Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

 
 
 
 
 
4.6 Star
(153)
80,463 times
Add to favorites
Active Directory
8/7/2018
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • Task scheduler Access Denied
    6 Posts | Last post February 28, 2019
    • Hi I've been able to get the script running explicitly running from powershell itself and have followed the youtube guide for this.
      
      However when I try to execute my script with my custom AD user (everything is hosted on the domain controller) it gives me access denied.
      
      Task Scheduler failed to start instance "{instance id}" of "\Password expiry email"  task for user "domain\passwordreminderuser" . Additional Data: Error Value: 2147942405.
      
      AND
      
      Task Scheduler failed to launch action "C:\Windows\System32\WindowsPowerShell\v1.0\" in instance "{instance id}" of task "\Password expiry email". Additional Data: Error Value: 2147942405.
      
      For my user it didn't matter if I have it set to logon as batch, logon as local service and/or allow logon locally. In addition I added it to domain\administrators Group thinking that might be preventing it from executing Powershell however it does not work.
      
      1) Under general: Run whether user is logged on or not and with Highest priveledges
      2) General is set to run with my created passwordreminderuser already with correct password entered.
      3) I set the task settings to stop the existing instance of the task if its already running
      
      See imgur album of additional details including script i'm trying to execute
      
      https://imgur.com/a/xJtmcp0
      
      I've tried numerous things such as using my domain admin to execute the script and it keeps failing with the same error, running it as logged on user. Only thing I haven't done yet is reboot the server. 
      
      And logs of course do not save when using task schedule.
      
    • Why is there an & at the begining of your command?
      
      Program/Script should just be 'powershell.exe'
      
      Please review, https://www.youtube.com/watch?v=xbzxWOarVuk
    • Hi thanks for the update and for continually working with users who implement your script.
      
      I've reverted my modifications and now have it matching your syntax. However when I go to execute it, the task completes successfully with the last run result being 0x1
    • Does the script execute?
    • Hi yes it works its way through the task scheduler process however when it executes it gives:
      
      Task Scheduler successfully completed task "\Password expirey email" , instance "{54455454-e18d-4a7c-82da-49060c7d08cf}" , action "powershell.exe" with return code 1.
    • I think I resolved it, looks like it might've been failing to execute due to execution policy settings.
      
      As per: https://stackoverflow.com/questions/13015245/powershell-script-wont-execute-as-a-windows-scheduled-task
      
      -noninteractive -nologo  -Command "&'D:\IT\Scripts\PasswordChangeNotification.ps1' -smtpServer .mail.protection.outlook.com -expireInDays 21 -from 'IT Support <support@domain.com>' -reportTo email@domain.com -interval 1,2,5,10,15 -testing -testrecipient account@clientdomain.com -logging -logPath 'D:\IT\Scripts\Log Files'"
  • Mail not working via Task Scheduler
    2 Posts | Last post February 22, 2019
    • The script works fine. When running from a command via Powershell. But the same via the Task Scheduler won't fire the e-mail. And it does domething since the log file is updated. It's just the mail that is not being send as soon as I start it up via the Scheduler.
      
      Should I use -Command or -File ?
      
      -File "C:\admin\PasswordChangeNotification.ps1" -expireInDays 21 -Logging -testing -testRecipient xxx@xxx.com -interval 1,3,7,8
      
      The other parameters are in the PS1. But the default also works the same way. Works via PowerShell, also Scheduler, except the mail.
    • I use -Command.
      
      
  • Prompted for Inputs each time I run
    2 Posts | Last post February 22, 2019
    • I get prompted to enter the parameters each time I run. Is there something I am missing?  
      
        # $smtpServer Enter Your SMTP Server Hostname or IP Address
          [Parameter(Mandatory=$True,Position=0)]
          [ValidateNotNull()]
          [string]$smtpServer= "NSG-EX16.nsgdm.local",
          # Notify Users if Expiry Less than X Days
          [Parameter(Mandatory=$True,Position=1)]
          [ValidateNotNull()]
          [int]$expireInDays = "14",
          # From Address, eg "IT Support <support@domain.com>"
          [Parameter(Mandatory=$True,Position=2)]
          [ValidateNotNull()]
          [string]$from = "NSG-INC Administrator <Administrator@NSG-INC.com",
          [Parameter(Position=3)]
          [switch]$logging,
          # Log File Path
          [Parameter(Position=4)]
          [string]$logPath,
          # Testing Enabled
          [Parameter(Position=5)]
          [switch]$testing ="Enabled",
          # Test Recipient, eg recipient@domain.com
          [Parameter(Position=6)]
          [string]$testRecipient = "lanrmadm@NSG-INC.com",
          # Output more detailed status to console
          [Parameter(Position=7)]
          [switch]$status,
          # Log file recipient
          [Parameter(Position=8)]
          [string]$reportto,
          # Notification Interval
          [Parameter(Position=9)]
          [array]$interval
    • In a word, yes.
      https://www.youtube.com/watch?v=xbzxWOarVuk
  • Trying to do SMTP Authentication - Log shows error
    5 Posts | Last post February 13, 2019
    • So I have watched the video on SMTP Authentication, and I have followed exactly. Generated the SecureString text file and reconfigured the script accordingly. However when I run the command no emails happen. I get this error: 
      
      "Cannot process argument transformation on parameter 'Credential'. Access is denied"
      
      I am not sure what I am doing wrong to get this access denied and where the access is being denied at. Any help is appreciated. 
      
      Thanks!
      Jason 
    • Are you able to create the credential object separately from the script?
      
      $savedString = "<path to saved password>"
      $pass = Get-Content $savedString | ConvertTo-SecureString
      $username = "my user name"
      $cred = New-Object System.Management.Automation.PSCredential($username,$pass)
      
      If you use that, what happens?
    • @RobertPearman -
      
      I copied that into the script and commented out the original Secure Password section and re-ran as a task and was still presented the same error. I did take the domain name out for some security.
      
      "in 50 days.","Admin","Admin","Admin@MYDOMAIN.com","1/3/2019 9:25:21 AM","50","4/3/2019 9:25:21 AM","Cannot process argument transformation on parameter 'Credential'. Access is denied"
      
      Some other information that might be helpful is that I am running version 2.9 (August 2018) of the script, and that I have done little to no customization to the script other than the Email Body in it. 
      
      One thing that I did notice when I just googled the error before asking in thread here (yes I know Googling isn't always helpful) is that with PowerShell 5.0 and above that the Credential flag works differently or not at all. Maybe that could be a cause? 
      
      Here is my PowerShell version running on Windows Server 2012 R2 is: 
      
      PS C:\Windows\system32> $PSVersionTable.PSVersion
      
      Major  Minor  Build  Revision
      -----  -----  -----  --------
      5      1      14409  1005
      
      
      If you like Robert, I can share my email with you and we can take this off thread if you prefer and I can share anything needed to help troubleshoot...
    • https://windowsserveressentials.com/support
    • Thanks - sent you an email via that direction with mine - look forward to working with you!
  • Email is Sending to Test Receipt only, not for the end users
    1 Posts | Last post February 11, 2019
    • For this script , i tried with testing. After testing is done. I want to send it to the end users. So i disabled the Testing. after i ran the script, the email is not sending to the end users, its sending to the test receipt. Please help me. Thank you. 
  • How to resolve
    2 Posts | Last post February 11, 2019
    • Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?
    • foreach ($user in $notifyusers)
      {
      if(($user.DaysToExpire) -gt 0 )
      {
      # put the rest of the notification in here
      }
      }
      
      }
  • Emails Being Delivered Regardless of Date Range
    6 Posts | Last post February 08, 2019
    • Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?
    • Negative values usually suggest an issue with the password policy, ie that the user has not changed their password since the policy was applied.
      
      But if you want to avoid negative values in the email notifications, you can add a section to the notification  around like 213, and enclose everything else inside that.
      
      foreach ($user in $notifyusers)
      {
      if(($user.DaysToExpire) -gt 0 )
      {
      # put the rest of the notification in here
      }
      }
      
      }
    • So the problem is avoiding sending to negative values period.  Right now I have people who set their passwords recently and are still getting notified.  Also looks like line 213 would be in the middle of the message body.  Here is a link to a cap of the log that reflects that behavior: https://1drv.ms/u/s!AoW4K425h7VNh_htcxDi-22cMa7dbQ
    • Sorry im looking at my development one, not the current version you have.
       
      211 # Process notifyusers
      212 foreach ($user in $notifyUsers)
      213 {
      
      Do you have multiple DCs in your environment? Im wondering if it is running get-aduser against a different DC and getting a different result on the pwdlastset value.
      
      I think to try and troubleshoot that you would need to pick a user who has this issue, then work out what the script is doing at each stage.
      
      $defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days 
      $user = Get-AdUser troubleUser -properties *
      $pwdLastSet = $user.PasswordLastSet
      $maxPasswordAge = $defaultMaxPasswordAge
      $PasswordPol = (Get-AduserResultantPasswordPolicy $user) 
      if (($PasswordPol) -ne $null)
      {
      $maxPasswordAge = ($PasswordPol).MaxPasswordAge.Days
      }
      $expireson = $pwdLastSet.AddDays($maxPasswordAge)
      $daysToExpire = New-TimeSpan -Start $today -End $Expireson
      $expiresOn
      $daysToExpire
      
      That should give you the same value the script has when it runs.    
    • Thanks for the reply, multiple DC's in play.  Will take that new info back to the drawing board.
    • I would expect that attribute to be fully replicated to all DCs (essentially, or pulled out of a GC etc) and i just compared a couple of multi dc environments and they all appear to show the same dates, still, am interested to hear what you find.
  • I get this error."Unable to connect to the remote server"
    2 Posts | Last post February 04, 2019
    • Does this error message indicate the server is not an Admin Server?
      The script works perfectly, but my output log indicates "Unable to connect to the remote server". Nor am I receiving the test email. 
      
      Could you please help?
      
      Thank you!
    • Looks like an invalid SMTP server address.
  • can't change date format
    3 Posts | Last post January 28, 2019
    • Hi ! This script is awesome, I use it in a production enviromnent, but since we are located in Europe we use the dd/MM/YYYY hh:ss date format, and when the script is launched, users get "01/28/2019 19:47:27" - in EN-US it's related to MM/dd/yyy. 
      As I run the script in windows 2012 environment my locale is set to EN-US, don't know how to change it:
      When I type:
      ([DateTime]::Now).ToString()
      
      I get
      
      25-01-19 12:00:28
      
      Also in the script itself, I see:
      
      $start = [datetime]::Now 
      
      But don't know how to change the format from MM/dd/yyyy hh:ss to dd/MM/yyy hh:ss
      
      Could you help me please ?
      
      Regards,
      
      
    • Date formatting can be a pain.
      
      You can always set it like this,
      
      $newFormat = get-date -format dd/MM/yyyy
      
      It is worth noting though that if you want to display it to the user in a more familiar way (dd MM yyyy) you really only need to format it at the point of display.
      
      So if you are putting into the email body.. prior to $body set the date variable to the format you want it.
      
      $displayDate = get-date $expiresOn -format "dd/MM/yyyy ss:mm:hh"
      
      $body = "
      Hello your password expires on $displayDate"
      
      Hope that helps.
    • Great ! Thanks for help ! It's working :)
      
      In case someone needs that, I paste here the changed code
      ---------------------------------------------------------------
      
      # Email Address
          $samAccountName = $user.UserName
          $emailAddress = $user.EmailAddress
          # Set Greeting Message
          #$ExpiryTime=$user.ExpiresOn
          $displayDate = get-date $user.expiresOn -format "dd/MM/yyyy hh:mm"
          $name = $user.Name
          $messageDays = $user.UserMessage
          # Subject Setting
          $subject="Your password will expire $messageDays"
          # Email Body Set Here, Note You can use HTML, including Images.
          # examples here https://youtu.be/iwvQ5tPqgW0 
          $body ="
          <font face=""verdana"">
          Dear $name,
          <p> Your password will expire $messageDays at $displayDate <br>
      ----------------------------------------------------------------------------
      
      Regards, 
  • Office Location to Report
    11 Posts | Last post January 25, 2019
    • Hello,
      Is there a way to add an office location Column to the Password Expiry report? Thanks!
    • Is that info stored in your AD?
    • Yes, it is under Office field of the General tab.
    • OK, so that would be available as $user.Office
      
      After line 199 add this..
      $userObj | Add-Member -Type NoteProperty -Name Office -Value $user.Office
    • I added it, ran it and did not do anything on the report.
    • what do you get on the report then?
    • Entries for all those columns and adding the line doesn't change any of this:
      Username Name EmailAddress PasswordSet DaysToExpire ExpiresON SendMail
    • Did you add it before or after this?
      
      # Add userObj to colusers array
          $colUsers += $userObj
    • After, line 199 is: $samAccountName = $user.UserName
    • Was that the line you were referring to when you said after line 199?
    • Just on a new line, after 199 should be ok.
51 - 60 of 534 Items