Password Expiry Email Notification

The script works great but I get an error that says "The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated"

What can I do to fix this?  This is O365 AD Hybrid server

I got it working but I did not get an email but the log file says it went through

Check the Exchange Online mail logs.

Okay thanks,

How often do you need to schedule this script to run?

As often as you like.

Hi 

 I have an issue when the emails are not being sent out to users or to test recipient. The log file says ok under send Mail and when I check status in powershell sending Email see below log file output and powershell status. Note testing was enabled for this  

UserMessage	UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail
in 15 days.	John.dow 	John.dow 	John.dow @GG.com	2018-08-06 02:51:22 PM	15	2019-02-02 02:51:22 PM	OK


Sending Email : John.dow : it@GG.com

Check the SMTP logs of your mail server.

Hi
How can we exclude users that have never expiring password without "Neverexpirepassword" enabled? There also get emails now. Should be excluded.

Depends how they have been set with never expiring passwords?

I have OUs with
GPO password expire is 0 never expires. 
And OUs fine grained password policy with 90days expire.

Now the GPO password pol users also receive the email.

Are those users in a group or OU that could be targeted? 

What I have is 
$users = get-aduser -SearchBase "OU=Companies,DC=domain,DC=local" .........

In here I have OUs that have GPO 0 days expire or Fine grained pwd pols.
GPO accounts have like -40 days but they dont expire. Cause of the GPO and checkbox PWD expired in AD is not enabled. These users should be skipped from mailling.

 hide all 

Generalhide
Detailshide
Domain spinware.nl 
Owner SPINWARE\Domain Admins 
Created 25-2-2014 16:13:44 
Modified 24-3-2017 12:08:40 
User Revisions 0 (AD), 0 (SYSVOL) 
Computer Revisions 27 (AD), 27 (SYSVOL) 
Unique ID {31B2F340-016D-11D2-945F-00C04FB984F9} 
GPO Status Enabled 

Linkshide
Location Enforced Link Status Path 
spinware No Enabled spinware.nl 

This list only includes links in the domain of the GPO.
Security Filteringhide
The settings in this GPO can only apply to the following groups, users, and computers:Name 
NT AUTHORITY\Authenticated Users 

Delegationhide
These groups and users have the specified permission for this GPOName Allowed Permissions Inherited 
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No 
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No 
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No 

Computer Configuration (Enabled)hide
Policieshide
Windows Settingshide
OUs with this GPO never expire and dont get the checkbox Expired.

Computer Configuration --> Policies --> Security Settings --> Account Policies/Password Policy --> Policy Setting 
Maximum password age 0 days 
Minimum password age 0 days 

Pasted too much info can you remove last reply of mine :)
thanks

No, im afraid i cannot delete any comments from here, only Microsoft can.

There is a question from October 11, 2018, that explains how to filter out certain OUs.

Whether I run this interactive or as a scheduled task, it is skipping the emails.  In the logfile, under the "SendMail" header, it shows "Skipped - Interval" even for those users that fall into the interval list. I see some users that have 21 and 5 days being skipped.

PowerShell.exe -NoProfile -NoLogo -ExecutionPolicy Bypass -File "C:\temp\PasswordChangeNotification.ps1" -smtpServer <SERVERNAME> -expireInDays 21 -from "<EMAILADDERSS>" -Logging -LogPath "c:\logFiles" -interval 1,2,5,10,15

Without the -interval parameter it sends a message to all users with and expiry of 21 days or less.

When you use the interval, it will only notify people whose date is set in the interval.

 -interval 1,2,5,10,15

Would be users whose password expires in 1, 2, 5, 10 or 15 days exactly.

21 days would be excluded

if someone has a value of 5 days and that is also excluded, that sounds like an error.

Can you share the log file?

In fact I'm having exaclty the same problem. Just started testing this awesome script!
For example, -exireInDays 60 and -interval 1,3,40
I know these are strange numbers, but that is because I'm testing.
The user's password expires in 40 days, but no email is sent.

Log output:
"in 40 days.","testuser","testuser",,"7-1-2019 14:21:51","40","18-2-2019 14:21:51","Skipped - Interval"

Are you also using powershell -file, rather than powershell -command ?

Yes, using -file.
It seems it does not take "1,3,40" as an array. If I use -interval 40 (single value) then it works correctly.

Logfile Output

UserMessage	UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 14:47	15	1/29/2019 14:47	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 9:36	21	2/4/2019 9:36	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 12:52	21	2/4/2019 12:52	Skipped - Interval
in 5 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/21/2018 8:12	5	1/19/2019 8:12	Skipped - Interval
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 15:03	15	1/29/2019 15:03	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 20:44	21	2/4/2019 20:44	Skipped - Interval
in 10 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/26/2018 16:59	10	1/24/2019 16:59	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 15:34	21	2/4/2019 15:34	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 8:29	21	2/4/2019 8:29	Skipped - Interval
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 14:15	15	1/29/2019 14:15	Skipped - Interval
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 12:09	15	1/29/2019 12:09	Skipped - Interval

So for now, I am just setting the -expireInDays 15 and letting it setting the mail every day by removing the -interval option.

The problem was with the "-file" parameter. Somehow it does parse an array like "7,3,1".
Now I'm using this commandline which works fine:

powershell -Command PasswordExpiredNotify.ps1 -smtpServer .... -expireInDays 7 -from notify@mail.com -interval 7,3,1

The daysToExpire is not an array, its a string, so we need to split it into an array. Also we compare strings to int.

Go to the section:
        # If using interval parameter - follow this section

Change this:
            # check interval array for expiry days
            if(($interval) -Contains($daysToExpire))

To this:
            # check interval array for expiry days
            if(($interval.split(",")) -Contains($daysToExpire.toString()))

This worked for me.

I of course meant that $interval is not an array, but a string. Doh.

I think that is the case if you use -file rather than -command when launching the script.

Thank you Robert doe the great script. It is working fine for us.

We have a request to add the date and time when the password will expire. 

What do I need to change/add to the script to accomplish this?

Thank you for your work!

You can modify $body to include anything you like.
The date would be stored in $user.expiresOn however if you add that into $body it may not be formatted exactly like you want it to be.
So, like $messageDays you may need to format it in a new variable first.

Thank you I got it. 

Under  #Set Greeting Message 
add: $ExpiryTime = $user.ExpiresOn

Call in the email template.

I have updated variables but script doesn't seem to work.  For examplee:
 [string]$smtpServer = "smtp.ourserver.com",
but when I run the script manually .\script.ps1 I'm getting prompted for smtp, daystoexpired, and a few other items.

What am I doing wrong?

I see examples, note Darren Brinksneader comments were you call PS and pass variables so I'm a little confused.

Any pointers would be greatly appreciated.

Have a look at this video, https://www.youtube.com/watch?v=eLo5sylezA0

Thank you for this great script!
To prevent sending mail to the -reportTo parameter mail address (likely to be IT Support) when there is no user with expiring password within time limits set, I have added an exit when $notifyCount = 0:

...
Write-Output "$notifyCount Users with expiring passwords within $expireInDays Days"
If ($notifyCount -eq 0)
	{	"No users need to be notified, exit script to prevent status mail to IT Support"
		Exit
	}
# Process notifyusers
...

Hi,

I've been using this script for quite some time and is awesome. It's a relief to our Helpdesk Team, but I need to add an attach to the users with some information and I can't figure out the way.

Can you help me?

Thanks

PS: I'm using the Version 2.2 February 2017

Send-MailMessage has a -attachment parameter, you just enter the path of the file you want to attach.

I was putting the command in a wrong place. It's already fixed and working.

Thanks

Excellent script, thank you so much for all the hard work.  Some suggestions that might improve the functionality.

TCP/Port 587 and STARTTLS:
Some Mail Servers have been locked down to only allow for TCP Port 587.  Additionally, those mail servers may have been hardened to only allow for TLS 1.2.  The Send-MailMessage Powershell command can be adjusted to handle one of these issues - simply add the arguments '-Port 587 -UseSSL' to the Send-MailMessage command and SMTP traffic will attempt to use the STARTTLS option upon connection to the mail server.  

The other have of this problem requires an additional entry added just before making the Send-MailMessage command to force TLS 1.2 instead of the default TLS 1.0:

    [System.Net.ServicePointManager]::SecurityProtocol = 'TLS12' 

Adding that line just before the Send-MailMessage will tell PowerShell to try TLS 1.2 first.

The only other update I would suggest is to allow the script to accept a base search path using the option for 'Get-ADUser -SearchBase' - this will allow limiting the password notification to a specific set of users and not scanning the entire directory.

Again, thanks for the excellent script.

I have planned to add TLS1.2 that in the next version, appreciate the comments.

This runs great when I execute it from powershell.

I'm trying to set it up as a scheduled task using a gmsa, and I'm getting weird results.

It returns a different set of users, and I get a bunch of emails for users that have the never expire flag set. 

Any clue on what could be causing that?

Whats a GSMA?

Group managed service account.

https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

Not seen the issue before - have you delegated permissions to read the users objects?

Just to make sure I set the gmsa as a domain admin, and downloaded a clean copy of the script. 

Returned around 80 users, and it should only be about 6. So, it seems I'm getting the same issue with full control of the domain.

after I did some more playing around, this was a permission issue on the PSO.

I thought I had made sure that was okay but I guess not.

I think I'm all good.

Thanks for your time, Robert!