Parallel Universe - MS Tech Blog

The ramblings of a PFE

PowerShell: Scan AD, find users whose passwords are close to expiring and email them!


I was asked for this as an interim step for a customer who needs to save money!

Hopefully at some point they will have the money to buy an identity management system etc., but hey, sometimes we have to solve these particular needs.

Here is the code nonetheless:

##################################################################################################################
# Please configure the following variables....
$smtpServer="smtpServerName"
$expireindays = 14
###################################################################################################################

# Get users from AD who are enabled (only the properties the script reads)
Import-Module ActiveDirectory
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, EmailAddress, PasswordExpired, PasswordNeverExpires, PasswordLastSet

# Domain-wide values do not change per user, so query them once
$dfl = (Get-ADDomain).DomainMode
$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

foreach ($user in $users)
{
 if ($user.PasswordExpired)
 {
  Write-Host $user.DisplayName " Password Has Already Expired"
 }
 elseif (-not $user.PasswordNeverExpires -and $user.PasswordLastSet)
 {
  # PasswordLastSet is empty when the user must change password at next logon; those accounts are skipped
  $passwordSetDate = $user.PasswordLastSet
  $maxPasswordAgeTimeSpan = $defaultMaxPasswordAge

  # Fine-grained password policies exist from the Windows Server 2008 domain functional level upwards
  if ($dfl -ne "Windows2000Domain" -and $dfl -ne "Windows2003InterimDomain" -and $dfl -ne "Windows2003Domain")
  {
   $accountFGPP = Get-ADUserResultantPasswordPolicy $user
   if ($accountFGPP -ne $null)
   {
    $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
   }
  }

  if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0)
  {
   Write-Host "MaxPasswordAge is not set for the domain or is set to zero!"
  }
  else
  {
   $expireson = $passwordSetDate + $maxPasswordAgeTimeSpan
   # Whole days left; the raw subtraction yields a TimeSpan, which does not compare correctly with $expireindays
   $daystoexpire = [math]::Round((New-TimeSpan -Start $today -End $expireson).TotalDays)

   if ($daystoexpire -lt $expireindays)
   {
    $emailaddress = $user.EmailAddress
    if ($emailaddress)
    {
     $subject = "Your password will expire in $daystoexpire days"
     $body = "Your password will expire in $daystoexpire days"
     Send-MailMessage -SmtpServer $smtpServer -From support@yourdomain.com -To $emailaddress -Subject $subject -Body $body -Priority High
    }
   }
  }
 }
}
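
An added example, not part of the original post: the days-remaining calculation can also be driven by the msDS-UserPasswordExpiryTimeComputed attribute, which Active Directory computes per user with any fine-grained password policy already applied. The function name Get-PasswordDaysRemaining and the sample accounts are constructed for illustration, so the block runs without a domain.

```powershell
# Added example: whole-day expiry math from msDS-UserPasswordExpiryTimeComputed.
# Get-PasswordDaysRemaining is a hypothetical helper, not an ActiveDirectory cmdlet.
function Get-PasswordDaysRemaining
{
    param(
        [Parameter(Mandatory = $true)] [long] $ExpiryFileTime,
        [datetime] $Today = (Get-Date)
    )
    # 0 = password must be changed at next logon; Int64.MaxValue = password never expires.
    # Neither is a real date, and FromFileTime() throws on Int64.MaxValue.
    if ($ExpiryFileTime -le 0 -or $ExpiryFileTime -eq [long]::MaxValue) { return $null }

    $expiresOn = [datetime]::FromFileTime($ExpiryFileTime)
    # Compare calendar dates so the result is a whole number, not a TimeSpan.
    return [int][math]::Round(($expiresOn.Date - $Today.Date).TotalDays)
}

# Constructed sample accounts. Against a real domain the values would come from:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'
$today = Get-Date '2024-03-01 09:00'
$sample = @(
    [pscustomobject]@{ Name = 'alice';   Expiry = (Get-Date '2024-03-06 17:30').ToFileTime() }
    [pscustomobject]@{ Name = 'bob';     Expiry = (Get-Date '2024-05-20 08:00').ToFileTime() }
    [pscustomobject]@{ Name = 'svc-app'; Expiry = [long]::MaxValue }   # never expires
    [pscustomobject]@{ Name = 'newhire'; Expiry = 0 }                  # must change at next logon
)

$expireInDays = 14
$toNotify = foreach ($u in $sample)
{
    $days = Get-PasswordDaysRemaining -ExpiryFileTime $u.Expiry -Today $today
    # Integer-to-integer comparison; accounts with no real expiry date return $null and are skipped.
    if ($null -ne $days -and $days -ge 0 -and $days -lt $expireInDays)
    {
        [pscustomobject]@{ Name = $u.Name; DaysLeft = $days }
    }
}

$toNotify | Format-Table -AutoSize
```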


Comments
  • I'm having troubles with running this.  Can you provide some more detail?

  • Are you running this from a domain controller or a machine which has RSAT installed?

  • Great script, thanks for contributing this.

  • Hello and thanks for the scripts. I see a few things wrong that are not working. In the subject and body you use the variable $expireIn, however that is not defined anywhere. Also the variable $daystoexpire returns days:hours:time: date. Your less than statement will only work with whole numbers, for example 6 < 12. So to fix that I used this: $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expireson).TotalDays) instead of $daystoexpire = $expireson - $today

    Let me know if I missed something.

  • Slight correction....

    $today = Get-Date
    $expireson = (get-aduser -identity $user -properties *).passwordlastset + (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $daystoexpire=[math]::round((New-TimeSpan -Start $($today) -End $expireson).TotalDays)

  • Moderator....can you delete my previous post...please. I had to tweak the fields. Now it works.

    $today = Get-Date
    $expireson = (get-aduser -identity $user -properties *).passwordlastset + (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $daystoexpire=[math]::round((New-TimeSpan $(get-date -month $($today).Month -day $($today).Day -year $($today).Year) $(get-date -month $($expireson).Month -day $($expireson).Day -year $($expireson).Year)).TotalDays)

    Thanks to http://technet.microsoft.com/en-us/library/ee176916.aspx

  • Thanks for sharing.
