Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days. I have now moved it to GitHub -

Active Directory
  • I wonder recipient is still test recipient.
    1 Posts | Last post July 03, 2019
    • Hi Robert,
      Thanks for the script, it helps me a lot!
      But I wonder, I did set $testing = "Disabled" and $testRecipient = "<MY emailaddress>".
      I run the script and it isn't going to send to $emailaddress <the user's email address>
      even though the user account has an email address.
      I'm the only one who can receive the report and notification email.
      Did I do something wrong?
      I only added or changed values as below:
      # Set Output Formatting - Padding characters
      $padVal = "90"
      $smtpServer = ""
      $expireInDays = "90"
      $from = "<EMAIL>"
      $logging = "Enabled"
      $logPath = "D:\PasswordExpirationNoti"
      $testing = "Disabled"
      $testRecipient = "<MYEMAIL>"
      $reportto = "<MYEMAIL>"
      $interval = 1,2,5,10
  • Cannot process argument transformation on parameter 'logging'
    1 Posts | Last post June 24, 2019
    • Hi Robert,
      First of all, thanks for the script; it is exactly what I was looking for.
      I'm having an issue that maybe you can help me with.
      Whenever I run the script after adjusting it to my company details, I get this message:
      C:\Scripts\PasswordChangeNotification.ps1 : Cannot process argument transformation on parameter 'logging'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter". Boolean parameters accept only Boolean values and 
      numbers, such as $True, $False, 1 or 0.
          + CategoryInfo          : InvalidData: (:) [PasswordChangeNotification.ps1], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : ParameterArgumentTransformationError,PasswordChangeNotification.ps1
      Any idea what the issue can be?
  • Task scheduler script running issue
    2 Posts | Last post June 12, 2019
    • Hi Robert, thanks for a great script, appreciate the work involved in setting it up.
      I have an issue running the script in task scheduler. It works fine through powershell. When I run it in task scheduler it appears to run successfully, result (0x0), but it does not create a new log file or appear to send any email.
      Here are the parameters
      -ExecutionPolicy Bypass -File c:\gosys\passwordchangenotificationnew.ps1 -smtpServer -from "IT Support <>" -expireInDays 15 -logging -logPath 'C:\GoSys' -interval 14,7,3,2,1
    • Use -command instead of -file.
  • error while running the script to connect to AD
    6 Posts | Last post June 10, 2019
    • get-aduser : Unable to find a default server with Active Directory Web Services running.
      At E:\python-script\PasswordChangeNotification.ps1:132 char:10
      + $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverE ...
      +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
          + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADUser
      Found 0 User Objects
      Get-ADDefaultDomainPasswordPolicy : Unable to find a default server with Active Directory Web Services running.
      At E:\python-script\PasswordChangeNotification.ps1:137 char:27
      + ... swordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxP ...
      +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ResourceUnavailable: (BIZWESTAD:ADDefaultDomainPasswordPolicy) [Get-ADDefaultDomainPassw
         ordPolicy], ADServerDownException
          + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADDefaultDom
    • Sounds like you have an older domain, maybe 2008?
      You need AD Web Services in order to use PowerShell AD cmdlets.
    • Hi Robert,
      Thanks for the reply. We are using Active Directory on Windows 2016.
      Also, the ADW service was not running; I started it,
      but it's still not working.
      When I try to execute the command from PowerShell it returns the error below:
      PS C:\Users\administrator.BIZWESTAD> Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'Inacti
      Get-ADUser : Server instance not found on the given port.
      At line:1 char:1
      + Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   - ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
          + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
    • You need to refine your Get-ADuser query so that it returns results.
    • Hi Robert,
      can you give me some more clarity?
    • The script relies on results from Get-AdUser.
      If your get-aduser command produces an error, or no results then the script has no data to work with.
      Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'InactiveClientData_SQL:636'
      So your command is generating an error from the -server parameter.
      Is this actually your server address? 'InactiveClientData_SQL:636' 
      What if you omit that parameter, does it return results?
  • Searching only specific group users
    2 Posts | Last post June 06, 2019
    • Any way to filter this to only look at accounts in a specific group rather than the whole domain?
    • Yes, easy.
      This was made for the earlier version, but the method still works.
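Added example, not part of the reply above and not the script's own code: one way to scope the user query to a single group (nested members included) and list only accounts whose password expires on a notification day. The group name `PasswordNotify-Pilot` and the variable names are assumptions; `$interval` reuses the values posted earlier on this page.

```powershell
# Added example. 'PasswordNotify-Pilot' is a hypothetical group name.
Import-Module ActiveDirectory

$groupName = 'PasswordNotify-Pilot'   # hypothetical
$interval  = 1, 2, 5, 10              # days before expiry that trigger a notice

$groupDn = (Get-ADGroup -Identity $groupName -ErrorAction Stop).DistinguishedName

# Escape characters that are special inside an LDAP filter value (RFC 4515).
$dnEscaped = $groupDn -replace '\\', '\5c' -replace '\*', '\2a' `
                      -replace '\(', '\28' -replace '\)', '\29'

# memberOf with matching rule 1.2.840.113556.1.4.1941 follows nested groups.
# userAccountControl bit 2 = account disabled, bit 65536 = password never expires.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              "(memberOf:1.2.840.113556.1.4.1941:=$dnEscaped)" +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'

$users = Get-ADUser -LDAPFilter $ldapFilter -ErrorAction Stop `
                    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$today = (Get-Date).Date
$due = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = pwdLastSet is 0 (must change at next logon); Int64.MaxValue = no expiry applies.
    # Neither is a real date, and FromFileTime() throws on the latter.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires = [datetime]::FromFileTime($raw)
    $days    = [int](($expires.Date - $today).TotalDays)
    if ($interval -contains $days) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            HasMail        = -not [string]::IsNullOrWhiteSpace($u.mail)
            Expires        = $expires
            DaysToExpire   = $days
        }
    }
}

# Accounts with HasMail = False cannot be notified until the mail attribute is set.
$due | Sort-Object DaysToExpire | Format-Table -AutoSize
```

The `memberOf` filter does not match users who belong to the group only through their primary group, and the computed expiry attribute already reflects any fine-grained password policy applied to the account.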
  • task scheduler
    2 Posts | Last post June 06, 2019
    • Great script -
      it runs fine within PowerShell,
      however it doesn't run when I put it into Task Scheduler.
      This is the command I'm entering:
      -Command "d:/scripts/PasswordChangeNotification.ps1 -smtpServer nhex03 -expireInDays 21 -from 'IT Support<' -reportTo -status -interval 1,2,5,7,15"
    • d:/scripts/PasswordChangeNotification.ps1
  • subject line "."
    2 Posts | Last post May 23, 2019
    • I get a . on the subject line of the email, not sure how to get rid of it. Any help or pointers as to how to get the period off the subject line.
    • Just a "." or is that included in the subject?
      What is $subject set to?
      On the Send-MailMessage line, what is -subject set to?
  • Not sending email
    2 Posts | Last post May 23, 2019
    • Great script. Log File is showing Sendmail = Ok, but there is no email sent when using the -interval option.
      Powershell.exe -Command C:\Path\PasswordChangeNotification.ps1 -smtpServer -expireInDays 28 -from "" -Logging -LogPath "C:\path\LogFiles" -testing -testRecipient -interval "0,1,7,14,28"
    • Don't put the interval inside quotes.
  • Multiple email domains, one AD domain
    7 Posts | Last post May 21, 2019
    • Great script, been using it for several months now and the amount of requests from users who are locked out because they didn't change their password in time has decreased. However, I just noticed that some folks aren't getting the notification because their email domain is not the same as the primary domain. My AD domain is User log-in accounts are, or a subsidiary company I happen to have for my email address. I received the pop-up to change my password as it was expiring in the taskbar, so I do get Windows alerts. I did not notice my address in the daily password report I run, and I also noticed no other users with addresses have appeared. I think they did at one time, and so maybe it's an O365 change, as I didn't make a change in your script. Would there be some reason why your script only sends to email addresses? The account I use to send the alerts to users and the daily report is The only time an email wasn't sent out was when the email field of the user account was blank. Any way to make sure all users, even the ones, which I know will fail, will get an email? The accounts are admin accounts, and I can email those user's regular account to let them know to change the admin account password. Thanks again for the great script.
    • It will attempt to send the message to whatever $emailAddress is set as. The log should tell you what address the notification was sent to, or attempted to be sent to.
      It is possible, if the domain is external, that it won't allow you to relay emails, and you will need to use authentication.
    • Log doesn't show attempts to send to any of the domains - they are still internal, just another domain on the DC. Users with the domain are mixed in the same OU, so it's not having to check a specific one.
      Is there a way to run the script to check for a specific user? Then I see if it finds the handful of users.
    • Might need more info on your environment.
      Are all your email domains on Office 365?
      Are all the email addresses stored in AD?
    • Sorry for late reply. Email domains on O365, email addresses stored in the "E-Mail Address" field on local AD. I run the script from the DC as well.
    • Are you able to use PowerShell Send-MailMessage to email that domain separately from the script?
    • Yes, Tried a test message to from, and it came through. I get the daily reports as well, and my email is
  • clarification about the testing parameter
    2 Posts | Last post May 20, 2019
    • Hi Robert,
      I will be trying your script for the first time.
      If I run the script with 'testing' enabled and specify a 'testrecipient', then the script will send mail only to the test recipient with the list of users that will be sent reminder mail?
    • It should send the individual emails that would otherwise go to each user, to the test recipient.