PowerShell: sending an e-mail before password expiration

  • Question

  • Hello, I was looking to have an e-mail sent to all the users in my domain as their password expiration approaches.

    So I found this script, but I have a problem: it selects nobody because it does not retrieve PasswordLastSet.

    Here is the command that showed me that the password age is not retrieved:

    Get-ADUser -SearchBase "OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, whenChanged


    DistinguishedName : CN=test,OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local
    GivenName         : test
    Name              : test
    ObjectClass       : user
    ObjectGUID        : ab2e1b31-d2cc-4c45-a32a-2c58ec07e6bc
    PasswordLastSet   :
    SamAccountName    : test
    SID               : S-1-5-21-1941111256-1187126318-1563503735-5514
    Surname           :
    UserPrincipalName : test@PEI_GPAO.local

    DistinguishedName : CN=test2,OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local
    GivenName         : test2
    Name              : test2
    ObjectClass       : user
    ObjectGUID        : a55e44b7-a45d-4c6e-8b31-50a1ab897636
    PasswordLastSet   :
    SamAccountName    : test2
    SID               : S-1-5-21-1941111256-1187126318-1563503735-5518
    Surname           :
    UserPrincipalName : test2@PEI_GPAO.local

    DistinguishedName : CN=Test AD,OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local
    GivenName         : Test
    Name              : Test AD
    ObjectClass       : user
    ObjectGUID        : 2bbd4bb7-0e1f-4095-895a-697de5c76b7f
    PasswordLastSet   :
    SamAccountName    : TESTAD
    SID               : S-1-5-21-1941111256-1187126318-1563503735-3160
    Surname           : AD
    UserPrincipalName : TESTAD@PEI_GPAO.local

    Here is my script:

    <#
    .SYNOPSIS
       Script to send automated e-mail reminders when users' passwords are due to expire.
    .DESCRIPTION
       Script to send automated e-mail reminders when users' passwords are due to expire.
       Robert Pearman / WindowsServerEssentials.com
       Version 2.9 August 2018
       Requires: Windows PowerShell Module for Active Directory
       For assistance and ideas, visit the TechNet Gallery Q&A Page. http://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27/view/Discussions#content

       Alternatively visit my YouTube channel, https://www.youtube.com/robtitlerequired

       Videos are available to cover most questions; some videos are based on the earlier version, which used static variables, however most of the code
       can still be applied to this version, for example for targeting groups or email design.

       Please take a look at the existing Q&A, as many questions are simply repeating earlier ones, with the same answers!

    .EXAMPLE
      PasswordChangeNotification.ps1 -smtpServer mail.domain.com -expireInDays 21 -from "IT Support <support@domain.com>" -Logging -LogPath "c:\logFiles" -testing -testRecipient support@domain.com

      This example will use mail.domain.com as an SMTP server, notify users whose password expires in less than 21 days, and send mail from support@domain.com.
      Logging is enabled, log path is c:\logfiles.
      Testing is enabled, and the test recipient is support@domain.com.

    .EXAMPLE
      PasswordChangeNotification.ps1 -smtpServer mail.domain.com -expireInDays 21 -from "IT Support <support@domain.com>" -reportTo myaddress@domain.com -interval 1,2,5,10,15

      This example will use mail.domain.com as an SMTP server, notify users whose password expires in less than 21 days, and send mail from support@domain.com.
      Report is enabled, reports are sent to myaddress@domain.com.
      Interval is used: when the script runs, emails are sent to people whose password expires in less than 21 days and who have exactly 15, 10, 5, 2 or 1 days remaining until it expires.
    #>
    param(
        # SMTP server hostname or IP address (the defaults below were hardcoded for this domain)
        [Parameter(Position=0)]
        [string]$smtpServer = "PEI-EXCH2013.PEI_GPAO.local",
        # Notify users if the password expires in less than X days
        [Parameter(Position=1)]
        [int]$expireInDays = 20,
        # From address, eg "IT Support <support@domain.com>"
        [Parameter(Position=2)]
        [string]$from = "support-it-pei@pinetteemidecau.com",
        # Write a CSV log of notified users. The switch has to be declared: the script tests $logging
        # further down, and with the declaration commented out nothing was ever logged.
        [Parameter(Position=3)]
        [switch]$logging,
        # Log file path
        [Parameter(Position=4)]
        [string]$logPath = "c:\LOG_password_expiration\",
        # Testing enabled: every message goes to $testRecipient instead of the user
        [Parameter(Position=5)]
        [switch]$testing,
        # Test recipient, eg recipient@domain.com
        [Parameter(Position=6)]
        [string]$testRecipient,
        # Output more detailed status to console
        [Parameter(Position=7)]
        [switch]$status,
        # Log file recipient
        [Parameter(Position=8)]
        [string]$reportto,
        # Notification interval, eg 1,2,5,10: only users with exactly that many days left are mailed
        [Parameter(Position=9)]
        [int[]]$interval
    )
    ###################################################################################################################
    # Time / date info
    $start = [datetime]::Now
    $midnight = $start.Date.AddDays(1)
    $timeToMidnight = New-TimeSpan -Start $start -End $midnight
    $midnight2 = $start.Date.AddDays(2)
    $timeToMidnight2 = New-TimeSpan -Start $start -End $midnight2
    # System settings
    $textEncoding = [System.Text.Encoding]::UTF8
    $today = $start
    # End system settings

    # Load AD module; nothing below can run without it, so stop rather than only warn
    try{
        Import-Module ActiveDirectory -ErrorAction Stop
    }
    catch{
        Write-Warning "Unable to load Active Directory PowerShell Module"
        Exit 1
    }
    # Set output formatting - padding width
    $padVal = 20
    Write-Output "Script Loaded"
    Write-Output "*** Settings Summary ***"
    $smtpServerLabel = "SMTP Server".PadRight($padVal," ")
    $expireInDaysLabel = "Expire in Days".PadRight($padVal," ")
    $fromLabel = "From".PadRight($padVal," ")
    $testLabel = "Testing".PadRight($padVal," ")
    $testRecipientLabel = "Test Recipient".PadRight($padVal," ")
    $logLabel = "Logging".PadRight($padVal," ")
    $logPathLabel = "Log Path".PadRight($padVal," ")
    $reportToLabel = "Report Recipient".PadRight($padVal," ")
    $interValLabel = "Intervals".PadRight($padVal," ")
    # Testing values ([string] parameters default to "", not $null, so test for emptiness)
    if($testing)
    {
        if(-not $testRecipient)
        {
            Write-Output "No Test Recipient Specified"
            Exit
        }
    }
    # Logging values
    if($logging)
    {
        if(-not $logPath)
        {
            $logPath = $PSScriptRoot
        }
    }
    # Output summary information
    Write-Output "$smtpServerLabel : $smtpServer"
    Write-Output "$expireInDaysLabel : $expireInDays"
    Write-Output "$fromLabel : $from"
    Write-Output "$logLabel : $logging"
    Write-Output "$logPathLabel : $logPath"
    Write-Output "$testLabel : $testing"
    Write-Output "$testRecipientLabel : $testRecipient"
    Write-Output "$reportToLabel : $reportto"
    Write-Output "$interValLabel : $interval"
    Write-Output "*".PadRight(25,"*")
    # Get users from AD who are enabled, whose passwords expire and are not currently expired
    # To target a specific OU - use the -SearchBase parameter - https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduser
    # You can target specific group members using Get-ADGroupMember, explained here https://www.youtube.com/watch?v=4CX9qMcECVQ
    # based on the earlier version, but the method still works here.
    $users = Get-ADUser -SearchBase "OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local" -Filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | Where-Object { $_.PasswordExpired -eq $false }
    # Count users
    $usersCount = ($users | Measure-Object).Count
    Write-Output "Found $usersCount User Objects"
    # Collect domain password policy information
    $defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days
    Write-Output "Domain Default Password Age: $defaultMaxPasswordAge"
    # Collect users
    $colUsers = @()
    # Process each user for password expiry
    Write-Output "Process User Objects"
    foreach ($user in $users)
    {
        # Store user information
        $Name = $user.Name
        $emailaddress = $user.EmailAddress
        $samAccountName = $user.SamAccountName
        $pwdLastSet = $user.PasswordLastSet
        # PasswordLastSet is empty when the pwdLastSet attribute is 0 (password never set, or
        # "User must change password at next logon" ticked). Calling .AddDays() on it would throw,
        # so skip such accounts and say why instead of silently notifying nobody.
        if($null -eq $pwdLastSet)
        {
            Write-Warning "$samAccountName : PasswordLastSet is empty (pwdLastSet = 0), skipped"
            continue
        }
        # Check for a fine-grained password policy
        $maxPasswordAge = $defaultMaxPasswordAge
        $PasswordPol = Get-ADUserResultantPasswordPolicy $user
        if($null -ne $PasswordPol)
        {
            $maxPasswordAge = $PasswordPol.MaxPasswordAge.Days
        }
        # Create user object
        $userObj = New-Object System.Object
        $expiresOn = $pwdLastSet.AddDays($maxPasswordAge)
        $daysToExpire = New-TimeSpan -Start $today -End $expiresOn
        # Round expiry date up or down (explicit grouping: -and and -or share precedence in PowerShell)
        if(($daysToExpire.Days -eq 0) -and ($daysToExpire.TotalHours -le $timeToMidnight.TotalHours))
        {
            $userObj | Add-Member -Type NoteProperty -Name UserMessage -Value "today"
        }
        if((($daysToExpire.Days -eq 0) -and ($daysToExpire.TotalHours -gt $timeToMidnight.TotalHours)) -or (($daysToExpire.Days -eq 1) -and ($daysToExpire.TotalHours -le $timeToMidnight2.TotalHours)))
        {
            $userObj | Add-Member -Type NoteProperty -Name UserMessage -Value "tomorrow"
        }
        if(($daysToExpire.Days -ge 1) -and ($daysToExpire.TotalHours -gt $timeToMidnight2.TotalHours))
        {
            $days = [math]::Round($daysToExpire.TotalDays)
            $userObj | Add-Member -Type NoteProperty -Name UserMessage -Value "in $days days."
        }
        $daysToExpire = [math]::Round($daysToExpire.TotalDays)
        $userObj | Add-Member -Type NoteProperty -Name UserName -Value $samAccountName
        $userObj | Add-Member -Type NoteProperty -Name Name -Value $Name
        $userObj | Add-Member -Type NoteProperty -Name EmailAddress -Value $emailAddress
        $userObj | Add-Member -Type NoteProperty -Name PasswordSet -Value $pwdLastSet
        $userObj | Add-Member -Type NoteProperty -Name DaysToExpire -Value $daysToExpire
        $userObj | Add-Member -Type NoteProperty -Name ExpiresOn -Value $expiresOn
        # Add userObj to the colUsers array
        $colUsers += $userObj
    }
    # Count users
    $colUsersCount = ($colUsers | Measure-Object).Count
    Write-Output "$colUsersCount Users processed"
    # Select users to notify
    $notifyUsers = $colUsers | Where-Object { $_.DaysToExpire -le $expireInDays }
    $notifiedUsers = @()
    $notifyCount = ($notifyUsers | Measure-Object).Count
    Write-Output "$notifyCount Users with expiring passwords within $expireInDays Days"
    # Process notifyUsers
    foreach ($user in $notifyUsers)
    {
        # Email address
        $samAccountName = $user.UserName
        $emailAddress = $user.EmailAddress
        # Set greeting message
        $name = $user.Name
        $messageDays = $user.UserMessage
        # Subject setting
        $subject = "Your password expires $messageDays"
        # Email body set here. Note you can use HTML, including images.
        # examples here https://youtu.be/iwvQ5tPqgW0
        $body = "
        <font face=""calibri"">
        Hello $name,
        <p> Your password expires $messageDays<br>
        To change your password on a PC, press CTRL ALT Delete and choose Change a password. <br>
        <p> If you use a Mac or are outside PEI, you can change your password through the Web Mail. <br>
        Log on to the <a href=""https://owa.pinetteemidecau.com/owa""> Web Mail </a>, then click Settings (the gear wheel), then Change password.
        <p> Don't forget to update the password on your mobile devices too!
        <p>Thank you, <br>
        </P>
        PEI IT Department
        <a href=""mailto:support-it-pei@pinetteemidecau.com"">support-it-pei@pinetteemidecau.com </a> | 03 85 47 43 19
        </font>"
        # If testing is enabled - email the administrator
        if($testing)
        {
            $emailaddress = $testRecipient
        } # End testing
        # If a user has no email address listed, fall back to the test recipient
        if(-not $emailaddress)
        {
            $emailaddress = $testRecipient
        } # End no valid email
        $samLabel = $samAccountName.PadRight($padVal," ")
        try{
            # If using the interval parameter - follow this section
            if($interval)
            {
                $daysToExpire = [int]$user.DaysToExpire
                # check the interval array for the expiry days
                if($interval -contains $daysToExpire)
                {
                    # if using status - output information to console
                    if($status)
                    {
                        Write-Output "Sending Email : $samLabel : $emailAddress"
                    }
                    # Send message - if you need to use SMTP authentication watch this video https://youtu.be/_-JHzG_LNvw
                    Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High -Encoding $textEncoding -ErrorAction Stop
                    $user | Add-Member -MemberType NoteProperty -Name SendMail -Value "OK"
                }
                else
                {
                    # if using status - output information to console
                    # No message sent
                    if($status)
                    {
                        Write-Output "Sending Email : $samLabel : $emailAddress : Skipped - Interval"
                    }
                    $user | Add-Member -MemberType NoteProperty -Name SendMail -Value "Skipped - Interval"
                }
            }
            else
            {
                # if not using the interval parameter - follow this section
                # if using status - output information to console
                if($status)
                {
                    Write-Output "Sending Email : $samLabel : $emailAddress"
                }
                Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High -Encoding $textEncoding -ErrorAction Stop
                $user | Add-Member -MemberType NoteProperty -Name SendMail -Value "OK"
            }
        }
        catch{
            # error section
            $errorMessage = $_.Exception.Message
            # if using status - output information to console
            if($status)
            {
               Write-Output $errorMessage
            }
            $user | Add-Member -MemberType NoteProperty -Name SendMail -Value $errorMessage
        }
        $notifiedUsers += $user
    }
    if($logging)
    {
        # Create log file
        Write-Output "Creating Log File"
        $date = $today.ToString("d-M-yyyy")
        $logFileName = "$date-PasswordLog.csv"
        if(-not (Test-Path -Path $logPath))
        {
            New-Item -ItemType Directory -Path $logPath | Out-Null
        }
        $logFile = Join-Path $logPath.TrimEnd('\') $logFileName
        Write-Output "Log Output: $logFile"
        $notifiedUsers | Export-Csv $logFile -NoTypeInformation
        if($reportTo)
        {
            $reportSubject = "Password Expiry Report"
            $reportBody = "Password Expiry Report Attached"
            try{
                Send-MailMessage -SmtpServer $smtpServer -From $from -To $reportTo -Subject $reportSubject -Body $reportBody -BodyAsHtml -Priority High -Encoding $textEncoding -Attachments $logFile -ErrorAction Stop
            }
            catch{
                $errorMessage = $_.Exception.Message
                Write-Output $errorMessage
            }
        }
    }
    $notifiedUsers | Select-Object UserName,Name,EmailAddress,PasswordSet,DaysToExpire,ExpiresOn | Sort-Object DaysToExpire | Format-Table -AutoSize

    $stop = [datetime]::Now
    $runTime = New-TimeSpan $start $stop
    Write-Output "Script Runtime: $runTime"
    # End

       
     

    Tuesday, 15 October 2019 11:48
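A diagnostic query, added here as an example and not part of the original post or of the Pearman script, that shows where an empty PasswordLastSet comes from: the ActiveDirectory module derives that property from the pwdLastSet attribute and leaves it null when the attribute is 0, which is the value written when "User must change password at next logon" is ticked or a password has never been set. The query also reads msDS-UserPasswordExpiryTimeComputed, the expiry the domain controller itself calculates from the effective (default or fine-grained) policy, so days to expiry can be reported without calling .AddDays() on a possibly null date. The search base is the one from the question; the function and column names are my own.

```powershell
# Added diagnostic example (not from the thread). Requires the ActiveDirectory module;
# the OU is the one shown in the question, adjust it for your domain.
Import-Module ActiveDirectory -ErrorAction Stop

$searchBase = 'OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local'

function Get-PasswordExpiryReport {
    param([Parameter(Mandatory)][string]$SearchBase)

    # pwdLastSet is the raw FILETIME behind PasswordLastSet; the msDS-* attribute is the
    # DC-computed expiry, which already accounts for fine-grained password policies.
    $props = 'pwdLastSet', 'PasswordLastSet', 'PasswordExpired',
             'msDS-UserPasswordExpiryTimeComputed', 'EmailAddress'

    Get-ADUser -SearchBase $SearchBase `
               -Filter { (Enabled -eq $true) -and (PasswordNeverExpires -eq $false) } `
               -Properties $props |
    ForEach-Object {
        $raw      = [int64]$_.pwdLastSet
        $computed = [int64]$_.'msDS-UserPasswordExpiryTimeComputed'

        # 0 means "never set / must change at next logon"; Int64.MaxValue means "never expires".
        $expiresOn = $null
        if ($computed -gt 0 -and $computed -lt [int64]::MaxValue) {
            $expiresOn = [datetime]::FromFileTime($computed)
        }
        $daysToExpire = $null
        if ($expiresOn) {
            $daysToExpire = [math]::Round(($expiresOn - (Get-Date)).TotalDays)
        }

        [pscustomobject]@{
            SamAccountName        = $_.SamAccountName
            EmailAddress          = $_.EmailAddress
            pwdLastSetRaw         = $raw
            MustChangeAtNextLogon = ($raw -eq 0)
            PasswordLastSet       = $_.PasswordLastSet   # $null exactly when pwdLastSetRaw is 0
            ExpiresOn             = $expiresOn
            DaysToExpire          = $daysToExpire
        }
    }
}

# Accounts with MustChangeAtNextLogon = True have no computable expiry; a notification
# script should skip them (or report them separately) rather than fail on them.
Get-PasswordExpiryReport -SearchBase $searchBase |
    Sort-Object DaysToExpire |
    Format-Table -AutoSize
```

Run it as the same account and from the same session as the notification script: if pwdLastSetRaw is 0 for the test accounts, the empty PasswordLastSet in the question is expected output, not a permissions problem, and resetting those passwords (or clearing the "must change at next logon" flag) populates it.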

All replies

  • Hello,

    That's strange, because this command should retrieve that property without any problem. I just tried the command on my AD and it returned everything fine:

    Get-ADUser -searchbase "OU=monou,OU=masousou,DC=domain,DC=local" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, whenChanged

    DistinguishedName    : CN=Jean DUPOND,OU=monou,OU=masousou,DC=domain,DC=local
    Enabled              : True
    GivenName            : Jean
    Name                 : Jean DUPOND
    ObjectClass          : user
    ObjectGUID           : 24fe44a3-4346-479f-ae94-c3f6ac146b9a
    PasswordExpired      : True
    PasswordLastSet      : 16/07/2018 09:21:29
    PasswordNeverExpires : False
    SamAccountName       : jean.dupond
    SID                  : S-1-5-21-709480893-3072019242-105007429-57210
    Surname              : DUPOND
    UserPrincipalName    : jean.dupond@domain.com
    whenChanged          : 05/03/2019 15:10:18

    Did you launch your PowerShell environment with administrator rights (UAC)?


    Regards,

    Sylvain (MCP, MCTS Windows Server 2008 R2 Server Virtualization, MCTS Exchange 2010)

    WWW : http://snsv.consulting | Blog : http://sylvaincoudeville.fr

    "Random" and "Mysterious" are adjectives invented by Man to avoid saying he hasn't found the root cause of the problem...



    Tuesday, 15 October 2019 12:07
  • Tuesday, 15 October 2019 12:10
  • OK, thanks
    Tuesday, 15 October 2019 12:42
  • Sylvain Coudeville,

    I ran it directly on my server, so yes, I believe so.

    I only get this:

    Get-ADUser -searchbase "OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local" -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, whenChanged
    
    
    DistinguishedName : CN=test,OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local
    GivenName         : test
    Name              : test
    ObjectClass       : user
    ObjectGUID        : ab2e1b31-d2cc-4c45-a32a-2c58ec07e6bc
    PasswordLastSet   : 
    SamAccountName    : test
    SID               : S-1-5-21-1941111256-1187126318-1563503735-5514
    Surname           : 
    UserPrincipalName : test@PEI_GPAO.local
    
    DistinguishedName : CN=test2,OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local
    GivenName         : test2
    Name              : test2
    ObjectClass       : user
    ObjectGUID        : a55e44b7-a45d-4c6e-8b31-50a1ab897636
    PasswordLastSet   : 
    SamAccountName    : test2
    SID               : S-1-5-21-1941111256-1187126318-1563503735-5518
    Surname           : 
    UserPrincipalName : test2@PEI_GPAO.local
    
    DistinguishedName : CN=Test AD,OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local
    GivenName         : Test
    Name              : Test AD
    ObjectClass       : user
    ObjectGUID        : 2bbd4bb7-0e1f-4095-895a-697de5c76b7f
    PasswordLastSet   : 
    SamAccountName    : TESTAD
    SID               : S-1-5-21-1941111256-1187126318-1563503735-3160
    Surname           : AD
    UserPrincipalName : TESTAD@PEI_GPAO.local


    Tuesday, 15 October 2019 14:20
  • Hello,

    In the English thread, he says:

    you have to look here:

    and if the information is there, then it's PowerShell that isn't being run as admin.

    or the value hasn't been set yet.

    Olivier.




    Tuesday, 15 October 2019 19:26
  • Hello,

    As Olivier suggested, check that the value actually exists via dsa.msc or ADSI.

    Otherwise, that means UAC is enabled and you have to launch PowerShell via right-click + Run as administrator.


    Regards,

    Sylvain (MCP, MCTS Windows Server 2008 R2 Server Virtualization, MCTS Exchange 2010)

    Wednesday, 16 October 2019 06:08
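The two checks suggested in the replies above, as an added example that is not part of the original thread: reading pwdLastSet straight from the directory through an ADSI LDAP search (no ActiveDirectory module involved, so the result compares directly with what dsa.msc or ADSI Edit shows), and testing whether the current shell is elevated. The account name and OU are the ones from the question; the function names are my own, and the LDAP filter value is escaped so a name containing filter metacharacters cannot change the query.

```powershell
# Added example, not from the original thread. Reads pwdLastSet with an LDAP search
# through ADSI (no ActiveDirectory module) and reports whether this shell is elevated.
# Account and OU are taken from the question; change them for your domain.
$samAccountName = 'test'
$searchRoot     = 'LDAP://OU=TEST RESTRICTIONS DIVERSE,DC=PEI_GPAO,DC=local'

function Test-ShellElevated {
    # True when the current token holds the Administrators role in this session
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 treats specially (backslash first, then the rest)
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-RawPwdLastSet {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$SearchRoot
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $escaped = ConvertTo-LdapFilterValue -Value $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'pwdLastSet', 'userAccountControl'))

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user '$SamAccountName' found under $SearchRoot" }

    # DirectorySearcher returns pwdLastSet as an Int64 FILETIME (100 ns ticks since 1601-01-01 UTC)
    $raw = [int64]$result.Properties['pwdlastset'][0]
    $uac = [int]$result.Properties['useraccountcontrol'][0]

    $lastSet = $null
    if ($raw -gt 0) { $lastSet = [datetime]::FromFileTime($raw) }

    [pscustomobject]@{
        DistinguishedName     = [string]$result.Properties['distinguishedname'][0]
        pwdLastSetRaw         = $raw
        PasswordLastSet       = $lastSet                      # $null when the raw value is 0
        MustChangeAtNextLogon = ($raw -eq 0)
        PasswordNeverExpires  = [bool]($uac -band 0x10000)    # ADS_UF_DONT_EXPIRE_PASSWD
    }
}

"Shell elevated : $(Test-ShellElevated)"
Get-RawPwdLastSet -SamAccountName $samAccountName -SearchRoot $searchRoot | Format-List
```

Reading attributes such as pwdLastSet needs only the read permissions any authenticated domain user normally has on user objects, so the output is the same whether or not the shell is elevated; the elevation line is there to settle the point raised in the replies in one run rather than to change the result.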