Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days. I have now moved it to GitHub -

4.6 Star
94,386 times
Add to favorites
Active Directory
E-mail Twitter Digg Facebook
  • Exclude accounts that are -xxxx days
    9 Posts | Last post January 17, 2019
    • Hi
      How can we exclude users that have never expiring password without "Neverexpirepassword" enabled? There also get emails now. Should be excluded.
    • Depends how they have been set with never expiring passwords?
    • I have OUs with
      GPO password expire is 0 never expires. 
      And OUs fine grained password policy with 90days expire.
      Now the GPO password pol users also receive the email.
    • Are those users in a group or OU that could be targeted? 
    • What I have is 
      $users = get-aduser -SearchBase "OU=Companies,DC=domain,DC=local" .........
      In here I have OUs that have GPO 0 days expire or Fine grained pwd pols.
      GPO accounts have like -40 days but they dont expire. Cause of the GPO and checkbox PWD expired in AD is not enabled. These users should be skipped from mailling.
    •  hide all 
      Owner SPINWARE\Domain Admins 
      Created 25-2-2014 16:13:44 
      Modified 24-3-2017 12:08:40 
      User Revisions 0 (AD), 0 (SYSVOL) 
      Computer Revisions 27 (AD), 27 (SYSVOL) 
      Unique ID {31B2F340-016D-11D2-945F-00C04FB984F9} 
      GPO Status Enabled 
      Location Enforced Link Status Path 
      spinware No Enabled 
      This list only includes links in the domain of the GPO.
      Security Filteringhide
      The settings in this GPO can only apply to the following groups, users, and computers:Name 
      NT AUTHORITY\Authenticated Users 
      These groups and users have the specified permission for this GPOName Allowed Permissions Inherited 
      NT AUTHORITY\Authenticated Users Read (from Security Filtering) No 
      NT AUTHORITY\SYSTEM Edit settings, delete, modify security No 
      Computer Configuration (Enabled)hide
      Windows Settingshide
      OUs with this GPO never expire and dont get the checkbox Expired.
      Computer Configuration --> Policies --> Security Settings --> Account Policies/Password Policy --> Policy Setting 
      Maximum password age 0 days 
      Minimum password age 0 days 
    • Pasted too much info can you remove last reply of mine :)
    • No, im afraid i cannot delete any comments from here, only Microsoft can.
    • There is a question from October 11, 2018, that explains how to filter out certain OUs.
  • "Skipped - Interval"
    12 Posts | Last post January 15, 2019
    • Whether I run this interactive or as a scheduled task, it is skipping the emails.  In the logfile, under the "SendMail" header, it shows "Skipped - Interval" even for those users that fall into the interval list. I see some users that have 21 and 5 days being skipped.
      PowerShell.exe -NoProfile -NoLogo -ExecutionPolicy Bypass -File "C:\temp\PasswordChangeNotification.ps1" -smtpServer <SERVERNAME> -expireInDays 21 -from "<EMAILADDERSS>" -Logging -LogPath "c:\logFiles" -interval 1,2,5,10,15
    • Without the -interval parameter it sends a message to all users with and expiry of 21 days or less.
    • When you use the interval, it will only notify people whose date is set in the interval.
       -interval 1,2,5,10,15
      Would be users whose password expires in 1, 2, 5, 10 or 15 days exactly.
      21 days would be excluded
      if someone has a value of 5 days and that is also excluded, that sounds like an error.
      Can you share the log file?
    • In fact I'm having exaclty the same problem. Just started testing this awesome script!
      For example, -exireInDays 60 and -interval 1,3,40
      I know these are strange numbers, but that is because I'm testing.
      The user's password expires in 40 days, but no email is sent.
      Log output:
      "in 40 days.","testuser","testuser",,"7-1-2019 14:21:51","40","18-2-2019 14:21:51","Skipped - Interval"
    • Are you also using powershell -file, rather than powershell -command ?
    • Yes, using -file.
      It seems it does not take "1,3,40" as an array. If I use -interval 40 (single value) then it works correctly.
    • Logfile Output
      UserMessage	UserName	Name	EmailAddress	PasswordSet	DaysToExpire	ExpiresOn	SendMail
      in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 14:47	15	1/29/2019 14:47	Skipped - Interval
      in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 9:36	21	2/4/2019 9:36	Skipped - Interval
      in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 12:52	21	2/4/2019 12:52	Skipped - Interval
      in 5 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/21/2018 8:12	5	1/19/2019 8:12	Skipped - Interval
      in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 15:03	15	1/29/2019 15:03	Skipped - Interval
      in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 20:44	21	2/4/2019 20:44	Skipped - Interval
      in 10 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/26/2018 16:59	10	1/24/2019 16:59	Skipped - Interval
      in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 15:34	21	2/4/2019 15:34	Skipped - Interval
      in 21 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	11/6/2018 8:29	21	2/4/2019 8:29	Skipped - Interval
      in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 14:15	15	1/29/2019 14:15	Skipped - Interval
      in 15 days.	<hidden>	<hidden>	<hidden>@<emailaddress>.org	10/31/2018 12:09	15	1/29/2019 12:09	Skipped - Interval
    • So for now, I am just setting the -expireInDays 15 and letting it setting the mail every day by removing the -interval option.
    • The problem was with the "-file" parameter. Somehow it does parse an array like "7,3,1".
      Now I'm using this commandline which works fine:
      powershell -Command PasswordExpiredNotify.ps1 -smtpServer .... -expireInDays 7 -from -interval 7,3,1
    • The daysToExpire is not an array, its a string, so we need to split it into an array. Also we compare strings to int.
      Go to the section:
              # If using interval parameter - follow this section
      Change this:
                  # check interval array for expiry days
                  if(($interval) -Contains($daysToExpire))
      To this:
                  # check interval array for expiry days
                  if(($interval.split(",")) -Contains($daysToExpire.toString()))
      This worked for me.
    • I of course meant that $interval is not an array, but a string. Doh.
    • I think that is the case if you use -file rather than -command when launching the script.
  • Add the date and time when expiring in the email
    3 Posts | Last post January 12, 2019
    • Thank you Robert doe the great script. It is working fine for us.
      We have a request to add the date and time when the password will expire. 
      What do I need to change/add to the script to accomplish this?
      Thank you for your work!
    • You can modify $body to include anything you like.
      The date would be stored in $user.expiresOn however if you add that into $body it may not be formatted exactly like you want it to be.
      So, like $messageDays you may need to format it in a new variable first.
    • Thank you I got it. 
      Under  #Set Greeting Message 
      add: $ExpiryTime = $user.ExpiresOn
      Call in the email template.
  • PS Newbie Question
    2 Posts | Last post January 10, 2019
    • I have updated variables but script doesn't seem to work.  For examplee:
       [string]$smtpServer = "",
      but when I run the script manually .\script.ps1 I'm getting prompted for smtp, daystoexpired, and a few other items.
      What am I doing wrong?
      I see examples, note Darren Brinksneader comments were you call PS and pass variables so I'm a little confused.
      Any pointers would be greatly appreciated.
    • Have a look at this video,
  • Prevent sending mail to IT Support when no user has expiring password
    1 Posts | Last post January 05, 2019
    • Thank you for this great script!
      To prevent sending mail to the -reportTo parameter mail address (likely to be IT Support) when there is no user with expiring password within time limits set, I have added an exit when $notifyCount = 0:
      Write-Output "$notifyCount Users with expiring passwords within $expireInDays Days"
      If ($notifyCount -eq 0)
      	{	"No users need to be notified, exit script to prevent status mail to IT Support"
      # Process notifyusers
  • Attaching a file to the sender email
    3 Posts | Last post January 04, 2019
    • Hi,
      I've been using this script for quite some time and is awesome. It's a relief to our Helpdesk Team, but I need to add an attach to the users with some information and I can't figure out the way.
      Can you help me?
      PS: I'm using the Version 2.2 February 2017
    • Send-MailMessage has a -attachment parameter, you just enter the path of the file you want to attach.
    • I was putting the command in a wrong place. It's already fixed and working.
  • Suggested Updates
    2 Posts | Last post December 18, 2018
    • Excellent script, thank you so much for all the hard work.  Some suggestions that might improve the functionality.
      TCP/Port 587 and STARTTLS:
      Some Mail Servers have been locked down to only allow for TCP Port 587.  Additionally, those mail servers may have been hardened to only allow for TLS 1.2.  The Send-MailMessage Powershell command can be adjusted to handle one of these issues - simply add the arguments '-Port 587 -UseSSL' to the Send-MailMessage command and SMTP traffic will attempt to use the STARTTLS option upon connection to the mail server.  
      The other have of this problem requires an additional entry added just before making the Send-MailMessage command to force TLS 1.2 instead of the default TLS 1.0:
          [System.Net.ServicePointManager]::SecurityProtocol = 'TLS12' 
      Adding that line just before the Send-MailMessage will tell PowerShell to try TLS 1.2 first.
      The only other update I would suggest is to allow the script to accept a base search path using the option for 'Get-ADUser -SearchBase' - this will allow limiting the password notification to a specific set of users and not scanning the entire directory.
      Again, thanks for the excellent script.
    • I have planned to add TLS1.2 that in the next version, appreciate the comments.
  • Scheduled task not working correctly.
    6 Posts | Last post December 18, 2018
    • This runs great when I execute it from powershell.
      I'm trying to set it up as a scheduled task using a gmsa, and I'm getting weird results.
      It returns a different set of users, and I get a bunch of emails for users that have the never expire flag set. 
      Any clue on what could be causing that?
    • Whats a GSMA?
    • Group managed service account.
    • Not seen the issue before - have you delegated permissions to read the users objects?
    • Just to make sure I set the gmsa as a domain admin, and downloaded a clean copy of the script. 
      Returned around 80 users, and it should only be about 6. So, it seems I'm getting the same issue with full control of the domain.
    • after I did some more playing around, this was a permission issue on the PSO.
      I thought I had made sure that was okay but I guess not.
      I think I'm all good.
      Thanks for your time, Robert! 
  • Keep sending email to expired accounts
    2 Posts | Last post December 12, 2018
    • Is there a way to configure the script so it will continue to send emails even after the password has already expired (so days to expire is in the negatives)?
      Obviously the fact that the account has an expired password and is able to remain in that state without it changing is an issue of its own, however before we can make the change I was hoping to setup some 'nagging' for users to change their passwords.
    • Once it has expired a user would not be able to login, so the system would nag them itself.
  • only 10 email sent
    4 Posts | Last post December 11, 2018
    • i'm testing the script; in the log is reported that 17 users are notified, but only for the first 10 entries in the log i receive an email.
    • What does the console show if you run it manually, are you using -interval?
    • Hi Robert, 
      At the moment there are 15 expiring password.
      if use -interval 1,2,3,...,21 i receive all the expected emails.
      if don't use it only ten are sent.
      No differences in the console output between the two commands (apart from the selected intervals, obviously).
      If i use the -status switch (without -interval) it reports that all 15 emails are sent.
    • i found the problem.. sorry, it's my email server that refuse connections sending more then ten email together.
71 - 80 of 542 Items