Script(s) for password policies
I have a fairly rigid set of rules to play by here and they can't be altered, which sucks of course. We cannot set accounts to expire or lock them out.
What I need to script:
(1)Query AD for users whose passwords are 365 days old against the pwdlastset attribute. I also need to be able to exclude accounts that are set to never expire
(2)Email a report of the number/list
(3)Email users in stages that their password is going to expire
(4)When the day arrives I need to scramble their password
I can generally do these separately fine enough but i would highly appreciate a powershell guru who could whip something up to help with this. I can stumble through this but there is a bit of a time crunch on this.
Any help would greatly help.
What I need to script:
(1)Query AD for users whose passwords are 365 days old against the pwdlastset attribute. I also need to be able to exclude accounts that are set to never expire
(2)Email a report of the number/list
(3)Email users in stages that their password is going to expire
(4)When the day arrives I need to scramble their password
I can generally do these separately fine enough but i would highly appreciate a powershell guru who could whip something up to help with this. I can stumble through this but there is a bit of a time crunch on this.
Any help would greatly help.
Following code will help you to send the list in email.
How to Setup a Password Expiration Notification Email Solution
Ref: https://blogs.technet.microsoft.com/askpfeplat/2015/05/04/how-to-setup-a-password-expiration-notification-email-solution/
Since you dont have password expiry set, you might need to change line (I have not tested this)
$File = "C:\Script\Report.csv"
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties Displayname,pwdlastset |
Select-Object -Property Displayname,@{Name="pwdlastset";E={[datetime]::FromFileTime($_.pwdlastset)}} |
?{$_.pwdlastset -le ((Get-Date).Adddays(-365))} | Export-Csv $File -nti
$mail = @{
From = "Admin@domain.com"
To = "Admin@domain.com"
Attachments = $File
SmtpServer = "mail.domain.com"
Subject = "Password Expiry List"
}
Send-MailMessage @mail
How to Setup a Password Expiration Notification Email Solution
Ref: https://blogs.technet.microsoft.com/askpfeplat/2015/05/04/how-to-setup-a-password-expiration-notification-email-solution/
Since you dont have password expiry set, you might need to change line (I have not tested this)
$expireson = $passwordsetdate + $maxPasswordAge
To
$expireson = $passwordsetdate + 365
or
$expireson = $passwordsetdate + (New-TimeSpan -Days 365)
Set-ADAccountPassword –Identity UserA -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" –Force)
Premium Content
You need an Expert Office subscription to comment.Start Free Trial