Password Expiry Email Notification

Hi I've been able to get the script running explicitly running from powershell itself and have followed the youtube guide for this.

However when I try to execute my script with my custom AD user (everything is hosted on the domain controller) it gives me access denied.

Task Scheduler failed to start instance "{instance id}" of "\Password expiry email"  task for user "domain\passwordreminderuser" . Additional Data: Error Value: 2147942405.

AND

Task Scheduler failed to launch action "C:\Windows\System32\WindowsPowerShell\v1.0\" in instance "{instance id}" of task "\Password expiry email". Additional Data: Error Value: 2147942405.

For my user it didn't matter if I have it set to logon as batch, logon as local service and/or allow logon locally. In addition I added it to domain\administrators Group thinking that might be preventing it from executing Powershell however it does not work.

1) Under general: Run whether user is logged on or not and with Highest priveledges
2) General is set to run with my created passwordreminderuser already with correct password entered.
3) I set the task settings to stop the existing instance of the task if its already running

See imgur album of additional details including script i'm trying to execute

https://imgur.com/a/xJtmcp0

I've tried numerous things such as using my domain admin to execute the script and it keeps failing with the same error, running it as logged on user. Only thing I haven't done yet is reboot the server. 

And logs of course do not save when using task schedule.

Why is there an & at the begining of your command?

Program/Script should just be 'powershell.exe'

Please review, https://www.youtube.com/watch?v=xbzxWOarVuk

Hi thanks for the update and for continually working with users who implement your script.

I've reverted my modifications and now have it matching your syntax. However when I go to execute it, the task completes successfully with the last run result being 0x1

Does the script execute?

Hi yes it works its way through the task scheduler process however when it executes it gives:

Task Scheduler successfully completed task "\Password expirey email" , instance "{54455454-e18d-4a7c-82da-49060c7d08cf}" , action "powershell.exe" with return code 1.

I think I resolved it, looks like it might've been failing to execute due to execution policy settings.

As per: https://stackoverflow.com/questions/13015245/powershell-script-wont-execute-as-a-windows-scheduled-task

-noninteractive -nologo  -Command "&'D:\IT\Scripts\PasswordChangeNotification.ps1' -smtpServer .mail.protection.outlook.com -expireInDays 21 -from 'IT Support <support@domain.com>' -reportTo email@domain.com -interval 1,2,5,10,15 -testing -testrecipient account@clientdomain.com -logging -logPath 'D:\IT\Scripts\Log Files'"

The script works fine. When running from a command via Powershell. But the same via the Task Scheduler won't fire the e-mail. And it does domething since the log file is updated. It's just the mail that is not being send as soon as I start it up via the Scheduler.

Should I use -Command or -File ?

-File "C:\admin\PasswordChangeNotification.ps1" -expireInDays 21 -Logging -testing -testRecipient xxx@xxx.com -interval 1,3,7,8

The other parameters are in the PS1. But the default also works the same way. Works via PowerShell, also Scheduler, except the mail.

I use -Command.

I get prompted to enter the parameters each time I run. Is there something I am missing?  

  # $smtpServer Enter Your SMTP Server Hostname or IP Address
    [Parameter(Mandatory=$True,Position=0)]
    [ValidateNotNull()]
    [string]$smtpServer= "NSG-EX16.nsgdm.local",
    # Notify Users if Expiry Less than X Days
    [Parameter(Mandatory=$True,Position=1)]
    [ValidateNotNull()]
    [int]$expireInDays = "14",
    # From Address, eg "IT Support <support@domain.com>"
    [Parameter(Mandatory=$True,Position=2)]
    [ValidateNotNull()]
    [string]$from = "NSG-INC Administrator <Administrator@NSG-INC.com",
    [Parameter(Position=3)]
    [switch]$logging,
    # Log File Path
    [Parameter(Position=4)]
    [string]$logPath,
    # Testing Enabled
    [Parameter(Position=5)]
    [switch]$testing ="Enabled",
    # Test Recipient, eg recipient@domain.com
    [Parameter(Position=6)]
    [string]$testRecipient = "lanrmadm@NSG-INC.com",
    # Output more detailed status to console
    [Parameter(Position=7)]
    [switch]$status,
    # Log file recipient
    [Parameter(Position=8)]
    [string]$reportto,
    # Notification Interval
    [Parameter(Position=9)]
    [array]$interval

In a word, yes.
https://www.youtube.com/watch?v=xbzxWOarVuk

So I have watched the video on SMTP Authentication, and I have followed exactly. Generated the SecureString text file and reconfigured the script accordingly. However when I run the command no emails happen. I get this error: 

"Cannot process argument transformation on parameter 'Credential'. Access is denied"

I am not sure what I am doing wrong to get this access denied and where the access is being denied at. Any help is appreciated. 

Thanks!
Jason 

Are you able to create the credential object separately from the script?

$savedString = "<path to saved password>"
$pass = Get-Content $savedString | ConvertTo-SecureString
$username = "my user name"
$cred = New-Object System.Management.Automation.PSCredential($username,$pass)

If you use that, what happens?

@RobertPearman -

I copied that into the script and commented out the original Secure Password section and re-ran as a task and was still presented the same error. I did take the domain name out for some security.

"in 50 days.","Admin","Admin","Admin@MYDOMAIN.com","1/3/2019 9:25:21 AM","50","4/3/2019 9:25:21 AM","Cannot process argument transformation on parameter 'Credential'. Access is denied"

Some other information that might be helpful is that I am running version 2.9 (August 2018) of the script, and that I have done little to no customization to the script other than the Email Body in it. 

One thing that I did notice when I just googled the error before asking in thread here (yes I know Googling isn't always helpful) is that with PowerShell 5.0 and above that the Credential flag works differently or not at all. Maybe that could be a cause? 

Here is my PowerShell version running on Windows Server 2012 R2 is: 

PS C:\Windows\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      14409  1005


If you like Robert, I can share my email with you and we can take this off thread if you prefer and I can share anything needed to help troubleshoot...

https://windowsserveressentials.com/support

Thanks - sent you an email via that direction with mine - look forward to working with you!

For this script , i tried with testing. After testing is done. I want to send it to the end users. So i disabled the Testing. after i ran the script, the email is not sending to the end users, its sending to the test receipt. Please help me. Thank you. 

Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?

foreach ($user in $notifyusers)
{
if(($user.DaysToExpire) -gt 0 )
{
# put the rest of the notification in here
}
}

}

Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?

Negative values usually suggest an issue with the password policy, ie that the user has not changed their password since the policy was applied.

But if you want to avoid negative values in the email notifications, you can add a section to the notification  around like 213, and enclose everything else inside that.

foreach ($user in $notifyusers)
{
if(($user.DaysToExpire) -gt 0 )
{
# put the rest of the notification in here
}
}

}

So the problem is avoiding sending to negative values period.  Right now I have people who set their passwords recently and are still getting notified.  Also looks like line 213 would be in the middle of the message body.  Here is a link to a cap of the log that reflects that behavior: https://1drv.ms/u/s!AoW4K425h7VNh_htcxDi-22cMa7dbQ

Sorry im looking at my development one, not the current version you have.
 
211 # Process notifyusers
212 foreach ($user in $notifyUsers)
213 {

Do you have multiple DCs in your environment? Im wondering if it is running get-aduser against a different DC and getting a different result on the pwdlastset value.

I think to try and troubleshoot that you would need to pick a user who has this issue, then work out what the script is doing at each stage.

$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days 
$user = Get-AdUser troubleUser -properties *
$pwdLastSet = $user.PasswordLastSet
$maxPasswordAge = $defaultMaxPasswordAge
$PasswordPol = (Get-AduserResultantPasswordPolicy $user) 
if (($PasswordPol) -ne $null)
{
$maxPasswordAge = ($PasswordPol).MaxPasswordAge.Days
}
$expireson = $pwdLastSet.AddDays($maxPasswordAge)
$daysToExpire = New-TimeSpan -Start $today -End $Expireson
$expiresOn
$daysToExpire

That should give you the same value the script has when it runs.    

Thanks for the reply, multiple DC's in play.  Will take that new info back to the drawing board.

I would expect that attribute to be fully replicated to all DCs (essentially, or pulled out of a GC etc) and i just compared a couple of multi dc environments and they all appear to show the same dates, still, am interested to hear what you find.

Does this error message indicate the server is not an Admin Server?
The script works perfectly, but my output log indicates "Unable to connect to the remote server". Nor am I receiving the test email. 

Could you please help?

Thank you!

Looks like an invalid SMTP server address.

Hi ! This script is awesome, I use it in a production enviromnent, but since we are located in Europe we use the dd/MM/YYYY hh:ss date format, and when the script is launched, users get "01/28/2019 19:47:27" - in EN-US it's related to MM/dd/yyy. 
As I run the script in windows 2012 environment my locale is set to EN-US, don't know how to change it:
When I type:
([DateTime]::Now).ToString()

I get

25-01-19 12:00:28

Also in the script itself, I see:

$start = [datetime]::Now 

But don't know how to change the format from MM/dd/yyyy hh:ss to dd/MM/yyy hh:ss

Could you help me please ?

Regards,

Date formatting can be a pain.

You can always set it like this,

$newFormat = get-date -format dd/MM/yyyy

It is worth noting though that if you want to display it to the user in a more familiar way (dd MM yyyy) you really only need to format it at the point of display.

So if you are putting into the email body.. prior to $body set the date variable to the format you want it.

$displayDate = get-date $expiresOn -format "dd/MM/yyyy ss:mm:hh"

$body = "
Hello your password expires on $displayDate"

Hope that helps.

Great ! Thanks for help ! It's working :)

In case someone needs that, I paste here the changed code
---------------------------------------------------------------

# Email Address
    $samAccountName = $user.UserName
    $emailAddress = $user.EmailAddress
    # Set Greeting Message
    #$ExpiryTime=$user.ExpiresOn
    $displayDate = get-date $user.expiresOn -format "dd/MM/yyyy hh:mm"
    $name = $user.Name
    $messageDays = $user.UserMessage
    # Subject Setting
    $subject="Your password will expire $messageDays"
    # Email Body Set Here, Note You can use HTML, including Images.
    # examples here https://youtu.be/iwvQ5tPqgW0 
    $body ="
    <font face=""verdana"">
    Dear $name,
    <p> Your password will expire $messageDays at $displayDate <br>
----------------------------------------------------------------------------

Regards, 

Hello,
Is there a way to add an office location Column to the Password Expiry report? Thanks!

Is that info stored in your AD?

Yes, it is under Office field of the General tab.

OK, so that would be available as $user.Office

After line 199 add this..
$userObj | Add-Member -Type NoteProperty -Name Office -Value $user.Office

I added it, ran it and did not do anything on the report.

what do you get on the report then?

Entries for all those columns and adding the line doesn't change any of this:
Username Name EmailAddress PasswordSet DaysToExpire ExpiresON SendMail

Did you add it before or after this?

# Add userObj to colusers array
    $colUsers += $userObj

After, line 199 is: $samAccountName = $user.UserName

Was that the line you were referring to when you said after line 199?

Just on a new line, after 199 should be ok.