Monday, July 16, 2012

Active Directory: User Password Expiration Notice

The password expiration notifications built into Active Directory are easy for users to miss.  They occasionally show up as a bubble in the notification area on the desktop, which is easily overlooked.  They also show up in Outlook Web Access as a little gold bar that blends in too well with its surroundings and is also often overlooked.

The script below sends each user an email message telling them how many days remain until their password expires.  You can configure how many days in advance it runs by changing the numbers in the "if statements".  You will also want to set the number in parentheses in the $passexpirationdate variable to match your domain password policy.  If you don't know your maximum password age, you can view it by running the following commands in PowerShell:

Import-Module ActiveDirectory

Get-ADDefaultDomainPasswordPolicy

Set it up as a scheduled task to run daily and it will continue to email your users until they change their password.  Here's the script with comments on what each portion does.  Save it as password_exp_notice.ps1:


##############################################################################################
#
#           Password Expiration Notification
#
# This script is designed to notify users via email of an upcoming password change.
# This script requires your forest and domain functional level to be 2008 R2.
# You must have the Active Directory client tools installed to run this, or run it from a DC.
#
# Source: ps1scripting.blogspot.com
#
##############################################################################################

# Loads the Active Directory module to enable the AD cmdlets
Import-Module ActiveDirectory

# Queries all enabled accounts in the AD domain, pulling the PasswordLastSet and
# PasswordNeverExpires attributes in the same call so each user is read from AD only once
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires

# Gets the current date once and reuses it for every account
$now = Get-Date

# Foreach loop is run against each account returned by the query
foreach ($user in $users) {

    # Accounts flagged "password never expires" have nothing to be warned about
    if ($user.PasswordNeverExpires) { continue }

    # PasswordLastSet is null when the password has never been set or must be changed at
    # next logon; skipping those accounts avoids a null-object error on the AddDays call
    if ($null -eq $user.PasswordLastSet) { continue }

    # Calculates the password expiration date by adding 60 days to the password last set
    # date (change 60 to match your domain's maximum password age)
    $passexpirationdate = $user.PasswordLastSet.AddDays(60)

    # Calculates the number of whole days until the user's password will expire
    $daystilexpire = ($passexpirationdate - $now).Days

    # if statement to select only accounts whose password has not already expired
    if ($daystilexpire -gt 0) {

        # if statement to further filter the accounts above to those with 5 or fewer days
        # until expiration (change 5 to warn further in advance)
        if ($daystilexpire -le 5) {

            # Generates an email to the user with the .NET SmtpClient telling them how many
            # days remain until their password expires
            $emailFrom  = "emailaddress@yourdomain.com"
            $emailTo    = "$($user.SamAccountName)@yourdomain.com"
            $subject    = "Password Expiration Notice"
            $body       = "Your password will expire in $daystilexpire days. Please change your password soon to avoid being locked out of your account."
            $smtpServer = "Enter IP address of your SMTP Server Here"
            $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
            $smtp.Send($emailFrom, $emailTo, $subject, $body)
        }
    }
}
  
   


There it is.  A quick, easy script that is sure to save you several help-desk calls about expired passwords.  Feel free to leave comments, questions, or ideas for improvement.  Thanks for reading.

Disclaimer: All scripts and other PowerShell references on this blog are offered "as is" with no warranty.  While these scripts are tested and working in my environment, it is recommended that you test them in a test environment before using them in production.

7 comments:

  1. I think when the password last set is null, the script fails with an obj null error.
    Also, a Display Name or Name variable would be good to use in the mail body.

  2. Good catch! I will try to get something added to this in the near future to handle the error.

  3. May I suggest the following line to get an accurate read on how many days until password expiration, instead of manually determining the expiration date?

    $DaysTilExpire = (([datetime]::FromFileTime((Get-ADUser -Identity $user -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed"))-(Get-Date)).Days

    That way the script is much shorter and more accurate.

  4. Also, instead of using $user@yourdomain.com you could query each user to get the listed email address for all your users and use the email address which is actually in Active Directory.

    # Query the AD user to get the e-mail address
    $emailadres = Get-ADUser $user -Properties mail
    $email = $emailadres.mail

    Then just use $email in:
    $emailTo = "$email"

  5. This comment has been removed by the author.

  6. Very informative article; it provides good information about Active Directory user password expiration notification. I tested this AD self-service tool, i.e. ( https://www.netwrix.com/password_manager.html ), that helps to send automatic password expiration notification emails within a given timeline and allows users to reset their passwords without any help from an admin or help desk.

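Putting the two suggestions from comments 3 and 4 together with the null-handling from comment 1, here is an added example (my code, not the post's script or the commenters' code) that reads the expiry time AD computes itself, so it stays correct under fine-grained password policies and a changed maximum age, skips accounts whose password is unset or never expires, mails the address stored in the user's mail attribute, and supports -WhatIf for a dry run before scheduling it. The function names, the SMTP relay and the sender address are placeholders you would replace with your own.

```powershell
Import-Module ActiveDirectory

function Get-DaysUntilPasswordExpiry {
    # Whole days until expiry, or $null when AD reports no meaningful expiry:
    # 0 = password not set / must change at next logon, Int64.MaxValue = never expires
    param([Parameter(Mandatory)]$User)
    $raw = $User.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [long]::MaxValue) { return $null }
    return ([datetime]::FromFileTime($raw) - (Get-Date)).Days
}

function Send-PasswordExpiryNotice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$WarnDays = 5,                                # warn when 1..WarnDays days remain
        [string]$SmtpServer = 'smtp.yourdomain.example',   # placeholder, set to your relay
        [string]$From = 'noreply@yourdomain.example'       # placeholder, set to your sender
    )
    $props = 'mail', 'DisplayName', 'msDS-UserPasswordExpiryTimeComputed'
    # Enabled accounts only; "never expires" accounts have nothing to be warned about
    $users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' -Properties $props
    $smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
    foreach ($u in $users) {
        $days = Get-DaysUntilPasswordExpiry -User $u
        # Skip unset/never-expiring passwords, already-expired ones, and those outside the window
        if ($null -eq $days -or $days -le 0 -or $days -gt $WarnDays) { continue }
        # Use the address AD holds rather than guessing sAMAccountName@domain
        if ([string]::IsNullOrWhiteSpace($u.mail)) {
            Write-Warning "$($u.SamAccountName): expires in $days day(s) but has no mail attribute"
            continue
        }
        $subject = 'Password Expiration Notice'
        $body = "Hello $($u.DisplayName), your password expires in $days day(s). Please change it soon to avoid being locked out."
        # -WhatIf on the function prints each intended message instead of sending it
        if ($PSCmdlet.ShouldProcess($u.mail, "Send '$subject' ($days day(s) left)")) {
            $smtp.Send($From, $u.mail, $subject, $body)
        }
    }
}

# Preview run: list who would be mailed, without sending anything
Send-PasswordExpiryNotice -WarnDays 5 -WhatIf
```

Drop -WhatIf once the preview looks right and schedule the call daily, as the post describes for the original script.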