Solved

Script to email AD users of upcoming password expiration

Posted on 2013-10-22
13
1,721 Views
Last Modified: 2013-10-29
Hello,
In AD we have a password expiration policy set for 14 day notification however users don't always get this on the domain and we have some users on the Cisco VPN.  I'd like to know if anyone has a reliable script they are using that would email users of upcoming password expiration they'd be willing to share.
Thanks!
0
Comment
Question by:bergquistcompany
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
13 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39591489
Try this:

Add-PSSnapin Quest.ActiveRoles.ADManagement

$ExpiringPasswords = Get-QADUser -SearchRoot "OU=Faculty,DC=Test,DC=local" -PasswordNotChangedFor 85 | Where PasswordNeverExpires -eq $False | Select-Object email -Unique

$emailFrom = 
$subject = "Password will Expire Soon"
$smtpServer = 

Foreach ($ExpiringPassword in $ExpiringPasswords) {

$emailto = $ExpiringPassword.Email
$body = "From the Glynn County I.T. Department: <br /><br /> You are receiving this email because your password expires within 5 days. While on site, press CTRL + ALT + DELETE to change your password. Your password must be 10 characters long and can contain special characters/spaces. It cannot be a previous password. <br /><br /> If you have any problems changing your password, please see your media specialist or technician. You will never be asked for your password by the Glynn County I.T. Department. If you receive an email requesting your password, please contact your media specialist or technician."

Send-MailMessage -to $emailto -from $emailFrom -Subject $subject -Body $body -BodyAsHtml -SmtpServer $smtpServer
}

Open in new window

0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39591498
It uses the quest AD powershell cmdlets. You will also need to specify the search root in line 3, and set line 5,7

I left our email body (line 12) in there for you to use as a template. We also let our users reset their password through a (free) self service tool:

http://deployhappiness.com/reset-user-passwords-with-ad-self-service-portal/
0
 

Author Comment

by:bergquistcompany
ID: 39591989
Thank you this looks awesome I will give it a test.
Are you running this as a scheduled task on the domain controller or how often are you running?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39594946
0
 

Author Comment

by:bergquistcompany
ID: 39598050
@jmoody10 - If I have a test OU I want to run it against before production does this look right:
"OU=testou,DC=northamerica,DC=bergquistcompany,DC=com"
I also set the following as noted:
$emailFrom = "securityadmin@bergquistcompany.com"
$subject = "Password will Expire Soon"
$smtpServer = "mail.bergquistcompany.com"
and I appreciate the body to use as a template.  To confirm how often do you run it and do you have it as a .ps1 that you are running through scheduled tasks?  Does it look like C:\powershell.exe -password.ps1

@Sandeshdubey - to confirm I only need to set these between the "#" to establish the variable is that correct:
$smtpServer="wilma.northamerica.bergquistcompany.com"
$from = "bergquistadministrator@bergquistcompany.com"
$expireindays = 14
Then is this also being run from a task?  I'm on 2012 and to start a program/script would I enter Powershell as the program and the .ps1 as an argument or just the .ps1 as the script?
0
 

Author Comment

by:bergquistcompany
ID: 39601025
@jmoody10
Where-Object : Cannot bind parameter 'FilterScript'. Cannot convert the "Passwo
rdNeverExpires" value of type "System.String" to type "System.Management.Automa
tion.ScriptBlock".
At line:1 char:128
+ $ExpiringPasswords = Get-QADUser -SearchRoot "OU=testou,DC=bqasia,DC=bergquis
tcompany,DC=com" -PasswordNotChangedFor 76 | Where <<<<  PasswordNeverExpires -
eq $False | Select-Object email -Unique
    + CategoryInfo          : InvalidArgument: (:) [Where-Object], ParameterBi
   ndingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh
   ell.Commands.WhereObjectCommand
0
 

Author Comment

by:bergquistcompany
ID: 39601032
@ Sandeshdubey

I have downloaded the first script set
$smtpServer="wilma.northamerica.bergquistcompany.com"
$from = "kristinebollinger@bergquistcompany.com"
$expireindays = 14

and run it from powershell .\password change notification.ps1 and it runs fine but no email ever comes through.  Are you using this?  I've tried 2012 and 2008
0
 

Author Comment

by:bergquistcompany
ID: 39605874
So I ran the attached with the updates to smtp server, from and expire in days but 2 things happen

1. email says password will expire in days (missing #) and error:

Send-MailMessage : Cannot validate argument on parameter 'To'. The argument is null or empty. Supply an argument that i
s not null or empty and then try the command again.
At C:\Users\naadmin\desktop\password.ps1:31 char:61
+     Send-Mailmessage -smtpServer $smtpServer -from $from -to <<<<  $emailaddress -subject $subject -body $body -bodya
sHTML -priority High
    + CategoryInfo          : InvalidData: (:) [Send-MailMessage], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.SendMailMessage
password.txt
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39607307
There are lots of these types of scripts out there, they assume you have the email AD attributes filled in properly:
http://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27
http://gallery.technet.microsoft.com/scriptcenter/Email-Active-Directory-452a5640
http://ss64.com/ps/syntax-expiry.html
-rich
0
 

Author Comment

by:bergquistcompany
ID: 39607422
The first one looks right on but getting errors:


1. Get-ADDefaultDomainPasswordPolicy : Cannot find an object with identity: 'Microsoft.ActiveDirectory.Management.AD
 tDomainPasswordPolicy' under: 'DC=eu,DC=bergquistcompany,DC=com'.
 At C:\Users\naadmin\desktop\test.ps1:17 char:55
 +   $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy <<<< ).MaxPasswordAge
     + CategoryInfo          : ObjectNotFound: (Microsoft.Activ...nPasswordPolicy:ADDefaultDomainPasswordPolicy) [
    DDefaultDomainPasswordPolicy], ADIdentityNotFoundException
     + FullyQualifiedErrorId : Cannot find an object with identity: 'Microsoft.ActiveDirectory.Management.ADDefaul
    inPasswordPolicy' under: 'DC=eu,DC=bergquistcompany,DC=com'.,Microsoft.ActiveDirectory.Management.Commands.Get
   faultDomainPasswordPolicy
 

2.Cannot convert argument "1", with value: "", for "op_Addition" to type "System.TimeSpan": "Cannot convert null to
 "System.TimeSpan"."
 At C:\Users\naadmin\desktop\test.ps1:18 char:34
 +   $expireson = $passwordsetdate + <<<<  $maxPasswordAge
     + CategoryInfo          : NotSpecified: (:) [], MethodException
     + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
 
3. New-TimeSpan : Cannot bind parameter 'End' to the target. Exception setting "End": "Object reference not set to a
 ance of an object."
 At C:\Users\naadmin\desktop\test.ps1:20 char:51
 +   $daystoexpire = (New-TimeSpan -Start $today -End <<<<  $Expireson).Days
     + CategoryInfo          : WriteError: (:) [New-TimeSpan], ParameterBindingException
     + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.NewTimeSpanCommand
 
4. Send-MailMessage : Cannot validate argument on parameter 'To'. The argument is null or empty. Supply an argumen
 s not null or empty and then try the command again.
 At C:\Users\naadmin\desktop\test.ps1:31 char:61
 +     Send-Mailmessage -smtpServer $smtpServer -from $from -to <<<<  $emailaddress -subject $subject -body $bod
 sHTML -priority High
     + CategoryInfo          : InvalidData: (:) [Send-MailMessage], ParameterBindingValidationException
     + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.SendMailMessage
 
5. Subject says "Your password will expire in   days!" but there is no number of days
 

Any help would be appreciated!
 
As the other 2 produce similar
0
 

Author Closing Comment

by:bergquistcompany
ID: 39610383
got me pointed in the right direction didn't quite work though
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question