This is a brief modification to the Password Expiry Notification Script, which seems to be pretty popular.
Amnon Hoppe contacted me from the blog, and passed on a few extra scripts with some other ideas. He has collaborated and adjusted two scripts, to quote him “one to email only the admin/service desk with a list of all users that are about to expire and the other is to do that AND also email the end users in question to warn them to verify/take action to prevent lockout.”
I’ll add them here to share. I haven’t tested these, but have gone over them to make sure nothing malicious is going on.
Thanks Amnon!
These scripts are a bit more complex, but they’re good examples of what you can do, as well as a different approach from what I took, for a very similar purpose (those are for account expiry, while mine was for password expiry).
I thought about adjusting the scripts, but after spending some time on it, I decided to leave them as they are and instead take the idea of displaying the affected users and apply it to my own script. The result is similar to the original, but its purpose is simply to list the users whose passwords expire in X days or less. This might be handy over a holiday, for example, to know whose password is going to expire and then contact them to help. You should easily be able to combine the old and new scripts if you want to email this information to yourself.
Password Expiry List (rename to .ps1)
Here’s the script, which is very similar to the original if you compare them. Instead of generating an email, we’re building a list of users whose password expiry is due in X days or less (using the -le comparison operator rather than -eq; a list of the operators is here). The list is then echoed to the console.
#################################################
# Please configure the following variables....
# expireindays1 = How many days maximum the password has to expire (e.g. 7 will be up to 7 days)
$expireindays1 = 7
#################################################
# Get users from AD who are enabled, whose password can expire and has not expired yet
Import-Module ActiveDirectory
$users = Get-ADUser -Filter * -Properties Enabled, PasswordNeverExpires, PasswordExpired, EmailAddress, PasswordLastSet |
    Where-Object { $_.Enabled -eq $true } |
    Where-Object { $_.PasswordNeverExpires -eq $false } |
    Where-Object { $_.PasswordExpired -eq $false }
$ListOfNames = @()
foreach ($user in $users)
{
    # The properties were already requested above, so no second Get-ADUser call is needed
    $Name = $user.Name
    $emailaddress = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet
    $PasswordPol = (Get-ADUserResultantPasswordPolicy $user)
    # Check for a Fine Grained Password Policy; otherwise fall back to the domain default
    if ($PasswordPol -ne $null)
    {
        $maxPasswordAge = $PasswordPol.MaxPasswordAge
    }
    else
    {
        $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }
    $expireson = $passwordSetDate + $maxPasswordAge
    $today = (Get-Date)
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days
    # -le: the password expires in X days or less (the original emailed on -eq, an exact day)
    if ($daystoexpire -le $expireindays1)
    {
        $ListOfNames += $Name
    }
}
echo $ListOfNames
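As an added example (not from the original post and not one of Amnon’s scripts), this is one way to combine the list above with the email step of the original script. It also guards two cases the script above does not check: a user with an empty PasswordLastSet (“must change password at next logon”), and a policy whose MaxPasswordAge means “never expires”, which would otherwise put every such user on the list. The SMTP server and addresses are placeholders.

```powershell
# Added example: expiry list as objects, plus a summary email to the service desk.
Import-Module ActiveDirectory
$expireindays1 = 7
$smtpServer  = 'smtp.example.invalid'          # placeholder, set to your relay
$fromAddress = 'ad-reports@example.invalid'    # placeholder
$toAddress   = 'servicedesk@example.invalid'   # placeholder

$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

$expiring = Get-ADUser -Filter * -Properties Enabled, PasswordNeverExpires, PasswordExpired, EmailAddress, PasswordLastSet |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires -and -not $_.PasswordExpired } |
    ForEach-Object {
        $user = $_
        # Case 1: PasswordLastSet is empty when the account is flagged "must change at next logon".
        # Adding a TimeSpan to $null gives no usable date, so report these separately with 0 days.
        if ($null -eq $user.PasswordLastSet) {
            [pscustomobject]@{ Name = $user.Name; Email = $user.EmailAddress; DaysToExpire = 0; Note = 'Must change at next logon' }
            return   # next pipeline object
        }
        $pol    = Get-ADUserResultantPasswordPolicy $user
        $maxAge = if ($pol) { $pol.MaxPasswordAge } else { $defaultMaxAge }
        # Case 2: a MaxPasswordAge of zero (or, in some reports, [TimeSpan]::MaxValue) means the
        # policy never expires passwords; skip these instead of computing a bogus expiry date.
        if ($maxAge -eq [TimeSpan]::Zero -or $maxAge -eq [TimeSpan]::MaxValue) { return }
        $expiresOn = $user.PasswordLastSet + $maxAge
        $days = (New-TimeSpan -Start $today -End $expiresOn).Days
        if ($days -le $expireindays1) {
            [pscustomobject]@{ Name = $user.Name; Email = $user.EmailAddress; DaysToExpire = $days; Note = '' }
        }
    } | Sort-Object DaysToExpire

# Console view, same information as the echo in the script above but with days and email
$expiring | Format-Table -AutoSize

# One summary mail to the service desk, only when there is something to report
if ($expiring) {
    $body = ($expiring | Format-Table -AutoSize | Out-String)
    Send-MailMessage -SmtpServer $smtpServer -From $fromAddress -To $toAddress `
        -Subject "Passwords expiring within $expireindays1 days: $(@($expiring).Count)" -Body $body
}
```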
Just to be completely clear, the “Accounts2Expire2EndUsers” and “Accounts2Expire2Admin” scripts are about “user accounts about to expire”, not their password, Adam covered that one already extensively.
Basically it is to prevent the embarrassment of having a user at the service desk who is no longer able to log on due to his account being expired, where it should have been extended or maybe put on indefinite.
Thanks for the clarification Amnon, I’ll adjust the post slightly.