Password Expiry Email Notification

This script emails a user when their password is due to expire in X days.


  • Suggested Updates
    2 Posts | Last post December 18, 2018
    • Excellent script, thank you so much for all the hard work.  Some suggestions that might improve the functionality.
      TCP/Port 587 and STARTTLS:
      Some mail servers have been locked down to only allow TCP port 587.  Additionally, those mail servers may have been hardened to only allow TLS 1.2.  The Send-MailMessage PowerShell command can be adjusted to handle one of these issues - simply add the arguments '-Port 587 -UseSSL' to the Send-MailMessage command and SMTP traffic will attempt to use the STARTTLS option upon connection to the mail server.  
      The other half of this problem requires an additional entry added just before making the Send-MailMessage command to force TLS 1.2 instead of the default TLS 1.0:
          [System.Net.ServicePointManager]::SecurityProtocol = 'TLS12' 
      Adding that line just before the Send-MailMessage will tell PowerShell to try TLS 1.2 first.
      The only other update I would suggest is to allow the script to accept a base search path using the option for 'Get-ADUser -SearchBase' - this will allow limiting the password notification to a specific set of users and not scanning the entire directory.
      Again, thanks for the excellent script.
    • I have planned to add TLS 1.2 in the next version, appreciate the comments.
  • Scheduled task not working correctly.
    6 Posts | Last post December 18, 2018
    • This runs great when I execute it from powershell.
      I'm trying to set it up as a scheduled task using a gmsa, and I'm getting weird results.
      It returns a different set of users, and I get a bunch of emails for users that have the never expire flag set. 
      Any clue on what could be causing that?
    • What's a GMSA?
    • Group managed service account.
    • Not seen the issue before - have you delegated permissions to read the users objects?
    • Just to make sure I set the gmsa as a domain admin, and downloaded a clean copy of the script. 
      Returned around 80 users, and it should only be about 6. So, it seems I'm getting the same issue with full control of the domain.
    • After I did some more playing around, this was a permission issue on the PSO.
      I thought I had made sure that was okay but I guess not.
      I think I'm all good.
      Thanks for your time, Robert! 
  • Keep sending email to expired accounts
    2 Posts | Last post December 12, 2018
    • Is there a way to configure the script so it will continue to send emails even after the password has already expired (so days to expire is in the negatives)?
      Obviously the fact that the account has an expired password and is able to remain in that state without it changing is an issue of its own, however before we can make the change I was hoping to setup some 'nagging' for users to change their passwords.
    • Once it has expired a user would not be able to login, so the system would nag them itself.
  • only 10 email sent
    4 Posts | Last post December 11, 2018
    • I'm testing the script; in the log it is reported that 17 users are notified, but only for the first 10 entries in the log do I receive an email.
    • What does the console show if you run it manually, are you using -interval?
    • Hi Robert, 
      At the moment there are 15 expiring passwords.
      If I use -interval 1,2,3,...,21 I receive all the expected emails.
      If I don't use it, only ten are sent.
      No differences in the console output between the two commands (apart from the selected intervals, obviously).
      If I use the -status switch (without -interval) it reports that all 15 emails are sent.
    • I found the problem.. sorry, it's my email server that refuses connections when sending more than ten emails together.
  • Fine Grained Password Policies
    5 Posts | Last post November 29, 2018
    • Hello,
      Hi Robert, 
      It looks like it doesn't work when using Fine Grained Password Policies.
      I get the error message:
      Get-AduserResultantPasswordPolicy : Impossible de trouver un objet avec l'identité «
      CN=PWD_DURCIE_AVEC_RENOUV_AUTO,CN=Password Settings Container,CN=System,DC=xxx,DC=xxx» sous: «DC=xxx,DC=xxx».
      Au caractère C:\scripts\Notification_expiration_pwd.ps1:153 : 21
      for each account.
      Is there something to do to make it work?
      Thanks for your help.
    • Is it possible this is a language issue?
      The script is just using the Get-ADUserResultantPasswordPolicy cmdlet; it has worked fine in my testing of FGP.
      What version of the script are you using - my line 153 is above the FGP section.
    • I'm using version: Version 2.9 August 2018
      Line 153 : $PasswordPol = (Get-AduserResultantPasswordPolicy $user) 
    • OK, that's fine.
      If you run that command in a normal PS window, what result do you get?
    • I ran the script on another PC, and it works fine.
      I don't understand why... but the most important thing is: it's OK!
      Thanks for your help
  • Scheduled Task Error
    2 Posts | Last post November 28, 2018
    • Hey Everyone,
      I'm trying to set this up as a scheduled task however it's not running.  I can c/p the code into a normal PS prompt and I keep getting: The '<' operator is reserved for future use.
      It's flagging on the from argument with the IT Support <>
      Any ideas?
    • That should be in quotes.
  • Powershell Script - Assigning Values
    2 Posts | Last post November 27, 2018
    • Hey Everyone,
      I'm testing out this script and I'm having issues assigning values to these variables below from inside the script. Could anyone let me know where this needs to go inside the script so I don't get prompted for the values when the PowerShell script runs? 
      Thank you!
    • You don't set them inside the script (ideally).
      You set them as parameters:
      .\myscript.ps1 -smtpserver xxxx -expireindays xx -interval 1,2,3
  • Include and exclude multiple OUs
    2 Posts | Last post November 27, 2018
    • Hi,
      Let's say that I have 20 different OUs with users but I only want to send the email notification to users in 9 of them. What's the easiest way to do that?
      Thanks for your help
    • Does that mean you don't want to check the other OUs at all? Or do you want those logged but not emailed?
  • Issues with Task Scheduler
    7 Posts | Last post November 20, 2018
    • Hi, I am trying to get this to work on one of our customers' systems and I have managed to run the script manually, however I can't seem to automate it via Task Scheduler. I have followed your video, applied the delegation to the OU etc.
      This is my current setup for the task:
      Start a program: Powershell.exe
      Arguments: -command "'C:\PS\PasswordChangeNotification.ps1' -smtpServer -expireInDays 4 -from 'Administrator <>' -logging -logPath 'C:\PS\Log Files' -testing $true -testRecipient"
      It's set to expire in 4 days during testing and I've tried it with and without $true after testing.
      If I try to run it manually, it says the job completes in the task scheduler, but no emails are sent to the test account and nor is a log file created.
      Any ideas?
    • Can you try it like this instead:
      'C:\PS\PasswordChangeNotification.ps1 -smtpServer -expireInDays 4 -from "Administrator <>" -logging -logPath "C:\PS\Log Files" -testing -testRecipient'
    • Hi, I've put in the above within the arguments but sadly still no emails sending/log file.
      I'm not sure if this makes a difference but I'm using Server 2012 R2 and using the built in domain administrator account.
    • Load an elevated CMD. 
      Then run powershell.exe -command 'C:\PS\PasswordChangeNotification.ps1 -smtpServer -expireInDays 4 -from "Administrator <>" -logging -logPath "C:\PS\Log Files" -testing -testRecipient'
      What happens?
    • Hi, I ran from an elevated CMD and this is what I get:
      The first time I put the entire syntax in and after pressing enter, it doubles it as you can see from the screenshot like it's ran the command but no output results.
      I then loaded the powershell first and tried running it, but mentions that -Command is incorrect.
      Finally I removed the -command and after pressing enter, it doubles the syntax like the command has happened without error but still no output result. It's bizarre.
      I know it works because I've run it via Powershell ISE which then asks me for the SMTP server, who to send it from and expiry days. 
      Just to double check, once I downloaded the script, I just leave it within the folder and I don't need to make any changes in the script as that's what the arguments are for?
      Sorry, very new to PowerShell so learning as I go along!
    • You may need to right click the file downloaded, go to properties and unblock it.
      -command would be incorrect at that point because you have already loaded PowerShell.
      Using Powershell.exe -command "..." tells powershell to load, and what command to execute.
      If you are already in PowerShell you can substitute -command for .\ which tells PowerShell to execute the file.
      Ideally you would navigate to that folder before launching the command.
      cd c:\ps <enter>
      .\PasswordChangeNotification.ps1 -etcetc
    • I solved it by running directly, without the "-command" flag. The action ends up like this:
      powershell.exe C:\\PasswordChangeNotification.ps1 -expireInDays 7 -logging -logPath C:\Scripts\ -testing -testRecipient -status
      (I didn't specify some because I set them inside the script)
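The quoting trouble in this thread comes from pushing the whole command line through -command. Below is an added example, not the script author's own code, that registers the task with -File and quoted argument values; the script path, SMTP host, addresses, log folder and service account are assumed placeholders.

```powershell
# Added example, not part of the original script: register the notification script as a
# scheduled task. Every path, host name, address and account below is an assumed placeholder.
$scriptPath = 'C:\PS\PasswordChangeNotification.ps1'

# A downloaded .ps1 is marked as coming from the Internet and is refused under the
# RemoteSigned execution policy; clearing that mark is the "unblock" step mentioned above.
Unblock-File -Path $scriptPath

# Use -File rather than -command: each value is passed as its own argument, so the
# angle brackets in the sender address only need ordinary quotes, and switch parameters
# such as -logging and -testing are given without a value.
$argumentList = @(
    '-NoProfile'
    '-ExecutionPolicy', 'Bypass'
    '-File', ('"{0}"' -f $scriptPath)
    '-smtpServer', 'smtp.example.local'
    '-expireInDays', '14'
    '-from', '"IT Support <it-support@example.local>"'  # quotes protect the < and >
    '-logging'
    '-logPath', '"C:\PS\Log Files"'                    # quotes protect the space
    '-testing'
    '-testRecipient', 'it-support@example.local'
) -join ' '

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argumentList
$trigger = New-ScheduledTaskTrigger -Daily -At '07:00'

# Run as a group managed service account (the gMSA$ form); Task Scheduler fetches its
# password itself, so no credential is stored in the task. The account still needs
# read access to the user objects and to any password settings objects (PSOs) that apply.
$principal = New-ScheduledTaskPrincipal -UserId 'EXAMPLE\svc_pwnotify$' `
                                        -LogonType Password -RunLevel Limited

Register-ScheduledTask -TaskName 'Password Expiry Notification' `
                       -Action $action -Trigger $trigger -Principal $principal

# Reading back the stored command line before the first run catches quoting mistakes.
(Get-ScheduledTask -TaskName 'Password Expiry Notification').Actions.Arguments
```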
  • The smtp server requires a secure connection
    3 Posts | Last post November 16, 2018
    • Hi Robert,
      Great script, this is exactly what I was looking for. I have everything configured to my needs except for the mailing part (the most important part). I have watched your YouTube video about smtp authentication, however it still doesn’t explain how to use a secure connection. I keep getting "The smtp server requires a secure connection" from my log. I’ve tried this with a local domain relay (which requires TLS), Office 365 and Gmail.
      I’ve seen many questions about this problem in this very Q and A, but no real solutions to the problem, just different ways to go around it. So, my question is, how can I make the script use TLS?
      Really looking forward to your reply, I feel like this can help a lot of other people as well.
      Kind regards,
    • As I am not in control of third-party mail servers, it is difficult to give a definitive answer.
      From a Windows 10 machine, this command allowed me to send authenticated SMTP via Office 365,
      Send-MailMessage -SmtpServer $smtpServer -From $from -To $to -Subject $subject -Body $body -Credential $cred -Port 587  -UseSsl
      The same command allowed me to send via gmail as well.
    • You can also adjust the TLS version you are using by adding this before the Send-MailMessage command:
      # For 1.2
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
      # For 1.1
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11
      # For 1.0
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls
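Pulling together the advice in this thread and the earlier ones (port 587 with -UseSsl, forcing TLS 1.2, limiting the scan with -SearchBase to chosen OUs, and honouring fine-grained policies via Get-ADUserResultantPasswordPolicy), here is an added example that is not the script's own code; the OU names, SMTP host, addresses and the $cred variable are assumed placeholders.

```powershell
# Added example, not the original script. OU names, host, addresses and $cred are placeholders.
Import-Module ActiveDirectory

# Force TLS 1.2 before any Send-MailMessage call; on older hosts the default is TLS 1.0.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$smtpServer   = 'smtp.example.local'
$from         = 'IT Support <it-support@example.local>'   # angle brackets stay inside the quotes
$expireInDays = 14
# For an interactive run; a scheduled task would load a saved credential instead.
$cred         = Get-Credential -Message 'SMTP submission account'

# Only the OUs that should receive notifications; the rest of the directory is never read.
$searchBases = @('OU=Sales,DC=example,DC=local', 'OU=Finance,DC=example,DC=local')
$filter      = { Enabled -eq $true -and PasswordNeverExpires -eq $false }
$props       = 'PasswordLastSet', 'EmailAddress', 'GivenName'

$users = foreach ($ou in $searchBases) {
    Get-ADUser -Filter $filter -SearchBase $ou -Properties $props
}

$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

foreach ($user in $users) {
    # "Must change at next logon" leaves PasswordLastSet empty; nothing to count down from.
    if (-not $user.PasswordLastSet -or -not $user.EmailAddress) { continue }

    # A fine-grained policy (PSO) overrides the domain default; the cmdlet returns nothing
    # when no PSO applies. Reading the PSO needs permission on the Password Settings Container.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $user
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $defaultMaxAge }
    if ($maxAge -eq [TimeSpan]::Zero) { continue }   # zero means no maximum age

    $daysLeft = [int][math]::Floor(($user.PasswordLastSet + $maxAge - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $expireInDays) { continue }

    $body = "Hello $($user.GivenName), your password expires in $daysLeft day(s)."
    # Port 587 plus -UseSsl connects in the clear and upgrades with STARTTLS.
    Send-MailMessage -SmtpServer $smtpServer -Port 587 -UseSsl -Credential $cred `
        -From $from -To $user.EmailAddress -Subject 'Password expiry notice' -Body $body
}
```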