Password Expiry Email Notification

I get prompted to enter the parameters each time I run. Is there something I am missing?  

  # $smtpServer Enter Your SMTP Server Hostname or IP Address
    [Parameter(Mandatory=$True,Position=0)]
    [ValidateNotNull()]
    [string]$smtpServer= "NSG-EX16.nsgdm.local",
    # Notify Users if Expiry Less than X Days
    [Parameter(Mandatory=$True,Position=1)]
    [ValidateNotNull()]
    [int]$expireInDays = "14",
    # From Address, eg "IT Support <support@domain.com>"
    [Parameter(Mandatory=$True,Position=2)]
    [ValidateNotNull()]
    [string]$from = "NSG-INC Administrator <Administrator@NSG-INC.com",
    [Parameter(Position=3)]
    [switch]$logging,
    # Log File Path
    [Parameter(Position=4)]
    [string]$logPath,
    # Testing Enabled
    [Parameter(Position=5)]
    [switch]$testing ="Enabled",
    # Test Recipient, eg recipient@domain.com
    [Parameter(Position=6)]
    [string]$testRecipient = "lanrmadm@NSG-INC.com",
    # Output more detailed status to console
    [Parameter(Position=7)]
    [switch]$status,
    # Log file recipient
    [Parameter(Position=8)]
    [string]$reportto,
    # Notification Interval
    [Parameter(Position=9)]
    [array]$interval

In a word, yes.
https://www.youtube.com/watch?v=xbzxWOarVuk

So I have watched the video on SMTP Authentication, and I have followed exactly. Generated the SecureString text file and reconfigured the script accordingly. However when I run the command no emails happen. I get this error: 

"Cannot process argument transformation on parameter 'Credential'. Access is denied"

I am not sure what I am doing wrong to get this access denied and where the access is being denied at. Any help is appreciated. 

Thanks!
Jason 

Are you able to create the credential object separately from the script?

$savedString = "<path to saved password>"
$pass = Get-Content $savedString | ConvertTo-SecureString
$username = "my user name"
$cred = New-Object System.Management.Automation.PSCredential($username,$pass)

If you use that, what happens?

@RobertPearman -

I copied that into the script and commented out the original Secure Password section and re-ran as a task and was still presented the same error. I did take the domain name out for some security.

"in 50 days.","Admin","Admin","Admin@MYDOMAIN.com","1/3/2019 9:25:21 AM","50","4/3/2019 9:25:21 AM","Cannot process argument transformation on parameter 'Credential'. Access is denied"

Some other information that might be helpful is that I am running version 2.9 (August 2018) of the script, and that I have done little to no customization to the script other than the Email Body in it. 

One thing that I did notice when I just googled the error before asking in thread here (yes I know Googling isn't always helpful) is that with PowerShell 5.0 and above that the Credential flag works differently or not at all. Maybe that could be a cause? 

Here is my PowerShell version running on Windows Server 2012 R2 is: 

PS C:\Windows\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      14409  1005


If you like Robert, I can share my email with you and we can take this off thread if you prefer and I can share anything needed to help troubleshoot...

https://windowsserveressentials.com/support

Thanks - sent you an email via that direction with mine - look forward to working with you!

For this script , i tried with testing. After testing is done. I want to send it to the end users. So i disabled the Testing. after i ran the script, the email is not sending to the end users, its sending to the test receipt. Please help me. Thank you. 

Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?

foreach ($user in $notifyusers)
{
if(($user.DaysToExpire) -gt 0 )
{
# put the rest of the notification in here
}
}

}

Script is working great, automates out through scheduled task just fine.  Only problem I am having appears to be the output email.  I have it set to begin deliverying notifications 14 days out from expiration.  When looking at the DaysToExpire column in the log it reflects negative numerical values and appears to be delivering "Your password will expire" instead of "Your password will expire in X days".  Whats the best way to go about resolving that?

Negative values usually suggest an issue with the password policy, ie that the user has not changed their password since the policy was applied.

But if you want to avoid negative values in the email notifications, you can add a section to the notification  around like 213, and enclose everything else inside that.

foreach ($user in $notifyusers)
{
if(($user.DaysToExpire) -gt 0 )
{
# put the rest of the notification in here
}
}

}

So the problem is avoiding sending to negative values period.  Right now I have people who set their passwords recently and are still getting notified.  Also looks like line 213 would be in the middle of the message body.  Here is a link to a cap of the log that reflects that behavior: https://1drv.ms/u/s!AoW4K425h7VNh_htcxDi-22cMa7dbQ

Sorry im looking at my development one, not the current version you have.
 
211 # Process notifyusers
212 foreach ($user in $notifyUsers)
213 {

Do you have multiple DCs in your environment? Im wondering if it is running get-aduser against a different DC and getting a different result on the pwdlastset value.

I think to try and troubleshoot that you would need to pick a user who has this issue, then work out what the script is doing at each stage.

$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days 
$user = Get-AdUser troubleUser -properties *
$pwdLastSet = $user.PasswordLastSet
$maxPasswordAge = $defaultMaxPasswordAge
$PasswordPol = (Get-AduserResultantPasswordPolicy $user) 
if (($PasswordPol) -ne $null)
{
$maxPasswordAge = ($PasswordPol).MaxPasswordAge.Days
}
$expireson = $pwdLastSet.AddDays($maxPasswordAge)
$daysToExpire = New-TimeSpan -Start $today -End $Expireson
$expiresOn
$daysToExpire

That should give you the same value the script has when it runs.    

Thanks for the reply, multiple DC's in play.  Will take that new info back to the drawing board.

I would expect that attribute to be fully replicated to all DCs (essentially, or pulled out of a GC etc) and i just compared a couple of multi dc environments and they all appear to show the same dates, still, am interested to hear what you find.

Does this error message indicate the server is not an Admin Server?
The script works perfectly, but my output log indicates "Unable to connect to the remote server". Nor am I receiving the test email. 

Could you please help?

Thank you!

Looks like an invalid SMTP server address.

Hi ! This script is awesome, I use it in a production enviromnent, but since we are located in Europe we use the dd/MM/YYYY hh:ss date format, and when the script is launched, users get "01/28/2019 19:47:27" - in EN-US it's related to MM/dd/yyy. 
As I run the script in windows 2012 environment my locale is set to EN-US, don't know how to change it:
When I type:
([DateTime]::Now).ToString()

I get

25-01-19 12:00:28

Also in the script itself, I see:

$start = [datetime]::Now 

But don't know how to change the format from MM/dd/yyyy hh:ss to dd/MM/yyy hh:ss

Could you help me please ?

Regards,

Date formatting can be a pain.

You can always set it like this,

$newFormat = get-date -format dd/MM/yyyy

It is worth noting though that if you want to display it to the user in a more familiar way (dd MM yyyy) you really only need to format it at the point of display.

So if you are putting into the email body.. prior to $body set the date variable to the format you want it.

$displayDate = get-date $expiresOn -format "dd/MM/yyyy ss:mm:hh"

$body = "
Hello your password expires on $displayDate"

Hope that helps.

Great ! Thanks for help ! It's working :)

In case someone needs that, I paste here the changed code
---------------------------------------------------------------

# Email Address
    $samAccountName = $user.UserName
    $emailAddress = $user.EmailAddress
    # Set Greeting Message
    #$ExpiryTime=$user.ExpiresOn
    $displayDate = get-date $user.expiresOn -format "dd/MM/yyyy hh:mm"
    $name = $user.Name
    $messageDays = $user.UserMessage
    # Subject Setting
    $subject="Your password will expire $messageDays"
    # Email Body Set Here, Note You can use HTML, including Images.
    # examples here https://youtu.be/iwvQ5tPqgW0 
    $body ="
    <font face=""verdana"">
    Dear $name,
    <p> Your password will expire $messageDays at $displayDate <br>
----------------------------------------------------------------------------

Regards, 

Hello,
Is there a way to add an office location Column to the Password Expiry report? Thanks!

Is that info stored in your AD?

Yes, it is under Office field of the General tab.

OK, so that would be available as $user.Office

After line 199 add this..
$userObj | Add-Member -Type NoteProperty -Name Office -Value $user.Office

I added it, ran it and did not do anything on the report.

what do you get on the report then?

Entries for all those columns and adding the line doesn't change any of this:
Username Name EmailAddress PasswordSet DaysToExpire ExpiresON SendMail

Did you add it before or after this?

# Add userObj to colusers array
    $colUsers += $userObj

After, line 199 is: $samAccountName = $user.UserName

Was that the line you were referring to when you said after line 199?

Just on a new line, after 199 should be ok.

The script works great but I get an error that says "The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated"

What can I do to fix this?  This is O365 AD Hybrid server

I got it working but I did not get an email but the log file says it went through

Check the Exchange Online mail logs.

Okay thanks,

How often do you need to schedule this script to run?

As often as you like.

Hi 

 I have an issue when the emails are not being sent out to users or to test recipient. The log file says ok under send Mail and when I check status in powershell sending Email see below log file output and powershell status. Note testing was enabled for this  

UserMessage	UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail
in 15 days.	John.dow 	John.dow 	John.dow @GG.com	2018-08-06 02:51:22 PM	15	2019-02-02 02:51:22 PM	OK


Sending Email : John.dow : it@GG.com

Check the SMTP logs of your mail server.