Password Expiry Email Notification

I have tried several time but not able to use this script properly do you have some video to understand?

https://www.youtube.com/user/robtitlerequired

Yes, all the videos for version 2.

Hello 

I will like to know how to pass parameters to script to send the report file to more then one person. I am using this -reportto FirstEmail@domain.com;SecoundEmail@domain.com  but doesn't work.

Im fairly sure it is a comma separated list that Send-Mailmessage supports, not semi colon. However the parameter is expecting a string, so you may need to enclose your list inside quotes.

-to "recipient1@domain.com,recipient2@domain2.com"

Hi Gary ,
at the bototm pf the script
$reportBody = "Password Expiry Report Attached"
        try{
            Send-Mailmessage -smtpServer $smtpServer -from $from -to $reportTo.Split(",") -subject $reportSubject -body $reportbody -bodyasHTML -priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop 
        }
        catch{
            $errorMessage = $_.Exception.Message
            Write-Output $errorMessage
        }


change $reportTo  to  $reportTo.Split(",")   and add recipients by comma separated values on your task scheduler arguments  like this : 
"C:\scripts\PasswordChangeNotification.ps1 -smtpServer <your.smtp.server> -expireInDays 11 -from 'your@mail.com' -Logging -LogPath 'c:\logFiles'  -reportTo 'rec1@domain.com,rec2d@domain.com,rec3@domain.com' -interval 1,2,5,10"

had the same issue and it is now solved. Robert if possible ammend that for your next version.

Hi I've been able to get the script running explicitly running from powershell itself and have followed the youtube guide for this.

However when I try to execute my script with my custom AD user (everything is hosted on the domain controller) it gives me access denied.

Task Scheduler failed to start instance "{instance id}" of "\Password expiry email"  task for user "domain\passwordreminderuser" . Additional Data: Error Value: 2147942405.

AND

Task Scheduler failed to launch action "C:\Windows\System32\WindowsPowerShell\v1.0\" in instance "{instance id}" of task "\Password expiry email". Additional Data: Error Value: 2147942405.

For my user it didn't matter if I have it set to logon as batch, logon as local service and/or allow logon locally. In addition I added it to domain\administrators Group thinking that might be preventing it from executing Powershell however it does not work.

1) Under general: Run whether user is logged on or not and with Highest priveledges
2) General is set to run with my created passwordreminderuser already with correct password entered.
3) I set the task settings to stop the existing instance of the task if its already running

See imgur album of additional details including script i'm trying to execute

https://imgur.com/a/xJtmcp0

I've tried numerous things such as using my domain admin to execute the script and it keeps failing with the same error, running it as logged on user. Only thing I haven't done yet is reboot the server. 

And logs of course do not save when using task schedule.

Why is there an & at the begining of your command?

Program/Script should just be 'powershell.exe'

Please review, https://www.youtube.com/watch?v=xbzxWOarVuk

Hi thanks for the update and for continually working with users who implement your script.

I've reverted my modifications and now have it matching your syntax. However when I go to execute it, the task completes successfully with the last run result being 0x1

Does the script execute?

Hi yes it works its way through the task scheduler process however when it executes it gives:

Task Scheduler successfully completed task "\Password expirey email" , instance "{54455454-e18d-4a7c-82da-49060c7d08cf}" , action "powershell.exe" with return code 1.

I think I resolved it, looks like it might've been failing to execute due to execution policy settings.

As per: https://stackoverflow.com/questions/13015245/powershell-script-wont-execute-as-a-windows-scheduled-task

-noninteractive -nologo  -Command "&'D:\IT\Scripts\PasswordChangeNotification.ps1' -smtpServer .mail.protection.outlook.com -expireInDays 21 -from 'IT Support <support@domain.com>' -reportTo email@domain.com -interval 1,2,5,10,15 -testing -testrecipient account@clientdomain.com -logging -logPath 'D:\IT\Scripts\Log Files'"

The script works fine. When running from a command via Powershell. But the same via the Task Scheduler won't fire the e-mail. And it does domething since the log file is updated. It's just the mail that is not being send as soon as I start it up via the Scheduler.

Should I use -Command or -File ?

-File "C:\admin\PasswordChangeNotification.ps1" -expireInDays 21 -Logging -testing -testRecipient xxx@xxx.com -interval 1,3,7,8

The other parameters are in the PS1. But the default also works the same way. Works via PowerShell, also Scheduler, except the mail.

I use -Command.

I get prompted to enter the parameters each time I run. Is there something I am missing?  

  # $smtpServer Enter Your SMTP Server Hostname or IP Address
    [Parameter(Mandatory=$True,Position=0)]
    [ValidateNotNull()]
    [string]$smtpServer= "NSG-EX16.nsgdm.local",
    # Notify Users if Expiry Less than X Days
    [Parameter(Mandatory=$True,Position=1)]
    [ValidateNotNull()]
    [int]$expireInDays = "14",
    # From Address, eg "IT Support <support@domain.com>"
    [Parameter(Mandatory=$True,Position=2)]
    [ValidateNotNull()]
    [string]$from = "NSG-INC Administrator <Administrator@NSG-INC.com",
    [Parameter(Position=3)]
    [switch]$logging,
    # Log File Path
    [Parameter(Position=4)]
    [string]$logPath,
    # Testing Enabled
    [Parameter(Position=5)]
    [switch]$testing ="Enabled",
    # Test Recipient, eg recipient@domain.com
    [Parameter(Position=6)]
    [string]$testRecipient = "lanrmadm@NSG-INC.com",
    # Output more detailed status to console
    [Parameter(Position=7)]
    [switch]$status,
    # Log file recipient
    [Parameter(Position=8)]
    [string]$reportto,
    # Notification Interval
    [Parameter(Position=9)]
    [array]$interval

In a word, yes.
https://www.youtube.com/watch?v=xbzxWOarVuk

So I have watched the video on SMTP Authentication, and I have followed exactly. Generated the SecureString text file and reconfigured the script accordingly. However when I run the command no emails happen. I get this error: 

"Cannot process argument transformation on parameter 'Credential'. Access is denied"

I am not sure what I am doing wrong to get this access denied and where the access is being denied at. Any help is appreciated. 

Thanks!
Jason 

Are you able to create the credential object separately from the script?

$savedString = "<path to saved password>"
$pass = Get-Content $savedString | ConvertTo-SecureString
$username = "my user name"
$cred = New-Object System.Management.Automation.PSCredential($username,$pass)

If you use that, what happens?

@RobertPearman -

I copied that into the script and commented out the original Secure Password section and re-ran as a task and was still presented the same error. I did take the domain name out for some security.

"in 50 days.","Admin","Admin","Admin@MYDOMAIN.com","1/3/2019 9:25:21 AM","50","4/3/2019 9:25:21 AM","Cannot process argument transformation on parameter 'Credential'. Access is denied"

Some other information that might be helpful is that I am running version 2.9 (August 2018) of the script, and that I have done little to no customization to the script other than the Email Body in it. 

One thing that I did notice when I just googled the error before asking in thread here (yes I know Googling isn't always helpful) is that with PowerShell 5.0 and above that the Credential flag works differently or not at all. Maybe that could be a cause? 

Here is my PowerShell version running on Windows Server 2012 R2 is: 

PS C:\Windows\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      14409  1005


If you like Robert, I can share my email with you and we can take this off thread if you prefer and I can share anything needed to help troubleshoot...

https://windowsserveressentials.com/support

Thanks - sent you an email via that direction with mine - look forward to working with you!

For this script , i tried with testing. After testing is done. I want to send it to the end users. So i disabled the Testing. after i ran the script, the email is not sending to the end users, its sending to the test receipt. Please help me. Thank you. 

Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?

foreach ($user in $notifyusers)
{
if(($user.DaysToExpire) -gt 0 )
{
# put the rest of the notification in here
}
}

}

Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?

Negative values usually suggest an issue with the password policy, ie that the user has not changed their password since the policy was applied.

But if you want to avoid negative values in the email notifications, you can add a section to the notification  around like 213, and enclose everything else inside that.

foreach ($user in $notifyusers)
{
if(($user.DaysToExpire) -gt 0 )
{
# put the rest of the notification in here
}
}

}

So the problem is avoiding sending to negative values period.  Right now I have people who set their passwords recently and are still getting notified.  Also looks like line 213 would be in the middle of the message body.  Here is a link to a cap of the log that reflects that behavior: https://1drv.ms/u/s!AoW4K425h7VNh_htcxDi-22cMa7dbQ

Sorry im looking at my development one, not the current version you have.
 
211 # Process notifyusers
212 foreach ($user in $notifyUsers)
213 {

Do you have multiple DCs in your environment? Im wondering if it is running get-aduser against a different DC and getting a different result on the pwdlastset value.

I think to try and troubleshoot that you would need to pick a user who has this issue, then work out what the script is doing at each stage.

$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days 
$user = Get-AdUser troubleUser -properties *
$pwdLastSet = $user.PasswordLastSet
$maxPasswordAge = $defaultMaxPasswordAge
$PasswordPol = (Get-AduserResultantPasswordPolicy $user) 
if (($PasswordPol) -ne $null)
{
$maxPasswordAge = ($PasswordPol).MaxPasswordAge.Days
}
$expireson = $pwdLastSet.AddDays($maxPasswordAge)
$daysToExpire = New-TimeSpan -Start $today -End $Expireson
$expiresOn
$daysToExpire

That should give you the same value the script has when it runs.    

Thanks for the reply, multiple DC's in play.  Will take that new info back to the drawing board.

I would expect that attribute to be fully replicated to all DCs (essentially, or pulled out of a GC etc) and i just compared a couple of multi dc environments and they all appear to show the same dates, still, am interested to hear what you find.

Does this error message indicate the server is not an Admin Server?
The script works perfectly, but my output log indicates "Unable to connect to the remote server". Nor am I receiving the test email. 

Could you please help?

Thank you!

Looks like an invalid SMTP server address.