PowerShell: Scan AD to find users whose passwords are close to expiring and email them!
I was asked for this as an interim step for a customer who needs to save money!
Hopefully at some point they will have the money to buy an identity management system etc., but hey, sometimes we have to solve these particular needs.
Here is the code nonetheless:
##################################################################################################################
# Please Configure the following variables....
$smtpServer = "smtpServerName"
$expireindays = 14
###################################################################################################################
Import-Module ActiveDirectory
# Query the domain-wide settings once instead of once per user
$dfl = (Get-ADDomain).DomainMode
$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date
# Get users from AD who are enabled, requesting only the properties used below
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, EmailAddress, PasswordLastSet, PasswordExpired, PasswordNeverExpires
foreach ($user in $users)
{
    if ($user.PasswordExpired)
    {
        Write-Host $user.DisplayName " Password Has Already Expired"
    }
    elseif (-not $user.PasswordNeverExpires)
    {
        $passwordSetDate = $user.PasswordLastSet
        # Start from the default domain policy and override it with a fine-grained policy if one applies
        $maxPasswordAgeTimeSpan = $defaultMaxPasswordAge
        # Note: this matches only the exact "Windows2008Domain" mode, although
        # higher functional levels also support fine-grained password policies
        if ($dfl -eq "Windows2008Domain")
        {
            $accountFGPP = Get-ADUserResultantPasswordPolicy $user
            if ($accountFGPP -ne $null)
            {
                $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
            }
        }
        if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0)
        {
            Write-Host "MaxPasswordAge is not set for the domain or is set to zero!"
        }
        else
        {
            $expireson = $passwordSetDate + $maxPasswordAgeTimeSpan
            # Round to whole days so the value compares numerically with $expireindays
            # and reads sensibly in the message (the subtraction alone yields a TimeSpan)
            $daystoexpire = [int][math]::Round(($expireson - $today).TotalDays)
            if ($daystoexpire -lt $expireindays)
            {
                $emailaddress = $user.EmailAddress
                if ($emailaddress -ne $null)
                {
                    # $daystoexpire replaces the undefined $expireIn variable
                    $subject = "Your password will expire in $daystoexpire days"
                    $body = "Your password will expire in $daystoexpire days"
                    Send-MailMessage -SmtpServer $smtpServer -From support@yourdomain.com -To $emailaddress -Subject $subject -Body $body -Priority High
                }
            }
        }
    }
}
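A different way to get the expiry date, shown as an added example that is not part of the original script: read the msDS-UserPasswordExpiryTimeComputed attribute, which the domain controller calculates from pwdLastSet and the policy that actually applies to the user, and handle its two special values. Get-PasswordExpiryNotice and New-SampleUser are hypothetical names, and the sample accounts are constructed so the function can be tried without a domain.

```powershell
# Added example, not the original author's code.
function Get-PasswordExpiryNotice {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [int] $ExpireInDays = 14,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Computed by the DC from pwdLastSet and the effective policy,
        # fine-grained policies included, so no domain-mode check is needed.
        $raw = [int64]$User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = password never expires.
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }
        $expiresOn = [datetime]::FromFileTime($raw)
        # Whole days as an integer, so the threshold comparison is numeric.
        $days = [int][math]::Floor(($expiresOn - $Now).TotalDays)
        # Skip passwords that are already expired or not yet inside the window.
        if ($days -lt 0 -or $days -ge $ExpireInDays) { return }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            EmailAddress   = $User.EmailAddress
            ExpiresOn      = $expiresOn
            DaysToExpire   = $days
            CanNotify      = [bool]$User.EmailAddress   # no address, nothing to send
        }
    }
}

# Constructed sample accounts (hypothetical helper, for offline testing only).
function New-SampleUser($Name, $Mail, [int64]$Expiry) {
    [pscustomobject]@{ SamAccountName = $Name; EmailAddress = $Mail
                       'msDS-UserPasswordExpiryTimeComputed' = $Expiry }
}
$now = Get-Date '2024-03-01T09:00:00'
$sample = @(
    New-SampleUser 'alice' 'alice@example.test' ($now.AddDays(5.5).ToFileTime())
    New-SampleUser 'bob'   'bob@example.test'   ([int64]::MaxValue)   # never expires
    New-SampleUser 'carol' 'carol@example.test' 0                     # must change at logon
    New-SampleUser 'dave'  'dave@example.test'  ($now.AddDays(30).ToFileTime())
    New-SampleUser 'erin'  $null                ($now.AddDays(3.2).ToFileTime())
)
# Only alice and erin fall inside the 14-day window; erin has no mailbox.
$sample | Get-PasswordExpiryNotice -Now $now | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed' |
#     Get-PasswordExpiryNotice -ExpireInDays 14
```

Review the table as a dry run first, then pipe the rows where CanNotify is true into Send-MailMessage.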
Comments
Anonymous
January 01, 2003
Hello and thanks for the scripts. I see a few things wrong that are not working. In the subject and body you use the variable $expireIn, however that is not defined anywhere. Also the variable $daystoexpire returns days:hours:time: date. Your less-than statement will only work with whole numbers, for example 6 < 12. So to fix that I used this: $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expireson).TotalDays) instead of $daystoexpire = $expireson - $today. Let me know if I missed something.
Anonymous
January 01, 2003
Thanks for sharing.
Anonymous
January 01, 2003
Are you running this from a domain controller or a machine which has RSAT installed?
Anonymous
April 10, 2012
I'm having trouble running this. Can you provide some more detail?
Anonymous
July 04, 2012
Great script, thanks for contributing this.
Anonymous
August 07, 2014
Slight correction....
$today = Get-Date
$expireson = (get-aduser -identity $user -properties *).passwordlastset + (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$daystoexpire=[math]::round((New-TimeSpan -Start $($today) -End $expireson).TotalDays)
Anonymous
August 07, 2014
Moderator....can you delete my previous post...please. I had to tweak the fields. Now it works.
$today = Get-Date
$expireson = (get-aduser -identity $user -properties *).passwordlastset + (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$daystoexpire=[math]::round((New-TimeSpan $(get-date -month $($today).Month -day $($today).Day -year $($today).Year) $(get-date -month $($expireson).Month -day $($expireson).Day -year $($expireson).Year)).TotalDays)
Thanks to http://technet.microsoft.com/en-us/library/ee176916.aspx