PowerShell: Scan AD, find users whose passwords are close to expiring and email them!

I was asked for this as an interim step for a customer who needs to save money!

Hopefully at some point they will have the money to buy an identity management system etc., but hey, sometimes we have to solve these particular needs.

Here is the code nonetheless:

##################################################################################################################
# Please Configure the following variables....
$smtpServer = "smtpServerName"
$expireindays = 14
###################################################################################################################

# Get users from AD who are enabled, requesting only the properties used below
Import-Module ActiveDirectory
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, EmailAddress, PasswordExpired, PasswordNeverExpires, PasswordLastSet

# The domain mode, the default policy and the current date are the same for every user, so read them once
$dfl = (Get-ADDomain).DomainMode
$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

foreach ($user in $users)
{
    if ($user.PasswordExpired)
    {
        Write-Host $user.DisplayName " Password Has Already Expired"
    }
    elseif (-not $user.PasswordNeverExpires)
    {
        $passwordSetDate = $user.PasswordLastSet

        # PasswordLastSet is empty when the user must change the password at next logon,
        # so there is no expiry date to calculate
        if ($null -eq $passwordSetDate)
        {
            continue
        }

        # Fine-grained password policies exist from the Windows2008Domain mode onwards
        if ($dfl -ge "Windows2008Domain")
        {
            $accountFGPP = Get-ADUserResultantPasswordPolicy $user

            if ($null -ne $accountFGPP)
            {
                $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
            }
            else
            {
                $maxPasswordAgeTimeSpan = $defaultMaxPasswordAge
            }
        }
        else
        {
            $maxPasswordAgeTimeSpan = $defaultMaxPasswordAge
        }

        if ($null -eq $maxPasswordAgeTimeSpan -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0)
        {
            Write-Host "MaxPasswordAge is not set for the domain or is set to zero!"
        }
        else
        {
            $expireson = $passwordSetDate + $maxPasswordAgeTimeSpan

            # Subtracting two dates gives a TimeSpan; convert it to whole days
            # so it can be compared with the integer threshold
            $daystoexpire = [int][math]::Floor(($expireson - $today).TotalDays)

            if ($daystoexpire -lt $expireindays)
            {
                $emailaddress = $user.EmailAddress

                if ($null -ne $emailaddress)
                {
                    $subject = "Your password will expire in $daystoexpire days"
                    $body = "Your password will expire in $daystoexpire days"
                    Send-MailMessage -SmtpServer $smtpServer -From "support@yourdomain.com" -To $emailaddress -Subject $subject -Body $body -Priority High
                }
            }
        }
    }
}
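
An added example, not part of the original post: Active Directory also exposes the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already reflects any fine-grained password policy, so the expiry date does not have to be derived from PasswordLastSet and MaxPasswordAge by hand. The helper name Get-PasswordExpiryStatus and the sample values are constructed for illustration; the function classifies the raw attribute values, including the two special values that do not represent a date.

```powershell
# Added example. With the ActiveDirectory module the raw values would come from:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'
function Get-PasswordExpiryStatus {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [long]     $ExpiryTimeComputed,   # raw FILETIME value from AD
        [Parameter(Mandatory)] [datetime] $Now,
        [int] $WarnDays = 14                                      # same role as $expireindays
    )

    $status = 'Ok'
    $daysLeft = $null
    if ($ExpiryTimeComputed -eq [long]::MaxValue) {
        # Password never expires (account flag, or a policy without a maximum age)
        $status = 'NeverExpires'
    }
    elseif ($ExpiryTimeComputed -eq 0) {
        # pwdLastSet is empty: the user must change the password at next logon
        $status = 'MustChangeAtNextLogon'
    }
    else {
        $expiresOn = [datetime]::FromFileTimeUtc($ExpiryTimeComputed)
        # Whole days as an integer, so the threshold check compares int with int
        $daysLeft = [int][math]::Floor(($expiresOn - $Now.ToUniversalTime()).TotalDays)
        if ($daysLeft -lt 0)             { $status = 'Expired' }
        elseif ($daysLeft -lt $WarnDays) { $status = 'Notify' }
    }
    [pscustomobject]@{ Status = $status; DaysLeft = $daysLeft }
}

# Constructed sample values (not real directory data)
$now = [datetime]::UtcNow
$samples = @(
    [pscustomobject]@{ Name = 'alice'; Raw = $now.AddDays(5.5).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';   Raw = $now.AddDays(30).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'carol'; Raw = $now.AddDays(-1).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'svc';   Raw = [long]::MaxValue }
    [pscustomobject]@{ Name = 'new';   Raw = [long]0 }
)
foreach ($s in $samples) {
    $r = Get-PasswordExpiryStatus -ExpiryTimeComputed $s.Raw -Now $now
    '{0,-6} {1,-22} {2}' -f $s.Name, $r.Status, $r.DaysLeft
}
```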

Comments

  • Anonymous
    January 01, 2003
    Hello and thanks for the scripts. I see a few things wrong that are not working. In the subject and body you use the variable $expireIn, however that is not defined anywhere. Also the variable $daystoexpire returns days:hours:time: date. Your less-than statement will only work with whole numbers, for example 6 < 12. So to fix that I used this: $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expireson).TotalDays) instead of $daystoexpire = $expireson - $today. Let me know if I missed something.

  • Anonymous
    January 01, 2003
    Thanks for sharing.

  • Anonymous
    January 01, 2003
    Are you running this from a domain controller or a machine which has RSAT installed?

  • Anonymous
    April 10, 2012
    I'm having troubles with running this.  Can you provide some more detail?

  • Anonymous
    July 04, 2012
    Great script, thanks for contributing this.

  • Anonymous
    August 07, 2014
    Slight correction....

    $today = Get-Date
    $expireson = (get-aduser -identity $user -properties *).passwordlastset + (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $daystoexpire=[math]::round((New-TimeSpan -Start $($today) -End $expireson).TotalDays)

  • Anonymous
    August 07, 2014
    Moderator....can you delete my previous post...please. I had to tweak the fields. Now it works.

    $today = Get-Date
    $expireson = (get-aduser -identity $user -properties *).passwordlastset + (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $daystoexpire=[math]::round((New-TimeSpan $(get-date -month $($today).Month -day $($today).Day -year $($today).Year) $(get-date -month $($expireson).Month -day $($expireson).Day -year $($expireson).Year)).TotalDays)

    Thanks to http://technet.microsoft.com/en-us/library/ee176916.aspx