The script below sends your users an email message telling them how many days remain until their password expires. You can configure how many days in advance it starts warning by changing the numbers in the if statements. Set the number in parentheses in the $passexpirationdate variable to match your domain's maximum password age. If you don't know your max password age, you can view it by running the following commands in PowerShell:
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy
Set it up as a scheduled task to run daily and it will continue to email your users until they change their password. Here's the script, with comments on what each portion does. Save it as password_exp_notice.ps1:
##############################################################################################
# Password Expiration Notification
#
# This script is designed to notify users via email of an upcoming password change.
# This script requires your forest and domain functional level to be 2008 R2.
# You must have Active Directory client tools installed to run this or run it from a DC.
#
# Source: ps1scripting.blogspot.com
#
##############################################################################################
# Loads the Active Directory module to enable AD cmdlets
Import-Module ActiveDirectory
# Queries all accounts in the AD domain and stores them in the username variable
$username = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
# Foreach loop is run against each account stored in the username variable
foreach ($user in $username) {
    # Gets the current date and stores it in the now variable
    $now = Get-Date
    # Gets the date when the password was last set for the user
    $passlastset = (Get-ADUser $user -Properties PasswordLastSet).PasswordLastSet
    # Accounts that have never set a password (e.g. "must change at next logon") have no
    # PasswordLastSet; skip them instead of failing on a null object
    if ($null -eq $passlastset) { continue }
    # Calculates the password expiration date by adding 60 days to the password last set date
    $passexpirationdate = $passlastset.AddDays(60)
    # Calculates the number of days until the user's password will expire
    $daystilexpire = ($passexpirationdate - $now).Days
    # If statement to select only accounts with more than 0 days until expiration
    if ($daystilexpire -gt 0) {
        # Nested if statement to further filter the accounts selected above. This selects accounts with 5 or fewer days until expiration.
        if ($daystilexpire -le 5) {
            # Generates an email to the user using the .NET SmtpClient to notify them of how many days until their password expires
            $emailFrom  = "emailaddress@yourdomain.com"
            $emailTo    = "$user@yourdomain.com"
            $subject    = "Password Expiration Notice"
            $body       = "Your password will expire in $daystilexpire days. Please change your password soon to avoid being locked out of your account."
            $smtpServer = "Enter IP address of your SMTP Server Here"
            $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
            $smtp.Send($emailFrom, $emailTo, $subject, $body)
        }
    }
}
There it is. A quick, easy script that is sure to save you several calls about account expirations. Feel free to leave comments, questions, or ideas for improvement. Thanks for reading.
Disclaimer: All scripts and other PowerShell references on this blog are offered "as is" with no warranty. While these scripts are tested and working in my environment, it is recommended that you test them in a test environment before using them in your production environment.
I think when the password last set is null the script fails with an obj null error.
Also a Display Name or Name variable would be good for using in the mail body.
Good catch! I will try to get something added to this in the near future to handle the error.
May I suggest the following line to get an accurate read on how many days until password expiration, instead of manually determining the expiration date?
$DaysTilExpire = (([datetime]::FromFileTime((Get-ADUser -Identity $user -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed"))-(Get-Date)).Days
That way the script is much shorter and more accurate.
Also, instead of using $user@yourdomain.com you could query each user to get the listed email address for all your users and use the email address which is actually in Active Directory.
#Query ADUser to get the E-Mail Address
$emailadres = Get-ADUser $user -Properties mail
$email = $emailadres.mail
then just use $email in:
$emailTo = "$email"
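The comments above raise three points: the null-object error when PasswordLastSet is empty, reading the expiry from msDS-UserPasswordExpiryTimeComputed instead of hard-coding 60 days, and mailing the account's real mail attribute. The script below is an added example that puts all three together; it is not the blog author's script or any commenter's. It assumes the RSAT Active Directory module is available, and smtp.example.com and noreply@example.com are placeholders to replace with your own values. Accounts flagged PasswordNeverExpires and disabled accounts are excluded in the filter, and the -ReportOnly switch lists who would be mailed without sending anything, which is the safest way to check thresholds before scheduling it.

```powershell
<#
Added example: password expiry notification driven by the DC's own computed
expiry (msDS-UserPasswordExpiryTimeComputed), so fine-grained password
policies are respected and no max-age constant has to be maintained.
Assumptions (replace for your environment):
  - RSAT ActiveDirectory module installed
  - $SmtpServer / $From are placeholders
#>
param(
    [int]$WarnWithinDays = 5,
    [string]$SmtpServer  = 'smtp.example.com',    # placeholder
    [string]$From        = 'noreply@example.com',  # placeholder
    [switch]$ReportOnly                            # list candidates, send nothing
)

Import-Module ActiveDirectory

# Only enabled accounts whose password can actually expire.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, mail, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
foreach ($u in $users) {
    # Password never set ("must change at next logon"): nothing to warn about,
    # and this is the case that crashed the original script with a null object.
    if ($null -eq $u.PasswordLastSet) { continue }

    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue mean "no computed expiry"; FromFileTime throws on the latter.
    if (-not $raw -or $raw -ge [int64]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = ($expires - $now).Days
    # Already expired (negative) or outside the warning window: skip.
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnWithinDays) { continue }

    # Use the address stored in AD rather than guessing sam@domain.
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        Write-Warning "$($u.SamAccountName) has no mail attribute; skipping"
        continue
    }

    $name    = if ($u.DisplayName) { $u.DisplayName } else { $u.SamAccountName }
    $subject = 'Password Expiration Notice'
    $body    = "Hello $name, your password expires on $($expires.ToString('yyyy-MM-dd')) " +
               "($daysLeft day(s) from now). Please change it soon to avoid being locked out."

    if ($ReportOnly) {
        [pscustomobject]@{
            User     = $u.SamAccountName
            Mail     = $u.mail
            Expires  = $expires
            DaysLeft = $daysLeft
        }
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail -Subject $subject -Body $body
    }
}
```

Run it once as `.\Notify-PasswordExpiry.ps1 -ReportOnly | Format-Table` to confirm the candidate list looks right, then schedule it daily without the switch. Because the expiry comes from the domain controller, the script needs no change when the password policy changes or when a fine-grained policy gives some groups a different maximum age.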
Very informative article, it provides good information about Active Directory user password expiration notification. I tested this AD self-service tool, i.e. ( https://www.netwrix.com/password_manager.html ), that helps to send automatic password expiration notification email within a given timeline and allows users to reset their passwords without any help from Admin or help-desk.