Password Expiry Email Notification

Hi Robert,
Thanks for the script it helps a lot for me!
But I wonder I did set $testing = "Disabled" and $testRecipient = "<MY emailaddress>"
I run script and it isnt going to send to $emailaddress<the user's email address> 
even though user account has email address..
I'm the only one can receive report and notification email.

Did I make wrong?

I only  add or change value as belows:

# Set Output Formatting - Padding characters
$padVal = "90"


$smtpServer = "domain.XX.xxx"
$expireInDays = "90"
$from = "<EMAIL>"

$logging = "Enabled"
$logPath = "D:\PasswordExpirationNoti"

$testing = "Disabled"
$testRecipient = "<MYEMAIL>"

$reportto = "<MYEMAIL>"
$interval = 1,2,5,10

Hi Robert,
First of all thanks for the script is exactly what I was looking for,
I'm having an issue that maybe you can help me,
Whenever I run the script after I adjust to my company details I get this msg:

C:\Scripts\PasswordChangeNotification.ps1 : Cannot process argument transformation on parameter 'logging'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter". Boolean parameters accept only Boolean values and 
numbers, such as $True, $False, 1 or 0.
    + CategoryInfo          : InvalidData: (:) [PasswordChangeNotification.ps1], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,PasswordChangeNotification.ps1

Any idea what the issue can be?

Hi Robert thanks for a great script ,appreciate the work involved in setting it up.
I have an issue running the script in task scheduler. It works fine through powershell. When I run it in task scheduler it appears to run successfully, result (0x0), but it does not create a new log file or appear to send any email.
Here are the parameters

-ExecutionPolicy Bypass -File c:\gosys\passwordchangenotificationnew.ps1 -smtpServer aaa-com-au.mail.protection.outlook.com -from "IT Support <adminnoreply@gosys.com.au>" -expireInDays 15 -logging -logPath 'C:\GoSys' -interval 14,7,3,2,1

Use -command instead of -file.

get-aduser : Unable to find a default server with Active Directory Web Services running.
At E:\python-script\PasswordChangeNotification.ps1:132 char:10
+ $users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverE ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Found 0 User Objects
Get-ADDefaultDomainPasswordPolicy : Unable to find a default server with Active Directory Web Services running.
At E:\python-script\PasswordChangeNotification.ps1:137 char:27
+ ... swordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxP ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (BIZWESTAD:ADDefaultDomainPasswordPolicy) [Get-ADDefaultDomainPassw
   ordPolicy], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADDefaultDom
   ainPasswordPolicy

Sounds like you have an older domain, maybe 2008?
You need AD Web Services in able to use PowerShell AD Cmdlets.
https://blogs.msdn.microsoft.com/adpowershell/2009/04/06/active-directory-web-services-overview/

Hi Robert 

Thanks for the reply , We are using active directory on windows 2016 .
also  ADW service was not running , i started it .
but still its not working .
when i try to execute the command from powershell it returns below error 
PS C:\Users\administrator.BIZWESTAD> Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'Inacti
veClientData_SQL:636'
Get-ADUser : Server instance not found on the given port.
At line:1 char:1
+ Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
   ands.GetADUser

You need to refine your Get-ADuser query so that it returns results.

Hi Robert 

can you give me some more clarity ?

The script relies on results from Get-AdUser.

If your get-aduser command produces an error, or no results then the script has no data to work with.

Get-ADUser -filter *  -SearchBase 'OU=Users,DC=BIZWESTAD,DC=INFO'   -Server 'InactiveClientData_SQL:636'

So your command is generating an error from the -server parameter.
Is this actually your server address? 'InactiveClientData_SQL:636' 

What if you omit that parameter, does it return results?

Anyway to filter this to only look at accounts in a specific group rather than the whole domain?

Yes, easy.
This was made for the earlier version, but the method still works.
https://www.youtube.com/watch?v=4CX9qMcECVQ

Great script  - 
it runs fine within powershell 
however its doenst run when i put it into task scheduler

this is the command im entering 

-Command "d:/scripts/PasswordChangeNotification.ps1 -smtpServer nhex03 -expireInDays 21 -from 'IT Support<noreply@etelimited.co.uk' -reportTo paul.webber@etelimited.co.uk -status -interval 1,2,5,7,15"

d:/scripts/PasswordChangeNotification.ps1

try

d:\scripts\PasswordChangeNotification.ps1

I get a . on the subject line of the email, not sure how to get rid of it . any help or pointers as to how to get the period off the subject line . 

just a "." or is that included in the subject?

what is $subject set to?
on the send-mailmessage line, what is -subject set to?

Great script. Log File is showing Sendmail = Ok, but there is no email send when using the -interval option.

Powershell.exe -Command C:\Path\PasswordChangeNotification.ps1 -smtpServer smtp.server.nl -expireInDays 28 -from "helpdesk@domain.com" -Logging -LogPath "C:\path\LogFiles" -testing -testRecipient test@domain.com -interval "0,1,7,14,28"

dont put the interval inside quotes.

Great script, been using it for several months now and the amount of requests from users who are locked out because they didn't change their password in time has decreased. However, I just noticed that some folks aren't getting the notification because their email domain is not the same as the primary domain. My AD domain is mycompany.int. User log-in accounts are first.last@mycompany.com, or a subsidiary company first.last@othercompany.com. I happen to have @othercompany.com for my email address. I received the pop-up to change my password as it was expiring in the taskbar, so I do get Windows alerts. I did not notice my address in the daily password report I run, and I also noticed no other users with @othercompany.com addresses have appeared. I think they did at one time, and so maybe it's an O365 change, as I didn't make a change in your script. Would there be some reason why your script only sends to @mycompany.com email addresses? The account I use to send the alerts to users and the daily report is password.reminder@mycompany.com. The only time an email wasn't sent out was when the email field of the user account was blank. Any way to make sure all users, even the @mycompany.int ones, which I know will fail, will get an email? The @mycompany.int accounts are admin accounts, and I can email those user's regular account to let them know to change the admin account password. Thanks again for the great script.

It will attempt to send the message to whatever $emailAddress is set as. The log should tell you what address the notification was sent to, or attempted to be sent to.

It is possible if the domain is external it wont allow you to relay emails, and you will need to use authentication.

Log doesn't show attempts to send to any of the @othercompany.com domains - they are still internal, just another domain on the DC. Users with the @othercompany.com domain are mixed in the same OU, so it's not having to check a specific one.

Is there a way to run the script to check for a specific user? Then I see if it finds the handful of @othercompany.com users.

Might need more info on your environment.

Are all your email domains on Office 365?
Are all the email addresses stored in AD?

Sorry for late reply. Email domains on O365, email addresses stored in the "E-Mail Address" field on local AD. I run the script from the DC as well.

Are you able to use powershell send-mailmessage to email that domain seperately to the script?

Yes, Tried a test message to @othercompany.com from password.reminder@mycompany.com, and it came through. I get the daily reports as well, and my email is myemail@othercompany.com.

hi Robert

I will be trying your script for first time
If I run the script with 'testing' enabled and specify a 'testrecipient' then the script will send mail only to the test recipient with the list of users that will be sent reminder mail ?

thanks

It should send the individual emails that would otherwise go to each user, to the test recipient.