Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

 
 
 
 
 
Active Directory
8/7/2018


  • Send-MailMessage Error
    2 Posts | Last post December 21, 2013
    • I get the below message 6 times when the script runs. I do though receive an E-Mail about the password expire. There are 100+ users in the domain. Only about 5 of them have their E-Mail address set in Users and Computers.
      I am trying to figure out why I get it 6 times? The E-Mail addresses are correct in Users and Computers. Is this because maybe the majority of the users do not have an E-Mail set on their account?
      
      Thanks...
      
      Send-MailMessage : Cannot validate argument on parameter 'To'. The argument is null or empty. Supply an argument that i
      s not null or empty and then try the command again.
      At C:\download\pwscript\PasswordChangeNotification.ps1:43 char:61
      +     Send-Mailmessage -smtpServer $smtpServer -from $from -to <<<<  $emailaddress -subject $subject -body $body -bodya
      sHTML -priority High
          + CategoryInfo          : InvalidData: (:) [Send-MailMessage], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.SendMailMessage
      
    • If there is no email address set in the properties of their account then there is no email address for the script to find.
      
      Second, as to why you get 6 emails - who are they addressed to, are there any duplicates?
  • Negative numbers
    8 Posts | Last post December 03, 2013
    • I seem to be getting negative numbers for users that have recently changed their password.  For example: Your Password will expire in -19 days.  Any ideas?
      
      Thanks.
    • I haven't seen that behaviour myself, perhaps you can contact me offline?
    • I had somewhat the same issue before I noticed a typo on line 19 ($PassworldPol - notice the unwanted 'l' there).
      
      My guess is that you've implemented fine grained password policies in your domain, with the proper password age set. In the meantime you have a default domain policy that sets the max password age to 0 ( = no limit, even though no user in your domain is affected by this part of the default domain policy, hence the fine grained password policies).
      
      But the If statement on line 19 (corrected in the newest version) is faulty, so the variable maxPasswordAge is based on rules set in the Default Domain Policy.
      
      So the variable $expireson becomes the same value as $passwordsetdate and the variable $daystoexpire will (if my assumptions are correct) get a negative value.
      
      Perhaps an overkill reply, but kind of wanted to walk it through myself as well :)..
      
      Cheers
    • I have tested on several domains with and without FGP and I have not seen a negative value occur.
      
      Will do some more testing.
    • Try running the following ($maxPasswordAge is set to 0 to represent a Default Domain Password Policy with no restrictions whatsoever. If you have a domain with this setting, replace with $maxPasswordAge=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge to get a more precise test scenario).
      
      $passwordSetDate = (get-aduser SomeUser -properties * | foreach { $_.PasswordLastSet })
      $maxPasswordAge=0
      $expireson=$passwordSetDate + $maxPasswordAge
      $today = (Get-Date)
      $daystoexpire=(New-TimeSpan -Start $today -End $Expireson).Days
      echo $daystoexpire
      
      This gave me a negative value in some cases.
    • I don't know why you would be running this script when you had a password age of 0 - Unless some users were contained within an FGP - in which case it would be easy enough to tweak the script to filter those people out from getting emails. 
    • OK what you could do is this.
      
      Change Line 41 to:
      if (($daystoexpire -ge "0") -and ($daystoexpire -lt $expireindays))
      
      This should prevent anyone with a negative value from getting an email.
    • That looks to have fixed the problem.  Thank you for your help and the script.
  • Typo on line 19
    3 Posts | Last post December 02, 2013
    • Just a little correction: on line 19 in the if statement there's a typo. Instead of checking the variable PasswordPol it's looking for PassworldPol, which results in it always setting the variable maxPasswordAge based on the Default Domain Policy.
      
      Cheers,
      Pelle
    • Oops will fix that!
    • Sweet, I forgot to say thank you for an awesome script, btw!
  • Why does it send duplicate alerts to some AD users?
    4 Posts | Last post November 28, 2013
    • First of all, nice script and very useful!  It has been working fine.
      However, recently it seems to send duplicate alerts to some (not all) AD users.  Any ideas?
    • Are they actually duplicates, or is it possible the email for user A is forwarding to user B so they see a second reminder?
    • Hi Robert
      Yes they are duplicate messages and there is no forwarding between user A to User B.  The script has been working fine until now.  I am trying to trace the issue but any thoughts/ideas would be appreciated. Thanks.
    • Hi Robert
      I have downloaded the script again and modified accordingly.  The only thing I have added to the script is bcc details so we get a copy along with each user.  Tested and it seems to be working fine.  I will keep you updated if that changes.  So I don't know what happened as it was working fine.
      Must thank you for good and useful script though.
  • update...ran ./password change notification.ps1
    3 Posts | Last post November 24, 2013
    • It ran without error.  I only changed:
      $smtpServer="server.northamerica.bergquistcompany.com"
      $from = "myname@bergquistcompany.com"
      $expireindays = 14
      
      I am not getting email though and I'm running from 2012 any suggestions?
      I also tried from 2008 and got the same thing where it runs fine but no email
    • You should try to manually send an email via PowerShell because it may be due to settings on the mail server that the email was not sent / relayed.
    • Thanks for tips
  • UTF8-encoding
    2 Posts | Last post November 22, 2013
    • Hi!
      
      Awesome script, just deployed it at my workplace, after doing a couple of changes.
      To enable support for Scandinavian characters such as øæå, I did the following:
      
      Added this to the top, in the configurable variables:
      $encoding = [System.Text.Encoding]::UTF8
      
      And changed Send-Mailmessage to include the set encoding:
      Send-Mailmessage -smtpServer $smtpServer -from $from -to $emailaddress -subject $subject -body $body -bodyasHTML -priority High -Encoding $encoding
    • That's awesome!
  • Receiving the below error. Script runs, and I receive an email with the user and amount of days until expiration, but concerned about the error.
    2 Posts | Last post November 22, 2013
    • Send-MailMessage : Cannot validate argument on parameter 'To'. The argument is null or empty. Supply an argument that i
      s not null or empty and then try the command again.
      At C:\it\scripts\PCN.ps1:43 char:61
      +     Send-Mailmessage -smtpServer $smtpServer -from $from -to <<<<  $emailaddress -subject $subject -body $body -bodya
      sHTML -priority High
          + CategoryInfo          : InvalidData: (:) [Send-MailMessage], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.SendMailMessage
    • How many errors do you get - is it possible that some users do not have email addresses?
  • Adding another email
    2 Posts | Last post November 22, 2013
    • Hi,
      
      Great script.  Got it working. I was wondering how I could add an additional email to send to, so it emails the user and also a static email address for an admin, so they know what users have expiring passwords.
    • On the send mail line you can do this..
      
      Send-Mailmessage -smtpServer $smtpServer -from $from -to $emailaddress -cc $cc -subject $subject -body $body -bodyasHTML -priority High
      
      Where $cc = the email address you want to use.
  • Getting an error
    5 Posts | Last post November 12, 2013
    • Some emails are being sent without a number of days in them.   It is just blank.  I get:
      
      Cannot convert argument "1", with value: "", for "op_Addition" to type "System.
      TimeSpan": "Cannot convert null to type "System.TimeSpan"."
      At C:\scripts\Password Change Notification.ps1:21 char:34
      +   $expireson = $passwordsetdate + <<<<  $maxPasswordAge
          + CategoryInfo          : NotSpecified: (:) [], MethodException
          + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
      
      New-TimeSpan : Cannot bind parameter 'End' to the target. Exception setting "En
      d": "Object reference not set to an instance of an object."
      At C:\scripts\Password Change Notification.ps1:23 char:51
      +   $daystoexpire = (New-TimeSpan -Start $today -End <<<<  $Expireson).Days
          + CategoryInfo          : WriteError: (:) [New-TimeSpan], ParameterBinding
         Exception
          + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Comm
         ands.NewTimeSpanCommand
      
      Any ideas?
    • Is it working for some and not others?
      
      Would be interested to know what is different about the accounts. You can contact me via my blog if you want to work together to solve the problem.
    • I am having this same issue. In fact it looks like all of my users received the email notice due to it not being able to either pull the data from the variables in or not able to calculate the $expireson = $passwordsetdate + $maxPasswordAge. 
      
      
    • OK, I have put the original version back for now - which should work fine but only against a default password policy.
      
      Need to investigate the issues with Fine Grained Policy - sorry for the inconvenience.
    • OK, I think I may have fixed it.
      
      My error was thinking that "Get-AduserResultantPasswordPolicy $user" would return a value for all users, even those not affected by fine grained passwords.
      
      So, I have added some lines to check for that, and if a FGP is not present to apply the default domain password policy.
      
      That seems to work in my testing now - so I'd be happy to get your comments on that.
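
The checks discussed in the threads above (a missing email address, no fine grained policy returned by Get-ADUserResultantPasswordPolicy, a default max password age of 0, and negative day counts) combined in one function. This is an added example, not the original script or any poster's code. It runs on constructed user objects instead of live AD, and the function name Get-ExpiryNotice and the FgpMaxPasswordAge property are hypothetical.

```powershell
# Added example: decides per user whether an expiry notice should be sent.
# FgpMaxPasswordAge stands in for (Get-ADUserResultantPasswordPolicy $user).MaxPasswordAge,
# which is $null when no fine grained policy (FGP) applies to the user.
function Get-ExpiryNotice {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [TimeSpan] $DefaultMaxPasswordAge,
        [int] $ExpireInDays = 14,
        [datetime] $Today = (Get-Date)
    )
    foreach ($u in $Users) {
        # Fall back to the default domain policy instead of adding $null to a date.
        $maxAge = if ($null -ne $u.FgpMaxPasswordAge) { $u.FgpMaxPasswordAge }
                  else { $DefaultMaxPasswordAge }

        $reason = $null
        if ([string]::IsNullOrWhiteSpace($u.EmailAddress)) { $reason = 'no email address' }
        elseif ($null -eq $u.PasswordLastSet)              { $reason = 'password never set' }
        elseif ($maxAge -eq [TimeSpan]::Zero)              { $reason = 'max password age is 0 (no expiry)' }

        $days = $null
        if (-not $reason) {
            $expiresOn = $u.PasswordLastSet + $maxAge
            $days = (New-TimeSpan -Start $Today -End $expiresOn).Days
            if ($days -lt 0)                 { $reason = 'already expired' }
            elseif ($days -ge $ExpireInDays) { $reason = 'outside notification window' }
        }
        [pscustomobject]@{
            Name = $u.Name; DaysToExpire = $days
            Notify = (-not $reason); SkippedBecause = $reason
        }
    }
}

# Constructed sample: default domain policy has max age 0, FGPs carry the real limits.
$today = [datetime]'2013-12-03'
$fgp90 = New-TimeSpan -Days 90
$fgp30 = New-TimeSpan -Days 30
$users = @(
    [pscustomobject]@{ Name='alice'; EmailAddress='alice@example.test'; PasswordLastSet=$today.AddDays(-80); FgpMaxPasswordAge=$fgp90 }
    [pscustomobject]@{ Name='bob';   EmailAddress=$null;                PasswordLastSet=$today.AddDays(-85); FgpMaxPasswordAge=$fgp90 }
    [pscustomobject]@{ Name='carol'; EmailAddress='carol@example.test'; PasswordLastSet=$today.AddDays(-45); FgpMaxPasswordAge=$fgp30 }
    [pscustomobject]@{ Name='dave';  EmailAddress='dave@example.test';  PasswordLastSet=$today.AddDays(-19); FgpMaxPasswordAge=$null }
)
Get-ExpiryNotice -Users $users -DefaultMaxPasswordAge ([TimeSpan]::Zero) -Today $today |
    Format-Table -AutoSize
```

In this sample only alice is flagged for a notice; dave, who has no FGP and falls under the zero max age default, is the case that produced "-19 days" in the thread above and is skipped here.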
  • Windows Powershell in Windows 2012 and email not arriving
    2 Posts | Last post November 04, 2013
    • Have a test user in my domain and set their expiration date a week out.
      Changed settings as indicated leaving all else:
      $smtpServer="server@bergquistcompany.com"
      $from = "kristinebollinger@bergquistcompany.com"
      $expireindays = 21
      
      I manually pasted the script into Windows Powershell and it ends at 
      >> }
      >>
      
      I do not get an email, but given the expiration is next week this should work?
      
      
    • As per the other question I would rule out issues with using PowerShell to email manually.