
Password Expiry Notification Script

Going back to basics can often be a good solution to a problem. Emailing users to let them know that their password will expire soon is usually the broadest way of reaching everyone. Users who only use ActiveSync to get their email won't otherwise be told that their password is about to expire; they find out when it stops working.

With that in mind, I set out to find a simple script that runs daily, to let people know when their password is due to expire.

There’s a lot out there, but I wanted to use PowerShell and set it as a daily scheduled task.

Technet had a great one here from Johan Dahlbom. Except it didn't work for me, as I received this error when testing:

get-aduser : One or more properties are invalid.

After some research, I found this blog post which had my exact issue. It seems that PowerShell v4, which comes with Windows 8.1 and Windows Server 2012 R2, doesn't like the wildcard for -Properties when running a Get-ADUser command, such as:

Get-ADUser -Filter * -Properties *

Richard Siddaway’s solution was to pipe it out and use get-object instead, but that doesn’t give all the same results as the original.

Instead I chose to specify the actual fields needed which turned the command into:

Get-ADUser -Filter * -Properties enabled, passwordneverexpires

That worked perfectly. So after adjusting a few parts of the script, I had it working.
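Before letting a script like this send mail, it is worth checking the numbers it will produce. The following is an added example, not the original post's script: it names the properties it needs (the same workaround as above, no wildcard) and lists who would be notified within a given window, without sending anything. Instead of adding PasswordLastSet to MaxPasswordAge by hand, it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller evaluates against the user's resultant policy (fine-grained or default). The -SearchBase OU is an assumption; drop it to scan the whole domain.

```powershell
# Added example (not from the original post). Dry run: report users whose
# passwords expire within $WithinDays, without sending any e-mail.
# Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [int]$WithinDays = 7,
        [string]$SearchBase = $null      # assumed optional OU, e.g. 'OU=Staff,DC=example,DC=com'
    )
    # Name the properties explicitly; -Properties * is what triggered
    # "One or more properties are invalid" on PowerShell v4.
    $props = 'Enabled', 'PasswordNeverExpires', 'PasswordExpired',
             'EmailAddress', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = $props
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $now = Get-Date

    Get-ADUser @query | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (no password set / must change at next logon) and Int64.MaxValue
        # (policy says never expire) are not real expiry times; skip them.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expires = [DateTime]::FromFileTime($raw)
        $days    = [int][math]::Floor(($expires - $now).TotalDays)
        # Already expired (negative) or outside the window: not our concern here.
        if ($days -lt 0 -or $days -gt $WithinDays) { return }
        [pscustomobject]@{
            Name      = $_.Name
            Email     = $_.EmailAddress
            LastSet   = $_.PasswordLastSet
            ExpiresOn = $expires
            DaysLeft  = $days
            # Users with no mail address would make Send-MailMessage fail; flag them.
            NoEmail   = [string]::IsNullOrWhiteSpace($_.EmailAddress)
        }
    } | Sort-Object DaysLeft
}

# Usage: show everyone in the 7-day window, in the order they will expire.
Get-PasswordExpiryReport -WithinDays 7 | Format-Table -AutoSize
```

The DaysLeft column is the value the notification script compares against its thresholds, so if this report and the script disagree for a user (for example someone covered by a fine-grained policy), the report is the one that reflects what the DC will enforce.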

I then decided that I didn't want a daily email going out saying "You have 7 days" then "You have 6 days" and so on, but just two configurable values: 7 days and 1 day.

So, here is the script (downloadable here: Password Change Notification)

#################################################
# Please configure the following variables...
# expireindays1 / expireindays2 = at what count of days left on a password do you want a notification?
$smtpServer    = "smtp.yourmailserver.com"
$expireindays1 = 7
$expireindays2 = 1
$from          = "Name <[email protected]>"
#################################################

# Get users from AD who are enabled, whose password can expire, and whose password has not already expired.
# Properties are named explicitly because -Properties * fails on PowerShell v4.
Import-Module ActiveDirectory
$users = Get-ADUser -Filter * -Properties enabled, passwordneverexpires, passwordexpired, emailaddress, passwordlastset |
    Where-Object { $_.Enabled -eq $true -and $_.PasswordNeverExpires -eq $false -and $_.PasswordExpired -eq $false }

foreach ($user in $users)
{
    # These properties were already fetched above; no need to call Get-ADUser again for each user.
    $Name = $user.Name
    $emailaddress = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet
    $PasswordPol = Get-ADUserResultantPasswordPolicy $user

    # Check for a fine-grained password policy; otherwise fall back to the default domain policy.
    if ($PasswordPol -ne $null)
    {
        $maxPasswordAge = $PasswordPol.MaxPasswordAge
    }
    else
    {
        $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # A MaxPasswordAge of 0 means passwords do not expire under that policy, a missing
    # PasswordLastSet would make the date arithmetic fail, and Send-MailMessage needs an address.
    if ($maxPasswordAge -eq [TimeSpan]::Zero -or $passwordSetDate -eq $null -or [string]::IsNullOrWhiteSpace($emailaddress))
    {
        continue
    }

    $expireson = $passwordSetDate + $maxPasswordAge
    $today = Get-Date
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days
    $subject = "Your password will expire in $daystoexpire days"
    $body = "
Dear $Name,
<p> Your password will expire in $daystoexpire day(s).<br>
To change your password, do these things<br>
For remote password changes, sign in to this address and change it there <br>
<p>Thanks, <br>
IT
</p>"

    # Only send on the two configured days, not every day of the countdown.
    if (($daystoexpire -eq $expireindays1) -or ($daystoexpire -eq $expireindays2))
    {
        Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High
    }
}
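The post says the script runs as a daily scheduled task but does not show how to register it. This is an added example, not part of the original post, using the ScheduledTasks cmdlets that ship with Windows 8.1 / Server 2012 R2. The script path, the task name, the run time and the service account are assumptions; the account only needs to read AD and reach the SMTP relay, so it should not be a domain admin.

```powershell
# Added example (not from the original post): register the notification script
# as a daily task under a dedicated low-privilege account.
$scriptPath = 'C:\Scripts\PasswordChangeNotification.ps1'   # assumed location of the saved script

# Run PowerShell non-interactively with no profile so the task cannot hang on a prompt.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$scriptPath`""

# Once a day, early morning (assumed time).
$trigger = New-ScheduledTaskTrigger -Daily -At '07:00'

# Start if the scheduled time was missed (e.g. the host was off), and do not let a
# hung SMTP connection keep the task running forever.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# Ask for the service account's credentials at registration time rather than
# embedding them in the script; the task then runs whether or not anyone is logged on.
$cred = Get-Credential -Message 'Account to run the password notification task (assumed: CONTOSO\svc-pwdnotify)'

Register-ScheduledTask -TaskName 'Password Expiry Notification' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited

# Check the registration and the next run time.
Get-ScheduledTask -TaskName 'Password Expiry Notification' | Get-ScheduledTaskInfo
```

-ExecutionPolicy AllSigned means the saved script has to be signed with a code-signing certificate the host trusts; if you would rather not sign it, RemoteSigned is the usual alternative for a locally created file. Either way, keep the script in a directory that only administrators can write to, because whatever is in that file runs unattended under the service account every day.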