Active Directory Password Expiration Email Notifier - PowerShell Script

Do you have users whose passwords are expiring and who are constantly calling you? Well, I sure did and needed a way to put an end to this. We have a lot of remote users who would not be notified that their passwords were expiring since they were not connected to the domain. This can become a real problem for Administrators when they are wasting valuable time resetting passwords. Let me first tell you, I'm not a developer so I'm sure there are better/other ways to do this but hopefully this will help some of you get started.

Below is a script to email Active Directory users that their password is going to expire in X days. It will also send a password expiration report to the Administrator which includes the name of each user whose password is expiring and when their password will expire. I have this script set up as a scheduled task to run daily on my server.

Here are the instructions to get this to work:
1. Install the Quest cmdlets and add the snap-in to PowerShell.
2. Set the Administrator's email address that should be contacted.
3. Change 192.168.x.x to the address of your SMTP server.
4. Set $DaysToExpire = X (X=10 will email all users whose passwords expire within the next 10 days).
5. Modify the script/body of the email to fit your environment (you could modify the body of the message to include instructions on changing the password and the password requirements).
6. Set up a scheduled task to run the script daily.

Anyone using this script is expected to know of the consequences of using this improperly.  I offer no warranty and expect that you will use this script at your own risk.

Please feel free to ask any questions and I will do my best to assist.

    # Load the Quest AD cmdlets (step 1); ignored if the snap-in is already loaded
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

    # Placeholder: the minimum version string is missing from this page; set it to the version you require
    $ReqVersion = [version]"0.0.0.0"
    $QadVersion = (Get-PSSnapin Quest.ActiveRoles.ADManagement).Version
    if ($QadVersion -lt $ReqVersion) {
        throw "Quest AD cmdlets version '$ReqVersion' is required. Please download the latest version"
    }

    # Placeholder address (missing from this page): the Administrator's email (step 2)
    $AdminEmail = "admin@example.com"
    # Address of your SMTP server (step 3)
    $SmtpServer = "192.168.x.x"

    # Sends one HTML email from the Administrator's address
    function sendmail($mailTo, $subject, $body) {
        $SmtpClient = New-Object System.Net.Mail.SmtpClient
        $MailMessage = New-Object System.Net.Mail.MailMessage
        $SmtpClient.Host = $SmtpServer
        $MailMessage.From = $AdminEmail
        $MailMessage.To.Add($mailTo)
        $MailMessage.Subject = $subject
        $MailMessage.IsBodyHtml = $true
        $MailMessage.Body = $body
        $SmtpClient.Send($MailMessage)
    }

    # Domain-wide maximum password age, in days
    $MaximumPassAge = (Get-QADObject (Get-QADRootDSE).defaultNamingContextDN).MaximumPasswordAge.days
    if ($MaximumPassAge -le 0) {
        throw "MaximumPasswordAge password policy is not configured."
    }

    #Sets when to start emailing users about password expiration
    $DaysToExpire = 10

    # Accumulates one line per notified user for the admin report
    $NetAdminReport = ""

    Get-QADUser -Enabled -PasswordNeverExpires:$false -SizeLimit 0 -Email * |
    Select-Object Name,Email,FirstName,@{Name="Expires";Expression={ $MaximumPassAge - $_.PasswordAge.days }} |
    Where-Object { $_.Expires -gt 0 -AND $_.Expires -le $DaysToExpire } | Foreach-Object {
        #Emails admin instead of user (testing purposes)
        #$mailTo = $AdminEmail
        #Emails user
        $mailTo = $_.Email
        #Lists each user whose password is expiring and when
        $NetAdminReport += "$($_.Name) (Password expires in $($_.Expires) days)`r`n"
        #Subject of Password Expiration Email to User
        $Subject = "Password reminder: $($_.Name) your email password will expire in $($_.Expires) days"
        $body = "<p style = ""font-size: 11pt; font-family: Calibri""> Hello $($_.FirstName), <br /> <br /> Your current domain password will expire in <b>$($_.Expires) days.</b></p>"
        sendmail $mailTo $Subject $body
    }

    #Body of Net Admin Report
    $ReportBody = "A Password Expiration Notice has been sent to the following users:`r`n`r`n" + $NetAdminReport

    #Send Admin Report (only when at least one user was notified)
    if ($NetAdminReport) {
        Send-MailMessage -SmtpServer $SmtpServer -From $AdminEmail -To $AdminEmail -Subject "Password Expiration Report" -Body $ReportBody
    }
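
The script above derives every expiry from the single domain-wide MaximumPasswordAge, so accounts covered by a fine-grained password policy can get the wrong date. The following added example (not the author's code) reads the per-user msDS-UserPasswordExpiryTimeComputed attribute instead and prints a dry-run report without sending any mail. It assumes Microsoft's ActiveDirectory module rather than the Quest cmdlets; Get-ExpiryDate and the variable names are illustrative.

```powershell
# Added example: dry-run expiry report using Microsoft's ActiveDirectory module.
# Assumption: the module is installed and the account running this can read user objects.
Import-Module ActiveDirectory

$DaysToExpire = 10                  # same meaning as in the script above
$NeverExpires = [Int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF: password does not expire

# Hypothetical helper: converts the attribute's FILETIME value to a date.
function Get-ExpiryDate([Int64]$FileTime) {
    # 0 means the password must be changed at next logon; MaxValue means it
    # never expires. Neither is a real date, and FromFileTime throws on MaxValue.
    if ($FileTime -le 0 -or $FileTime -eq $NeverExpires) { return $null }
    [datetime]::FromFileTime($FileTime)
}

$now = Get-Date
$report = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' |
    Where-Object { $_.mail } |      # only users with a mail address
    ForEach-Object {
        $expiry = Get-ExpiryDate $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($expiry) {
            $daysLeft = [math]::Floor(($expiry - $now).TotalDays)
            # Skip passwords that have already expired or are outside the window
            if ($daysLeft -ge 0 -and $daysLeft -le $DaysToExpire) {
                [pscustomobject]@{
                    Name     = $_.Name
                    Email    = $_.mail
                    Expires  = $expiry
                    DaysLeft = $daysLeft
                }
            }
        }
    }

# Review this list before wiring it to any mail-sending step
$report | Sort-Object DaysLeft | Format-Table Name, Email, Expires, DaysLeft -AutoSize
```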


Comments (3)

Thank you - at my company we have a lot of issues with remote users/external consultants who have this problem. I will test on Monday :)
Suliman Abu Kharroub, IT Consultant


Vote yes
Shreedhar Ette, Technical Manager
Top Expert 2010

Hello Jake,

Does this script have any operating system requirements?

Have you ever used this in a production environment?