Password Expiry Email Notification

Hi ! This script is awesome, I use it in a production enviromnent, but since we are located in Europe we use the dd/MM/YYYY hh:ss date format, and when the script is launched, users get "01/28/2019 19:47:27" - in EN-US it's related to MM/dd/yyy. 
As I run the script in windows 2012 environment my locale is set to EN-US, don't know how to change it:
When I type:
([DateTime]::Now).ToString()

I get

25-01-19 12:00:28

Also in the script itself, I see:

$start = [datetime]::Now 

But don't know how to change the format from MM/dd/yyyy hh:ss to dd/MM/yyy hh:ss

Could you help me please ?

Regards,

Date formatting can be a pain.

You can always set it like this,

$newFormat = get-date -format dd/MM/yyyy

It is worth noting though that if you want to display it to the user in a more familiar way (dd MM yyyy) you really only need to format it at the point of display.

So if you are putting into the email body.. prior to $body set the date variable to the format you want it.

$displayDate = get-date $expiresOn -format "dd/MM/yyyy ss:mm:hh"

$body = "
Hello your password expires on $displayDate"

Hope that helps.

Great ! Thanks for help ! It's working :)

In case someone needs that, I paste here the changed code
---------------------------------------------------------------

# Email Address
    $samAccountName = $user.UserName
    $emailAddress = $user.EmailAddress
    # Set Greeting Message
    #$ExpiryTime=$user.ExpiresOn
    $displayDate = get-date $user.expiresOn -format "dd/MM/yyyy hh:mm"
    $name = $user.Name
    $messageDays = $user.UserMessage
    # Subject Setting
    $subject="Your password will expire $messageDays"
    # Email Body Set Here, Note You can use HTML, including Images.
    # examples here https://youtu.be/iwvQ5tPqgW0 
    $body ="
    <font face=""verdana"">
    Dear $name,
    <p> Your password will expire $messageDays at $displayDate <br>
----------------------------------------------------------------------------

Regards, 

Hello,
Is there a way to add an office location Column to the Password Expiry report? Thanks!

Is that info stored in your AD?

Yes, it is under Office field of the General tab.

OK, so that would be available as $user.Office

After line 199 add this..
$userObj | Add-Member -Type NoteProperty -Name Office -Value $user.Office

I added it, ran it and did not do anything on the report.

what do you get on the report then?

Entries for all those columns and adding the line doesn't change any of this:
Username Name EmailAddress PasswordSet DaysToExpire ExpiresON SendMail

Did you add it before or after this?

# Add userObj to colusers array
    $colUsers += $userObj

After, line 199 is: $samAccountName = $user.UserName

Was that the line you were referring to when you said after line 199?

Just on a new line, after 199 should be ok.

The script works great but I get an error that says "The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated"

What can I do to fix this?  This is O365 AD Hybrid server

I got it working but I did not get an email but the log file says it went through

Check the Exchange Online mail logs.

Okay thanks,

How often do you need to schedule this script to run?

As often as you like.

Hi 

 I have an issue when the emails are not being sent out to users or to test recipient. The log file says ok under send Mail and when I check status in powershell sending Email see below log file output and powershell status. Note testing was enabled for this  

UserMessage	UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail
in 15 days.	John.dow 	John.dow 	John.dow @GG.com	2018-08-06 02:51:22 PM	15	2019-02-02 02:51:22 PM	OK


Sending Email : John.dow : it@GG.com

Check the SMTP logs of your mail server.

Hi
How can we exclude users that have never expiring password without "Neverexpirepassword" enabled? There also get emails now. Should be excluded.

Depends how they have been set with never expiring passwords?

I have OUs with
GPO password expire is 0 never expires. 
And OUs fine grained password policy with 90days expire.

Now the GPO password pol users also receive the email.

Are those users in a group or OU that could be targeted? 

What I have is 
$users = get-aduser -SearchBase "OU=Companies,DC=domain,DC=local" .........

In here I have OUs that have GPO 0 days expire or Fine grained pwd pols.
GPO accounts have like -40 days but they dont expire. Cause of the GPO and checkbox PWD expired in AD is not enabled. These users should be skipped from mailling.

 hide all 

Generalhide
Detailshide
Domain spinware.nl 
Owner SPINWARE\Domain Admins 
Created 25-2-2014 16:13:44 
Modified 24-3-2017 12:08:40 
User Revisions 0 (AD), 0 (SYSVOL) 
Computer Revisions 27 (AD), 27 (SYSVOL) 
Unique ID {31B2F340-016D-11D2-945F-00C04FB984F9} 
GPO Status Enabled 

Linkshide
Location Enforced Link Status Path 
spinware No Enabled spinware.nl 

This list only includes links in the domain of the GPO.
Security Filteringhide
The settings in this GPO can only apply to the following groups, users, and computers:Name 
NT AUTHORITY\Authenticated Users 

Delegationhide
These groups and users have the specified permission for this GPOName Allowed Permissions Inherited 
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No 
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No 
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No 

Computer Configuration (Enabled)hide
Policieshide
Windows Settingshide
OUs with this GPO never expire and dont get the checkbox Expired.

Computer Configuration --> Policies --> Security Settings --> Account Policies/Password Policy --> Policy Setting 
Maximum password age 0 days 
Minimum password age 0 days 

Pasted too much info can you remove last reply of mine :)
thanks

No, im afraid i cannot delete any comments from here, only Microsoft can.

There is a question from October 11, 2018, that explains how to filter out certain OUs.

Whether I run this interactive or as a scheduled task, it is skipping the emails.  In the logfile, under the "SendMail" header, it shows "Skipped - Interval" even for those users that fall into the interval list. I see some users that have 21 and 5 days being skipped.

PowerShell.exe -NoProfile -NoLogo -ExecutionPolicy Bypass -File "C:\temp\PasswordChangeNotification.ps1" -smtpServer <SERVERNAME> -expireInDays 21 -from "<EMAILADDERSS>" -Logging -LogPath "c:\logFiles" -interval 1,2,5,10,15

Without the -interval parameter it sends a message to all users with and expiry of 21 days or less.

When you use the interval, it will only notify people whose date is set in the interval.

 -interval 1,2,5,10,15

Would be users whose password expires in 1, 2, 5, 10 or 15 days exactly.

21 days would be excluded

if someone has a value of 5 days and that is also excluded, that sounds like an error.

Can you share the log file?

In fact I'm having exaclty the same problem. Just started testing this awesome script!
For example, -exireInDays 60 and -interval 1,3,40
I know these are strange numbers, but that is because I'm testing.
The user's password expires in 40 days, but no email is sent.

Log output:
"in 40 days.","testuser","testuser",,"7-1-2019 14:21:51","40","18-2-2019 14:21:51","Skipped - Interval"

Are you also using powershell -file, rather than powershell -command ?

Yes, using -file.
It seems it does not take "1,3,40" as an array. If I use -interval 40 (single value) then it works correctly.

Logfile Output

UserMessage	UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 14:47	15	1/29/2019 14:47	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 9:36	21	2/4/2019 9:36	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 12:52	21	2/4/2019 12:52	Skipped - Interval
in 5 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/21/2018 8:12	5	1/19/2019 8:12	Skipped - Interval
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 15:03	15	1/29/2019 15:03	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 20:44	21	2/4/2019 20:44	Skipped - Interval
in 10 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/26/2018 16:59	10	1/24/2019 16:59	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 15:34	21	2/4/2019 15:34	Skipped - Interval
in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 8:29	21	2/4/2019 8:29	Skipped - Interval
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 14:15	15	1/29/2019 14:15	Skipped - Interval
in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 12:09	15	1/29/2019 12:09	Skipped - Interval

So for now, I am just setting the -expireInDays 15 and letting it setting the mail every day by removing the -interval option.

The problem was with the "-file" parameter. Somehow it does parse an array like "7,3,1".
Now I'm using this commandline which works fine:

powershell -Command PasswordExpiredNotify.ps1 -smtpServer .... -expireInDays 7 -from notify@mail.com -interval 7,3,1

The daysToExpire is not an array, its a string, so we need to split it into an array. Also we compare strings to int.

Go to the section:
        # If using interval parameter - follow this section

Change this:
            # check interval array for expiry days
            if(($interval) -Contains($daysToExpire))

To this:
            # check interval array for expiry days
            if(($interval.split(",")) -Contains($daysToExpire.toString()))

This worked for me.

I of course meant that $interval is not an array, but a string. Doh.

I think that is the case if you use -file rather than -command when launching the script.

Thank you Robert doe the great script. It is working fine for us.

We have a request to add the date and time when the password will expire. 

What do I need to change/add to the script to accomplish this?

Thank you for your work!

You can modify $body to include anything you like.
The date would be stored in $user.expiresOn however if you add that into $body it may not be formatted exactly like you want it to be.
So, like $messageDays you may need to format it in a new variable first.

Thank you I got it. 

Under  #Set Greeting Message 
add: $ExpiryTime = $user.ExpiresOn

Call in the email template.

I have updated variables but script doesn't seem to work.  For examplee:
 [string]$smtpServer = "smtp.ourserver.com",
but when I run the script manually .\script.ps1 I'm getting prompted for smtp, daystoexpired, and a few other items.

What am I doing wrong?

I see examples, note Darren Brinksneader comments were you call PS and pass variables so I'm a little confused.

Any pointers would be greatly appreciated.

Have a look at this video, https://www.youtube.com/watch?v=eLo5sylezA0

Thank you for this great script!
To prevent sending mail to the -reportTo parameter mail address (likely to be IT Support) when there is no user with expiring password within time limits set, I have added an exit when $notifyCount = 0:

...
Write-Output "$notifyCount Users with expiring passwords within $expireInDays Days"
If ($notifyCount -eq 0)
	{	"No users need to be notified, exit script to prevent status mail to IT Support"
		Exit
	}
# Process notifyusers
...

Hi,

I've been using this script for quite some time and is awesome. It's a relief to our Helpdesk Team, but I need to add an attach to the users with some information and I can't figure out the way.

Can you help me?

Thanks

PS: I'm using the Version 2.2 February 2017

Send-MailMessage has a -attachment parameter, you just enter the path of the file you want to attach.

I was putting the command in a wrong place. It's already fixed and working.

Thanks