Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.


  • Getting an error
    5 Posts | Last post November 12, 2013
    • Some emails are being sent without a number of days in them. It is just blank. I get:
      Cannot convert argument "1", with value: "", for "op_Addition" to type "System.
      TimeSpan": "Cannot convert null to type "System.TimeSpan"."
      At C:\scripts\Password Change Notification.ps1:21 char:34
      +   $expireson = $passwordsetdate + <<<<  $maxPasswordAge
          + CategoryInfo          : NotSpecified: (:) [], MethodException
          + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
      New-TimeSpan : Cannot bind parameter 'End' to the target. Exception setting "En
      d": "Object reference not set to an instance of an object."
      At C:\scripts\Password Change Notification.ps1:23 char:51
      +   $daystoexpire = (New-TimeSpan -Start $today -End <<<<  $Expireson).Days
          + CategoryInfo          : WriteError: (:) [New-TimeSpan], ParameterBinding
          + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Comm
      Any ideas?
    • Is it working for some and not others?
      Would be interested to know what is different about the accounts. You can contact me via my blog if you want to work together to solve the problem.
    • I am having this same issue. In fact it looks like all of my users received the email notice due to it not being able to either pull the data from the variables in or not able to calculate the $expireson = $passwordsetdate + $maxPasswordAge. 
    • OK, I have put the original version back for now - which should work fine but only against a default password policy.
      Need to investigate the issues with Fine Grained Policy - sorry for the inconvenience.
    • OK, I think I may have fixed it.
      My error was thinking that "Get-AduserResultantPasswordPolicy $user" would return a value for all users, even those not affected by fine grained passwords.
      So, I have added some lines to check for that, and if a FGP is not present to apply the default domain password policy.
      That seems to work in my testing now - so I'd be happy to get your comments on that.
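
The fallback described in the last reply of this thread, sketched as an added example (not the gallery script's own code): use the fine-grained policy's maximum age when one applies, otherwise the default domain policy, and skip the mail when no day count can be computed. `Get-ExpiryInfo` and the sample accounts are hypothetical and constructed for illustration; the commented lines at the end show where the real ActiveDirectory cmdlets would feed it.

```powershell
# Added example. Get-ExpiryInfo is a hypothetical helper, not part of the original script.
function Get-ExpiryInfo {
    param(
        [string]$Name,
        $PasswordLastSet,            # [datetime], or $null (e.g. must change at next logon)
        $FineGrainedMaxAge,          # [timespan], or $null when no fine-grained policy applies
        [timespan]$DefaultMaxAge,    # MaxPasswordAge of the default domain policy
        [int]$ExpireInDays = 21,
        [datetime]$Today = (Get-Date)
    )
    # Fall back to the default domain policy when no FGP is returned for the user.
    $maxAge = if ($null -ne $FineGrainedMaxAge) { $FineGrainedMaxAge } else { $DefaultMaxAge }
    $days = $null
    if ($null -eq $PasswordLastSet)          { $status = 'NoPasswordLastSet' }
    elseif ($maxAge -eq [timespan]::Zero)    { $status = 'PolicyNeverExpires' }
    else {
        $expiresOn = $PasswordLastSet + $maxAge
        $days      = (New-TimeSpan -Start $Today -End $expiresOn).Days
        $status    = 'OK'
    }
    # Only notify when a day count exists and falls inside the warning window.
    $notify = ($status -eq 'OK') -and ($days -ge 0) -and ($days -le $ExpireInDays)
    New-Object psobject -Property @{
        Name = $Name; Status = $status; DaysToExpire = $days; Notify = $notify
    }
}

# Constructed sample accounts (no domain controller needed to run this part).
$today   = Get-Date '2013-11-12'
$default = New-TimeSpan -Days 42
$samples = @(
    @{ Name = 'default-policy-user'; PasswordLastSet = (Get-Date '2013-10-05'); FineGrainedMaxAge = $null }
    @{ Name = 'fgp-user';            PasswordLastSet = (Get-Date '2013-10-20'); FineGrainedMaxAge = (New-TimeSpan -Days 30) }
    @{ Name = 'never-set-user';      PasswordLastSet = $null;                   FineGrainedMaxAge = $null }
)
foreach ($s in $samples) {
    Get-ExpiryInfo @s -DefaultMaxAge $default -Today $today |
        Select-Object Name, Status, DaysToExpire, Notify
}

# Wiring against a live domain (requires the ActiveDirectory module):
# $default = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
# $fgp     = Get-ADUserResultantPasswordPolicy -Identity $user
# $fgpAge  = if ($fgp) { $fgp.MaxPasswordAge } else { $null }
# Get-ExpiryInfo -Name $user.Name -PasswordLastSet $user.PasswordLastSet `
#                -FineGrainedMaxAge $fgpAge -DefaultMaxAge $default
```
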
  • Windows Powershell in Windows 2012 and email not arriving
    2 Posts | Last post November 04, 2013
    • Have a test user in my domain and set their expiration date a week out.
      Changed settings as indicated leaving all else:
      $from = ""
      $expireindays = 21
      I manually pasted the script into Windows Powershell and it ends at 
      >> }
      I do not get an email, but given the expiration is next week this should work?
    • As per the other question, I would rule out issues with using PowerShell to email manually.
  • Error with SBS 2008
    2 Posts | Last post November 04, 2013
    • I'm trying to use this on an SBS2008 server and when I run it in Task Scheduler, it stays in a run state and does nothing. When running in PowerShell I get the following error:
      Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
      Am I missing something like a feature/role? Under features, I have "Active Directory Domain Controller Tools" installed.
    • SBS 2008 does not have the AD PowerShell module, so you need to have a Server 2008 R2 or better.
  • Simple Question
    2 Posts | Last post October 24, 2013
    • The script works well as is but I need to run it on a specific OU only. When I add the -SearchBase parameter, I get the following error:
      Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
      All I have added is the following:
      $users = get-aduser -filter * -SearchBase "OU=test,DC=UPS,DC=local" -properties * |where {$_.Enabled -eq "True"} | where { $_.PasswordNeverExpires -eq $false } | where { $_.passwordexpired -eq $false } 
      Any help would be greatly appreciated.
    • When I run into issues like that I try to isolate the syntax and run it bit by bit.
      So I would start a new PowerShell window and run:
      get-aduser -filter *
      get-aduser -filter * -properties *
      get-aduser -filter * -properties * -SearchBase "OU=test,DC=UPS,DC=local"
      Try and narrow down where the issue lies.
      You may also find the DN of your OU is not correct.
  • Test Script on 1 user?
    2 Posts | Last post October 24, 2013
    • Hi. How can I alter this script to test on a single user? Or a single OU if that's easier? Thanks!
    • You could amend the $users variable to find a specific user or OU. You can use -SearchBase as an option.
      -SearchBase should be in the format of the distinguished name of the OU you are querying.
      -SearchBase "DC=NA,DC=fabrikam,DC=com"
  • Mails not generating and logs needed
    6 Posts | Last post October 17, 2013
    • Hi
      I have set the Expireindays as 3.
      Assuming that I have scheduled this script to run daily, those users whose password is going to expire in 3 days, on that current date, will get notification. Am I right?
      If yes, then I tested for a few users, but mail has not come in for those whose password will expire in 3 days time.
      Also, is there anywhere I can see to whom all the notifications were sent for that date?
    • It would be anyone whose password expires in 3 days or less (so 3 days, 2 days, 1 day etc)
      I would suggest that the configuration of your mail server holds the key to working out why the emails are not sent.
      I have not put any logging into it particularly, but you could always add " -cc " to be CC'd to any emails that do go out.
    • Sundar, JiJi Password Expiration Notification Tool has all the features you want. You can try that, it's cheap.
    • Can you just email one user?
    • Yes you can amend it to just email one user, if that person should be responsible for letting people know their password expires.
      Just change the $emailaddress variable to the address of the person who should receive the messages.
    • Sundaresan C, regarding logging I added this If statement at the end.
      You will need to create another variable as well as a few other lines seen below before the If starts
      # Create the collection once, before the users are processed
      $AllUsersExpiring = @()
      # Add one line per user whose password is expiring
      $AllUsersExpiring += "$DaystoExpire Days :`t $Name<br>"
      # At the end: sort the list and send it as a single summary mail
      $AllUsersExpiring = $AllUsersExpiring | Sort-Object
      If($AllUsersExpiring.count -gt 0){
      	Send-Mailmessage -smtpServer $smtpServer -from $from -to "","" -subject "Expiring Users" -body "$AllUsersExpiring" -bodyasHTML -priority High
      }