

You dont write them in the script, you write them when you run the script..

EXAMPLE 
 PasswordChangeNotification.ps1 -smtpServer mail.domain.com -expireInDays 21 -from "IT Support <support@domain.com>" -reportTo myaddress@domain.com

Hi can someone help me understanding why my output looks like the below? 

UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail

Name, Name	Email@Email.dk   8/17/2019 14:00	-73	8/17/2019 14:00	OK

But look at the password set and DaysToExpire and ExpiresOn?? Something is wrong... I'm using the group solution and not users...

Oh, I can see our password policy says MaxPasswordAge              : 00:00:00... 

Could I change the script so it knows that our MaxPasswordAge is 90 days? or should I change the MaxPasswordAge on my domain?

First of, as you been told many times, its a awesome script you have created! :)

TLDR Question:
Is there a way to exclude a specific path without using "where"?

The Backstory:
We have a small subsidiary company in another country, but we have not divided up our AD based on country. That company uses a different mailbox for support cases and have requested to have the email in a different language.


The Issue:
So i am using two different scripts, One for "Language A" and one for "Language B".
In Script A i use -searchbase to tell the script to only run that specific path
"OU=SPECIFICPATH,OU=Company,DC=DOMAIN,DC=local"

But for Script B i would like to find a way not to use a double "where" as you can see below, as that will make the script run much slower. Script B have its searchbase set to: "OU=Company,DC=DOMAIN,DC=local"

| where { $_.passwordexpired -eq $false} | where {$_.DistinguishedName -notlike "$OUexclude"}

Excluding OUs is possible, but not straight forward.

I think it was asked previously.

One way is as you have described.

Another would be to add a check into the section that starts around line 146 
foreach ($user in $users)

Then what we would be doing is checking the users OU Path, either using their distinguishedName or CanonicalName (whichever you prefer) Canonical Name is probably easier, you could then add a value in the PSObject for their language to save you running two separate scripts, or just to use that value to exclude them.

Another way to do it would be to use a value in AD, that you are not already making use of, FaxNumber perhaps and filter them with Get-AdUser -filter {FaxNumber -ne en-gb } 

Hope that is of some use. 

Hi Robert,

Great script, been using it and it works perfectly.
I have a case where I need the script to send the email to a specific email address if the email address field in AD is empty. Probably an easy way to do this, could you help, please?

By default if AD does not have a valid emails address, it will send to $testRecipient.

In the script we have this line:
    # If a user has no email address listed
    if (($emailaddress) -eq $null)
    {
        $daystoexpire = "100"    
    }# End No Valid Email

Can I change this to:
if (($emailaddress) -eq $null)
{
$emailaddress = "email@company.com"
}

And it should work, yeah?

Sure.

Tested yesterday, got it to work. Thanks!

Hi Robert, what about expired passwords? I tried to set the expireInDays 0 and accounts were not listed

You need to review the get-aduser cmdlet, there is a 'where-object' applied which filters out expired passwords. 

Also expired passwords are likely to have a negative value for $expireInDays.

Hi Rob, I have tried that to no avail. It shows the Expire in Days: -200 but yet 0 users are processed. I know that the there are users who passwords are expired. 

okso try this,

get-aduser -filter * -properties passwordlastset,passwordexpired | select name, passwordlastset,passwordexpired

what do you get?

I'm looking to implement this script on our network, and am just doing some testing before rollout.
One quick thing. I'd like to change the format of the email contents so it starts with 'Dear <firstname>, rather than the current 'Dear <surname, firstname,>. I'd feel using the A/D attribute 'givenName' would be better, but can't seem to get that to work in your script.
Example, at the moment, the email looks like;

Dear Doe, John,

Thanks

Just add a line around 149,

$givenName = $user.GivenName

Then change Dear $name, to Dear $givenName,

I am able to send report to the mentioned email but not able to send email to test recipient or users directly
I am using below command
.\PasswordChangeNotification.ps1 -smtpServer "mail.xyz.com" -expireInDays 21 -from "Windows.admin@xyz.com" -Logging -LogPath "C:\PasswordLogs" -reportTo "shweta@xyz.com"

The report which is generated shoes Skipped-interval in send mail tab against each user whos password is getting expired

Can send the log and script to https://windowsserveressentials.com/support

I had the same issue using the the following syntax:

-smtpServer smtphost.ourdomain.example -expireInDays 21 -from "Someuser AD<noreply@ourdomain.example>" -Logging -LogPath "c:\temp\pwdreminder" -reportTo myself@ourdomain.example -interval 0,1,2,5,10,15

Adding -status at the end of the parameter list seems to have gotten over the issue. I have not looked at the code to see why that would be, but it seems to do the trick.

-smtpServer smtphost.ourdomain.example -expireInDays 21 -from "Someuser AD<noreply@ourdomain.example>" -Logging -LogPath "c:\temp\pwdreminder" -reportTo myself@ourdomain.example -interval 0,1,2,5,10,15 -status

Disregard my previous statement - adding status to the command line did not help. 

The problem was caused by running the script with the "-file" method than "-command". When using the "-file" method the -interval paramenter is corrupted/ignored if using more than one interaval.

So the command for the scheduled task should be something along the line of: 

powershell.exe -command "C:\scripts\PasswordChangeNotification.ps1 -smtpServer mail.example.com -expireInDays 21 -from 'Password Notify<noreply@example.com>' -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status"

and not: 

powershell -file "C:\scripts\PasswordChangeNotification.ps1" -smtpServer mail.example.com -expireInDays 21 -from "Password Notify<noreply@example.com>" -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status

Pay attention to how you enclose the command with quotes, as the entire text following -command should be qouted with doubleqouetes, and any parameter inside with spaces shoud use single quotes.

See this video for details: https://www.youtube.com/watch?v=xbzxWOarVuk

Solution to T Nilsen works. Tested and confirmed ok. Thanks T Nilsen!

powershell -file "C:\scripts\PasswordChangeNotification.ps1" -smtpServer mail.example.com -expireInDays 21 -from "Password Notify<noreply@example.com>" -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status

Pay attention to how you enclose the command with quotes, as the entire text following -command should be qouted with doubleqouetes, and any parameter inside with spaces shoud use single quotes.

Correction:
powershell.exe -command "C:\scripts\PasswordChangeNotification.ps1 -smtpServer mail.example.com -expireInDays 21 -from 'Password Notify<noreply@example.com>' -Logging -LogPath c:\temp\pwdreminder -reportTo admin@example.com -interval 1,2,5,10,15 -status"

Yes, in fact i have never suggested using -file, and the videos i have made on scheduling all use -command.

Hi Robert,
I have a question.
the prompt request  window of user credential when run powershell,prompt 12 time same the users count. 
thank you.

is that when it is trying to send an email?

Hi,

I've been using this script some months now but on 04/07/2019 it stopped working.

Error:
The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM [AM0PR04CA
0023.eurprd04.prod.outlook.com]

This is the scheduled task:
C:\Scripts\PasswordChangeNotification.ps1 -smtpServer smtp.office365.com -expireInDays 7 -from 'IT Services <itservices@xx.xxx>' -Logging -LogPath 'C:\Scripts\Logs'-reportTo itservices@xx.xxx -interval 7,5,3,1

* Scheduled task runs on Windows Server 2012R2 (Domain controller)
* Email service: Office365 (Cloud)

Any idea why it stopped working?
I've searched Q&A but didn't found a solution.

You may need to review smtp ceredentials, tls, and the port number for office 365.

Robert, you script has been working great for my organization, but the TLS SMTP Authentication it uses is one be deprecated by Microsoft - https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Investigating-TLS-usage-for-SMTP-in-Exchange-Online/ba-p/609278

Any tips/hints on a work around for this or an update to the script so that it will use TLS 1.2?

Please see below Q&A there is some guidance.

Found it. Thanks.