Password Expiry Email Notification

This script will email a user in the event that their password is due to expire in X number of days.

 
 
 
 
 
Active Directory
8/7/2018


  • The smtp server requires a secure connection
    3 Posts | Last post November 16, 2018
    • Hi Robert,
      
      Great script, this is exactly what I was looking for. I have everything configured to my needs except for the mailing part (the most important part). I have watched your YouTube video about smtp authentication, however it still doesn’t explain how to use a secure connection. I keep getting "The smtp server requires a secure connection" from my log. I’ve tried this with a local domain relay (which requires TLS), Office 365 and Gmail.
      
      I’ve seen many questions about this problem in this very Q and A, but no real solutions to the problem, just different ways to go around it. So, my question is, how can I make the script use TLS?
      
      Really looking forward to your reply, I feel like this can help a lot of other people as well.
      
      Kind regards,
      Sebastiaan
      
    • As I am not in control of third-party mail servers, it is difficult to give a definitive answer.
      
      From a Windows 10 machine, this command allowed me to send authenticated SMTP via Office 365,
      
      Send-MailMessage -SmtpServer $smtpServer -From $from -To $to -Subject $subject -Body $body -Credential $cred -Port 587  -UseSsl
      
      The same command allowed me to send via Gmail as well.
    • You can also adjust the TLS version you are using by adding this before the Send-MailMessage command,
      # For 1.2
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
      # For 1.1
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11
      # For 1.0
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls
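
An added example, not part of the original replies or of the script itself: one way to combine the two suggestions above, adding TLS 1.2 to the protocols the process already allows (instead of overwriting the setting) and sending on port 587 with -UseSsl. The function name, the credential file and the values in the usage comment are assumptions; the credential file is assumed to have been written with Export-Clixml by the same account, on the same machine, that runs the script.

```powershell
# Added example: Send-SecureNotification and its parameter names are hypothetical.
function Send-SecureNotification {
    param(
        [Parameter(Mandatory)] [string] $SmtpServer,
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [string] $Body,
        [Parameter(Mandatory)] [string] $CredentialPath
    )

    # Add TLS 1.2 to whatever is already enabled for this process.
    $current = [System.Net.ServicePointManager]::SecurityProtocol
    [System.Net.ServicePointManager]::SecurityProtocol = $current -bor [System.Net.SecurityProtocolType]::Tls12

    # The file is created once, interactively, with:
    #   Get-Credential | Export-Clixml -Path <file>
    # On Windows the stored password is protected with DPAPI, so only the same
    # user on the same machine can read it back.
    if (-not (Test-Path -LiteralPath $CredentialPath)) {
        throw "Credential file not found: $CredentialPath"
    }
    $cred = Import-Clixml -LiteralPath $CredentialPath
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "File does not contain a PSCredential: $CredentialPath"
    }

    # -ErrorAction Stop turns a refused or unauthenticated send into a
    # terminating error the caller can log, instead of a silent failure.
    Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $cred `
        -From $From -To $To -Subject $Subject -Body $Body -ErrorAction Stop
}

# Usage (all values are placeholders):
# Send-SecureNotification -SmtpServer 'smtp.example.com' -From 'it@example.com' `
#     -To 'user@example.com' -Subject 'Password expiry' -Body 'Test' `
#     -CredentialPath 'C:\Scripts\smtp-cred.xml'
```
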
  • Gmail authentication
    2 Posts | Last post November 09, 2018
    • Hi there Robert,
      
      This script is amazing imo but I'm having a small problem with it.
      I'd really like to use this with my gmail account and I followed your SMTP-Auth tutorial.
      I just keep getting the "the smtp server requires a secure connection or the client was not authenticated". 
      Could this be because I'm using two-factor authentication on my Gmail account?
      
      Looking forward to your reply!
      
      Kind regards,
      Sander 
    • Yes, I expect so.
      
      You can create an App password in Gmail to use with SMTP authentication.
      
      https://support.google.com/accounts/answer/185833?hl=en
  • Time to be run?
    2 Posts | Last post November 01, 2018
    • Thank you.
      
      Is this run as a one-time event, or do you need to run it each time you want the email to be sent?
      
      If so, do people set up a scheduled task?
    • I run it as a scheduled task three times a week.
  • New to This
    2 Posts | Last post October 30, 2018
    • I am sorry to bother you. This is a great script, but we have set up an Exchange Server in-house and have many shared mailboxes. These are all disabled accounts, but the script emails them saying your password is due to expire.
      I cannot exempt an OU, as each shared mailbox is in the OU for each sub-site. Can I get this script to ignore disabled accounts?
    • On line 132 it should be filtering out accounts that are disabled.
      
      get-aduser -filter {(Enabled -eq $true)...}
      
      Which version are you using, have you made changes to it?
  • Parameters Don't Matter
    2 Posts | Last post October 29, 2018
    • Robert, thanks so much for making this available!
      
      I have enjoyed working with this to get it to work.
      
      # Please Configure the following variables....
      $smtpServer="xxx02.xxx.com"
      $expireindays = 21
      $interval = 1,2,5,10
      $from = "Password Reset Notification <support@xxxx.com>"
      $logging = "Enabled" # Set to Disabled to Disable Logging
      $logFile = "\\cccccc\cccccccc\mylog.csv" # ie. c:\mylog.csv
      $reportto = "bxxxxr@xxxx.com"
      $testing = "Disabled" # Set to Disabled to Email Users
      $testRecipient = "asdkljfhn@ccccc.com"
      
      I am testing the code and have run it in test mode many times. Once I get it to work in testing, I modify the parameters for real-time. The new modifications are not working.
      
      1. The log file is not going to the new path I specified.
      2. The server thinks testing is still enabled, because my test account is getting the email.
      
      I have noticed this on and off with other parameters, and I am, honestly, clueless as to why the new changes are not being implemented in the code.
      
      Thanks for your help!  Always!!
      
      -Jason
    • Which version of the script are you using?
      
      You should not set the values of the variables inside the script itself.
  • Exclude an OU?
    2 Posts | Last post October 11, 2018
    • Hello,
      
      I've been using this great script for over a year - once again, great work. I have an OU that I'd like to exclude from the script. Is it possible to do this instead of specifying multiple OUs in the -searchbase?
    • Excluding a single OU is possible, if a little convoluted.
      
      If you add CanonicalName to the -properties section of Get-AdUser, this will collect everyone's CanonicalName, which, if you did not know, is the path to the user object in AD. (We could also use a DistinguishedName.)
      
      Now, somewhere near the top, let's say line 139, add in,
      
      $excludeOU = @("mydomain.domain.com/OU/OU/")
      
      where that is the path to the OU you want to exclude; leave the trailing "/".
      
      At line 178 we then need to add in a bit of script to collect the user's OU and add it to the $userObj.
      
      $userCanon = $user.CanonicalName.Replace($user.Name,"")
      
      Then, at line 184,
      
      if(($excludeOU) -contains $userCanon)
      {
      # Skip User
      }
      else
      {
      $colUsers += $userObj
      }
      
      
      I have not tested this, and this won't do anything like log the exclusions, or even output anything to the console, but it should be enough to skip an OU.
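
An added example, not part of the original reply or of the script: the reply notes that a DistinguishedName could be used instead of CanonicalName, and this sketch takes that route, matching on the end of the DN so that nested OUs are excluded too and the skipped accounts are kept for logging. Test-InExcludedOU, the OU names and the sample objects are constructed; in the script the objects would come from Get-ADUser.

```powershell
# Added example: Test-InExcludedOU and every DN below are constructed for illustration.
function Test-InExcludedOU {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $ExcludedOU
    )
    foreach ($ou in $ExcludedOU) {
        # Require ",<OU DN>" as the suffix: the object must sit below the OU,
        # at any depth. Comparing only the end of the string means a user whose
        # own name happens to contain the OU's name is not excluded.
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$excludeOU = @('OU=Service Accounts,DC=mydomain,DC=domain,DC=com')

# Constructed stand-ins for the objects Get-ADUser returns.
$users = @(
    [pscustomobject]@{ Name = 'Alice'
        DistinguishedName = 'CN=Alice,OU=Staff,DC=mydomain,DC=domain,DC=com' }
    [pscustomobject]@{ Name = 'svc-backup'
        DistinguishedName = 'CN=svc-backup,OU=Service Accounts,DC=mydomain,DC=domain,DC=com' }
    [pscustomobject]@{ Name = 'svc-sql'
        DistinguishedName = 'CN=svc-sql,OU=Databases,OU=Service Accounts,DC=mydomain,DC=domain,DC=com' }
    [pscustomobject]@{ Name = 'Service Accounts Admin'
        DistinguishedName = 'CN=Service Accounts Admin,OU=Staff,DC=mydomain,DC=domain,DC=com' }
)

$colUsers = @()   # users that go on to the expiry check
$skipped  = @()   # users left out, kept so the exclusion can be logged
foreach ($user in $users) {
    if (Test-InExcludedOU -DistinguishedName $user.DistinguishedName -ExcludedOU $excludeOU) {
        $skipped += $user
    } else {
        $colUsers += $user
    }
}

"Processing: " + ($colUsers.Name -join ', ')
"Skipped (excluded OU): " + ($skipped.Name -join ', ')
```

With the sample data, the two accounts under Service Accounts (one directly, one in a nested OU) are skipped, and the Staff user whose name contains "Service Accounts" is still processed.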
      
      
      
      
  • Emails not sending to Users
    2 Posts | Last post October 11, 2018
    • Hello,
      
      Script has been running perfectly for over a year. I have it running via a task scheduler and recently it stopped working due to the scheduler running off an account that had the password expire.
      
       I have the scheduler working again, but now the script won't send emails to users. Though the testing attribute does work and it sends email to me that way.
      
      So it seems to work in all aspects except sending the emails. I also confirmed there are no emails being sent out and blocked or sent to junk mail.
      
      Would anyone be able to help? Much appreciated! 
    • Does the account sending email need authentication? Did you update the credential for that account?
  • Little Problem
    4 Posts | Last post October 11, 2018
    • Hi,
      
      Thanks for this script!
      
      I have something wrong using it: all my users are logged as "Skipped - Interval" even if they are in the good interval! This is my CMD:
      
      Powershell.exe -executionpolicy remotesigned -File C:\Scripts\PasswordChangeNotification.ps1 -smtpServer mail.blablabla.fr -expireInDays 10 -from "Support <support@blablabla.com>" -interval 1,2,3,10 -Logging -LogPath "c:\scripts\logs" -testing -testRecipient bla@blablabla.com
      
      And a log:
      
      "in 10 days.","blabla","BLA bla","blabla@blabla.com","13/08/2018 09:36:11","10","12/10/2018 09:36:11","Skipped - Interval"
      "in 3 days.","blabla","BLA bla","blabla@blabla.com","06/08/2018 12:01:45","3","05/10/2018 12:01:45","Skipped - Interval"
      
      
      Thanks a lot!
    • Instead of -file, use -command
    • Hi Robert,
      When I use -command, I get the result (0x1).
      If I use -file, it is the same case as AlfredIT: the log shows all emails skipped.
      Thanks,
      
    • Check out this video.
      https://www.youtube.com/watch?v=3ia-cJbf5Ng
      
      You need to put everything inside quotes after -command.
      
      Command:
      Powershell.exe
      
      Arguments:
      "-executionpolicy remotesigned -command C:\Scripts\PasswordChangeNotification.ps1 -smtpServer mail.blablabla.fr -expireInDays 10 -from 'Support <support@blablabla.com>' -interval 1,2,3,10 -Logging -LogPath "c:\scripts\logs" -testing -testRecipient bla@blablabla.com -interval 1,3,7,9"
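
An added example, not from the original thread or the script: when powershell.exe is started with -File, an argument such as 1,2,3,10 reaches the script as the single string "1,2,3,10" rather than four numbers, so a -contains test against a day count never matches, which is consistent with the "Skipped - Interval" log lines above. ConvertTo-IntervalList is a hypothetical helper, and how the script itself declares and tests -interval is an assumption.

```powershell
# Added example: ConvertTo-IntervalList is hypothetical, not part of the script.
function ConvertTo-IntervalList {
    param([Parameter(Mandatory)] [object[]] $Interval)

    $days = foreach ($item in $Interval) {
        # Each element may be a number (from -Command) or a comma-separated
        # string (from -File); split and validate every piece.
        foreach ($part in ([string]$item -split ',')) {
            $text = $part.Trim()
            $n = 0
            if ((-not [int]::TryParse($text, [ref]$n)) -or ($n -lt 0)) {
                throw "Invalid -interval value '$text'"
            }
            $n
        }
    }
    # The leading comma keeps the result an array even with one element.
    return ,@($days | Sort-Object -Unique)
}

$daysToExpire = 10            # constructed value for one user
$fromFile     = '1,2,3,10'    # what the script receives when started with -File
$fromCommand  = 1, 2, 3, 10   # what it receives when started with -Command

[pscustomobject]@{
    Source          = '-File, raw'
    WouldSendNotice = $fromFile -contains $daysToExpire
}
[pscustomobject]@{
    Source          = '-File, normalised'
    WouldSendNotice = (ConvertTo-IntervalList $fromFile) -contains $daysToExpire
}
[pscustomobject]@{
    Source          = '-Command, normalised'
    WouldSendNotice = (ConvertTo-IntervalList $fromCommand) -contains $daysToExpire
}
```

Only the raw -File row reports that no notice would be sent; normalising the value inside the script makes both launch styles behave the same.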
      
  • Your script in task schedule problem
    1 Posts | Last post October 05, 2018
    • Good day,
      I am now having a problem deploying it as a scheduled task;
      the arguments space has a limitation, so I can't input all the parameters,
      
      -NoProfile -ExecutionPolicy Unrestricted -File "D:\.\PwNotice.ps1 -smtpServer XXX.XXX.XXX.XXX -expireInDays 7 -from "IT Support <CGIPW_EXPIRY@XXXXXXXXXXXXXXXXX.com.hk>" -Logging -LogPath "D:\logFiles" -reportTo ITMAILMAIL@XXXXXXXXXXXXXX.com.hk -interval 1,2,3,5,7
      
      Kindly help and let me know how to fix this problem.
      
      Thanks a lot.
      
      
       
  • Rename CSV column name
    3 Posts | Last post October 04, 2018
    • Hi Robert,
      
      I think it's a bit difficult to adjust the datetime format, so instead I'm just trying to add MM/DD/YYYY to the column name or description, so that the users can read the date properly.
      
      I tried to modify with this line
      
      $notifiedUsers | select UserName,Name,EmailAddress,PasswordSet,DaysToExpire,ExpiresOn | sort DaystoExpire | FT -autoSize
      
      with for example renaming the "PasswordSet"
      
      $notifiedUsers | select UserName,Name,EmailAddress,@{Name = "PwdSet-MM/DD/YYYY"; Expression = {$_.PasswordSet}},DaysToExpire,ExpiresOn | sort DaystoExpire | FT -autoSize
      
      The script executed without problem; however, it only updated the column name in the on-screen output, it hasn't renamed the column header in the CSV file.
      
      Am I changing the wrong place or using the wrong method?
      
      Please kindly help.
      
    • The column header is set based on the object name.
      
      So $daysToExpire is set on line 182. '-name DaysToExpire'.
      
      PasswordSet is on line 181.
      
      But, by changing these values, you need to make sure they are not set elsewhere using the original names.
      
      For example, on line 191, where we reference $_.DaysToExpire, this would need to match whatever you change the value on line 182 to.
    • Thank you Robert for your quick reply.
      
      So instead of changing the existing object name, is it possible to create a duplicate of these objects with a different '-name', so that I can specifically use them in the report and log view?
      
      If so, where would I place these 'names' for the report and logs?