Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

4.6 Star
80,343 times
Add to favorites
Active Directory
E-mail Twitter Digg Facebook
Sign in to ask a question

  • 2 domains, one email server.
    7 Posts | Last post July 11, 2019
    • Robert
      I have been using your script for a few years and it works great.  We recently added a new firm utilizing much of our IT infrastructure.  We have setup a domain trust between Domain A and Domain B.   Domain A is the one I have been using for a while with no issue.   I have setup the same script with the same switches to run on Domain B using the Same SMTP server by IP address.   When I run the script on Domain B I see the log is generated for the correct users within Domain B.  However, IF a password is set to expire within the "SendEmail" window I am receiving the following error.   "Unable to read data from the transport connection: net_io_connectionclosed"  I am also not receiving the email report.   Any advice from anyone would be greatly appreciated. 
    • Side note we are using Linked mailboxes for Domain B on the Exchange Server.
    • Where in DomainB is the script running and does it have permission to connect to the SMTP server?
    • Robert
      I have the script running directly on the DC of domain B.  It should have permission to the SMTP server as it is serving Domain B users regular email.   
      Here is what happens when I try to run just the Send-Mail command directly on the server that is running the script.   I am using the IP address of the SMTP server
      Send-Mailmessage -smtpServer x.x.x.x -from -to -subject HardTest -body blahahahaha -bodyasHTML -priority High | Add-Member -MemberType NoteProperty -Name SendMail -Value "OK"
      Send-Mailmessage : Unable to read data from the transport connection: net_io_connectionclosed.
      At line:1 char:1
      + Send-Mailmessage -smtpServer x.x.x.x -from ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
          + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
    • Do you have any logs from the smtp server?
    • I do and it states account not found, but gMSA's can not have email boxes. 
      Any suggestions?
      ,"220 ExchangeServer.Domain.local Microsoft ESMTP MAIL Service ready at Tue, 9 Jul 2019 10:16:57 -0400",
      ,EHLO ClientServerName,
      ,AUTH ntlm,
      ,334 <authentication response>,
      ,Could not find user Domain\gMSA-01$
      ,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful. User not found',
      ,221 2.0.0 Service closing transmission channel,
      ,535 5.7.3 Authentication unsuccessful. User not found,
    • In that case you may need to provide credentials of an account authorised to relay email. Running the script as the gMSA should be fine, the smtp credentials can be for a different account.
  • gMSA Accounts generating Error
    2 Posts | Last post July 09, 2019
    • We have been using this PowerShell script for about a year now and it has been working with standard AD user account. Recently we have started to switch over to using gMSA (group Managed Service Accounts). It is running on a windows server 2012 R2 system and executed by a scheduled task daily. All on prem. 
      I import the gMSA into the scheduled task that runs this script and the script does runs from the point of view of the Task Scheduler, and the PowerShell script executes. I can see the powershell.exe running under the name of the gMSA in the task manager. However, the script reports back into the scripts log file "Unable to read data from the transport connection: net_io_connectionclosed.", and the users do not receive the email notification. The script is going out to AD and getting the names needed. Then it steps through the email process and I believe that the failure is coming from the MSA not able to communicate to exchange to send the email. I have added the MSA to the local secpol > “Log on as a batch job”. I also temporarily added the MSA to the local Administrators Group with no positive effect, so I removed it from Admin group. I also tried to add the –credentials property to the Send-mailmessage command and tried to passed it my credentials, my Admin credentials and the old service accounts credentials, and none of them were causing a positive effect. They were causing a different error message in the scripts log "Cannot process argument transformation on parameter 'Credential'. Access is denied" All this to simply say, How do I get a managed service account to run a scheduled task that runs this PowerShell script to sends e-mail messages via internal 2016 exchange.
      Does it have to do with the fact that the gMSA can not have a mailbox?
      does the account need specific permission to function with an gMSA?
      Thank you for your help.
    • Do you have any logs from the smtp server?
  • I wonder recipient is still test recipient.
    1 Posts | Last post July 03, 2019
    • Hi Robert,
      Thanks for the script it helps a lot for me!
      But I wonder I did set $testing = "Disabled" and $testRecipient = "<MY emailaddress>"
      I run script and it isnt going to send to $emailaddress<the user's email address> 
      even though user account has email address..
      I'm the only one can receive report and notification email.
      Did I make wrong?
      I only  add or change value as belows:
      # Set Output Formatting - Padding characters
      $padVal = "90"
      $smtpServer = ""
      $expireInDays = "90"
      $from = "<EMAIL>"
      $logging = "Enabled"
      $logPath = "D:\PasswordExpirationNoti"
      $testing = "Disabled"
      $testRecipient = "<MYEMAIL>"
      $reportto = "<MYEMAIL>"
      $interval = 1,2,5,10
  • Cannot process argument transformation on parameter 'logging'
    1 Posts | Last post June 24, 2019
    • Hi Robert,
      First of all thanks for the script is exactly what I was looking for,
      I'm having an issue that maybe you can help me,
      Whenever I run the script after I adjust to my company details I get this msg:
      C:\Scripts\PasswordChangeNotification.ps1 : Cannot process argument transformation on parameter 'logging'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter". Boolean parameters accept only Boolean values and 
      numbers, such as $True, $False, 1 or 0.
          + CategoryInfo          : InvalidData: (:) [PasswordChangeNotification.ps1], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : ParameterArgumentTransformationError,PasswordChangeNotification.ps1
      Any idea what the issue can be?
  • Task scheduler script running issue
    2 Posts | Last post June 12, 2019
    • Hi Robert thanks for a great script ,appreciate the work involved in setting it up.
      I have an issue running the script in task scheduler. It works fine through powershell. When I run it in task scheduler it appears to run successfully, result (0x0), but it does not create a new log file or appear to send any email.
      Here are the parameters
      -ExecutionPolicy Bypass -File c:\gosys\passwordchangenotificationnew.ps1 -smtpServer -from "IT Support <>" -expireInDays 15 -logging -logPath 'C:\GoSys' -interval 14,7,3,2,1
    • Use -command instead of -file.
  • error while running the script to connect to AD
    6 Posts | Last post June 10, 2019
    • get-aduser : Unable to find a default server with Active Directory Web Services running.
      At E:\python-script\PasswordChangeNotification.ps1:132 char:10
      + $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverE ...
      +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
          + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADUser
      Found 0 User Objects
      Get-ADDefaultDomainPasswordPolicy : Unable to find a default server with Active Directory Web Services running.
      At E:\python-script\PasswordChangeNotification.ps1:137 char:27
      + ... swordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxP ...
      +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ResourceUnavailable: (BIZWESTAD:ADDefaultDomainPasswordPolicy) [Get-ADDefaultDomainPassw
         ordPolicy], ADServerDownException
          + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADDefaultDom
    • Sounds like you have an older domain, maybe 2008?
      You need AD Web Services in able to use PowerShell AD Cmdlets.
    • Hi Robert 
      Thanks for the reply , We are using active directory on windows 2016 .
      also  ADW service was not running , i started it .
      but still its not working .
      when i try to execute the command from powershell it returns below error 
      PS C:\Users\administrator.BIZWESTAD> Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'Inacti
      Get-ADUser : Server instance not found on the given port.
      At line:1 char:1
      + Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   - ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
          + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
    • You need to refine your Get-ADuser query so that it returns results.
    • Hi Robert 
      can you give me some more clarity ?
    • The script relies on results from Get-AdUser.
      If your get-aduser command produces an error, or no results then the script has no data to work with.
      Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'InactiveClientData_SQL:636'
      So your command is generating an error from the -server parameter.
      Is this actually your server address? 'InactiveClientData_SQL:636' 
      What if you omit that parameter, does it return results?
  • Searching only specific group users
    2 Posts | Last post June 06, 2019
    • Anyway to filter this to only look at accounts in a specific group rather than the whole domain?
    • Yes, easy.
      This was made for the earlier version, but the method still works.
  • task scheduler
    2 Posts | Last post June 06, 2019
    • Great script  - 
      it runs fine within powershell 
      however its doenst run when i put it into task scheduler
      this is the command im entering 
      -Command "d:/scripts/PasswordChangeNotification.ps1 -smtpServer nhex03 -expireInDays 21 -from 'IT Support<' -reportTo -status -interval 1,2,5,7,15"
    • d:/scripts/PasswordChangeNotification.ps1
  • subject line "."
    2 Posts | Last post May 23, 2019
    • I get a . on the subject line of the email, not sure how to get rid of it . any help or pointers as to how to get the period off the subject line . 
    • just a "." or is that included in the subject?
      what is $subject set to?
      on the send-mailmessage line, what is -subject set to?
  • Not sending email
    2 Posts | Last post May 23, 2019
    • Great script. Log File is showing Sendmail = Ok, but there is no email send when using the -interval option.
      Powershell.exe -Command C:\Path\PasswordChangeNotification.ps1 -smtpServer -expireInDays 28 -from "" -Logging -LogPath "C:\path\LogFiles" -testing -testRecipient -interval "0,1,7,14,28"
    • dont put the interval inside quotes.
21 - 30 of 534 Items