Email notification on password Expiry in AD

    Question

  • Hey All

     I wrote a script (probably since I'm fresh with PowerShell it's dirty scripting :(  ) to email users when their password is about to expire.

    # Query every user in the OU together with the attributes used below
    Get-ADUser -filter * -properties PasswordLastSet,EmailAddress,GivenName -SearchBase "OU=Users,DC=domain,DC=test" |foreach {

       $PasswordSetDate=$_.PasswordLastSet
       $maxPasswordAgeTimeSpan = $null
       $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

       # Expiry date = date the password was last set + maximum age from the default domain policy
       $today=get-date
       $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan

       $daysleft=$ExpiryDate-$today

       $display=$daysleft.days
       $UserName=$_.GivenName

    # Message body (here-string; the closing "@ must start its line)
    $MyVariable = @"
    "  Dear $UserName

     Your password will expire in $display days. If you are not going to change it you will not be able to connect to Irdeto corporate network.

    If you are in Irdeto West HQ building follow the steps below to change your password:
    - Press CTRL+ALT+DEL
    - On the screen that came choose "Change password"
    - Type in your old password and then type the new one (be advised you cannot use one of the previously used passwords)
    - After the change is complete you will be prompted with information that password has been changed

    If you are using VPN:
    - Connect your laptop to internet
    - On the logon screen to windows connect to CISCO VPN prior to login
    - When you will receive successful connection information login
    - At this moment you will be prompted to change your password

    With kind Regards
    IT Department

    *** This is automatically generated email - please do not reply ***

    "
    "@

    # No filtering yet: every user in the OU receives the message
    send-mailmessage -to $_.EmailAddress -from NoReply@domain.test -Subject "IT Information: Your password will expire in $display days" -body $MyVariable  -smtpserver msg001

    }
    
    
    So basically what it does - it queries the domain for users and their selected attributes and then performs an action to check when exactly the password will expire.
    The thing which I do not know how to put in here would be how to send email only to users whose password will expire in 7 days or less (greater than 0 of course, because less would mean already expired).
    If I would use IF would that be sufficient?

    MCSA / MCTS
    Wednesday, April 07, 2010 8:23 AM

Answers

  • If should work fine, eg:

    # Query every user in the OU together with the attributes used below
    Get-ADUser -filter * -properties PasswordLastSet,EmailAddress,GivenName -SearchBase "OU=Users,DC=domain,DC=test" |foreach {

       $PasswordSetDate=$_.PasswordLastSet
       # Skip accounts whose password was never set (PasswordLastSet is empty);
       # the date arithmetic below would fail for them
       if (-not $PasswordSetDate) { return }
       $maxPasswordAgeTimeSpan = $null
       $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

       # Expiry date = date the password was last set + maximum age from the default domain policy
       $today=get-date
       $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan

       $daysleft=$ExpiryDate-$today

       $display=$daysleft.days
       $UserName=$_.GivenName

    # Only notify users inside the warning window
    if ($display -lt 7 -and $display -gt 0){

    # Message body (here-string; the closing "@ must start its line)
    $MyVariable = @"
    "  Dear $UserName

     Your password will expire in $display days. If you are not going to change it you will not be able to connect to Irdeto corporate network.

    If you are in Irdeto West HQ building follow the steps below to change your password:
    - Press CTRL+ALT+DEL
    - On the screen that came choose "Change password"
    - Type in your old password and then type the new one (be advised you cannot use one of the previously used passwords)
    - After the change is complete you will be prompted with information that password has been changed

    If you are using VPN:
    - Connect your laptop to internet
    - On the logon screen to windows connect to CISCO VPN prior to login
    - When you will receive successful connection information login
    - At this moment you will be prompted to change your password

    With kind Regards
    IT Department

    *** This is automatically generated email - please do not reply ***

    "
    "@

    send-mailmessage -to $_.EmailAddress -from NoReply@domain.test -Subject "IT Information: Your password will expire in $display days" -body $MyVariable  -smtpserver msg001

    }

    }

    • Marked as answer by Rpieniazek Wednesday, April 07, 2010 1:13 PM
    Wednesday, April 07, 2010 1:03 PM

All replies

  • What should I save this script as, and where do I put the script file?
    Thursday, May 13, 2010 7:46 PM
  • Save it as a .ps1 file.  Put it wherever you want.  To run from .bat, use

    powershell -file <full path to script file>


    $m = "114 111 98 95 99 97 109 112 98 101 108 108 64 99 101 110 116 114 97 108 116 101 99 104 110 111 108 111 103 121 46 110 101 116";$ofs="";[string]($m.Split() |% {[char][int]$_})
    Friday, May 14, 2010 3:29 PM
  • I logged in just to say thanks for sharing your script :)
    Wednesday, March 27, 2013 8:15 AM
  • You could run that script as a daily scheduled task. But note that some users would then get multiple notifications.

    Also, if there are zero days left, that might not mean the password had already expired, just that it will expire in less than 24 hours. Or 12 - I am not exactly sure how the days property is rounded. If you change this line:

        if ($display -lt 7 -and $display -gt 0){

    to this:

        if ($display -lt 7 -and $display -gt -1){

    It might give some users a last chance to set their password. At the worst, they would find one additional warning message in their mailbox when they request a new password.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Wednesday, March 27, 2013 3:06 PM
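
The zero-days boundary discussed in the reply above, as an added example that is not code from the thread: `TimeSpan.Days` is the whole-day component truncated toward zero, so a password with 23 hours left and one that expired an hour ago both show 0. The sketch decides on `TotalSeconds`/`TotalDays` instead and reads the expiry from the `msDS-UserPasswordExpiryTimeComputed` attribute, which also reflects fine-grained password policies and never-expiring accounts. The function name `Get-PasswordDaysLeft`, the sample users and the 7-day window are assumptions.

```powershell
# Added example, not from the thread. Get-PasswordDaysLeft, the sample users
# and the 7-day window are assumptions made for illustration.
function Get-PasswordDaysLeft {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 7
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = password never expires.
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }
        # Disabled accounts and accounts without a mailbox get no notification.
        if (-not $User.Enabled -or -not $User.EmailAddress) { return }

        $left = [datetime]::FromFileTime($raw) - $Now
        # TotalSeconds separates "expires later today" from "already expired";
        # both cases have .Days = 0 because .Days truncates toward zero.
        if ($left.TotalSeconds -le 0 -or $left.TotalDays -gt $WarnDays) { return }

        [pscustomobject]@{
            EmailAddress  = $User.EmailAddress
            GivenName     = $User.GivenName
            DaysLeft      = [int][math]::Ceiling($left.TotalDays)  # 23 h -> 1
            TruncatedDays = $left.Days                             # 23 h -> 0
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$ref = Get-Date '2010-04-07 08:00'
$mk = { param($name, $hours, $enabled = $true)
    [pscustomobject]@{
        GivenName = $name; EmailAddress = "$name@domain.test"; Enabled = $enabled
        'msDS-UserPasswordExpiryTimeComputed' = $ref.AddHours($hours).ToFileTime()
    } }
$sample = @(
    (& $mk 'anna' 23),          # expires in 23 h: still valid, .Days = 0
    (& $mk 'ben' (-1)),         # expired 1 h ago: .Days = 0 as well
    (& $mk 'carl' 240),         # 10 days out: outside the warning window
    (& $mk 'dora' 100 $false)   # disabled account
)
# Only 'anna' is returned, with DaysLeft = 1 and TruncatedDays = 0.
$sample | Get-PasswordDaysLeft -Now $ref | Format-Table

# Against a real domain (ActiveDirectory module), feed the same function:
# Get-ADUser -Filter * -SearchBase 'OU=Users,DC=domain,DC=test' -Properties EmailAddress,GivenName,'msDS-UserPasswordExpiryTimeComputed' | Get-PasswordDaysLeft
```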
  • How would I implement this script?  I know nothing of scripting, but need something like this on my network.  I see you can call it from a BAT file, but where do you locate the script so that computer can read it?  Any help would be GREATLY appreciated.

    Thanks.


    • Edited by rudnicke Thursday, March 20, 2014 1:17 PM Expand Question
    Thursday, March 20, 2014 1:14 PM
  • Hi,

    How would I implement this script?  I know nothing of scripting, but need something like this on my network.  I see you can call it from a BAT file, but where do you locate the script so that computer can read it?  Any help would be GREATLY appreciated.

    Thanks.

    See this post for instructions:

    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/23fc5ffb-7cff-4c09-bf3e-2f94e2061f29/email-notification-on-password-expiry-ion-ad?forum=winserverpowershell#d1a90b9c-9f72-4ed1-bbbf-ecb4c42c1b84


    Don't retire TechNet! - (Don't give up yet - 12,700+ strong and growing)

    Thursday, March 20, 2014 1:47 PM
    Moderator