Wish list:

I have some users with non expiring AD passwords or already expired AD passwords. These users still have access to email.
(The users with non-expiring passwords will be moved to expiring passwords after they have changed their password once.)

I'd like to send different emails to them for the two use cases to tell them what to do.

• User's password is set to non expiring and we want them to change their password anyway.
• User's password has already expired and is now 0 or a negative number

Please let me know your thoughts.

Thank you.

ex:

#TYPE System.Object
UserMessage UserName Name EmailAddress PasswordSet DaysToExpire ExpiresOn SendMail
Jane.Doe Jane Doe [email protected] 10/21/2015 4:09:25 PM -1549 4/18/2016 4:09:25 PM Skipped - Interval

Thanks for the great script!

Sorry If this is just me missing something obvious but I've noticed accounts that are used (in our case) for shared mailboxes and don't need to be logged into and therefore have probably expired are getting email notifications when I run this script.

I've attached a photo that shows their password dates, If I go into the AD user and set it to do not expire they disappear from the list but I've already configured a PSO that doesn't have any password age set that these users are part of so I thought this would get ignored by the script.

Am I missing something obvious here?

Ideally, I'd like to pull the email message portion of the script out and have it in a separate file. This would allow my management and coworkers to revise/modify the email message content and look more easily, without risking accidentally fouling up the script itself. Please let me know your thoughts on this.

Thank you.

I installed the script after testing, it works great when I run it manually from the powershell window myself. I'm using all the same parameters from my manual tests in the scheduled task properties. However, when I run it manually the script works as desired and users are notified via email according to the threshold I specify. From a scheduled task, the script runs, log file is created but the action for EVERYONE is "skipped" as if its not considering them in the threshold to be notified. And yet there are plenty of users who validly need to be notified. I have logs going back several days that all show the same thing, no email, only ever skipped. I cannot seem to figure out what is going on. The parameters I'm using to execute the script are:

powershell.exe-ExecutionPolicy Unrestricted -File "D:\Scripts\AD\PWEXP\PasswordChangeNotification.ps1" -smtpServer send.smtp.com -expireInDays 21 -from "IT Helpdesk [email protected]" -reportTo [email protected] -Logging -LogPath "D:\Scripts\AD\PWEXP\log" -interval 1,2,5,10,15

If I run this manually, as I mentioned everything works great, users get notified. But from the scheduled task, all I ever see in the logs are "skipped - interval" actions for every user in the list.

Hi everyone,
I'm using quite older version 1.4 of this script, where inside is variable $password so my password for email account is visible for everyone. Is any way to hide / code this variable?

thanks

Hi, I have a problem with the interval control.
On the local pc it works when instead I run it as a schedulated activity on a server the control fails and does not send any notification.
I tried to change the control but without success, what could it be?
This is the function I added for the range control:

function IsInWarningIntervals([int] $daysToExpire)
{
foreach( $item in $interval )
{
if ( $daysToExpire -eq $item -or $daysToExpire -eq [int]$item -or $daysToExpire.Equals($item) -or [System.String]::Equals($daysToExpire.ToString(), $item.ToString()) )
{
return $True
}
}
return $False
}


Thanks for your help

Hi @titlerequired , I'm one among many who utilize your wonderful effort. Here i come with my next requirement. :)

I have tried to use multiple recipients in -reportto like below, but it just sending report to first recipient only.

powershell.exe -command "C:\test\Script\PasswordChangeNotification\PasswordChangeNotification.ps1 -smtpServer smtp.org.com -expireInDays 21 -from 'IT [email protected]' -Logging -LogPath "c:\test\logFiles" -testing -testRecipient [email protected] -interval 14,7,1 -reportto [email protected]; [email protected];[email protected]"

Subject pretty much covers it, I would like to have a limit (can be a command line option or hard coded) of e-mails that are sent out while testing the script. 15 is the number my mind has settled on.

I don’t know much about powershell settings
Can you give me an example

#> param( # $smtpServer Enter Your SMTP Server Hostname or IP Address [Parameter(Mandatory=$True,Position=0)] [ValidateNotNull()] [string]$smtpServer, # Notify Users if Expiry Less than X Days [Parameter(Mandatory=$True,Position=1)] [ValidateNotNull()] [int]$expireInDays, # From Address, eg "IT Support <[email protected]>" [Parameter(Mandatory=$True,Position=2)] [ValidateNotNull()] [string]$from, [Parameter(Position=3)] [switch]$logging, # Log File Path [Parameter(Position=4)] [string]$logPath, # Testing Enabled [Parameter(Position=5)] [switch]$testing, # Test Recipient, eg [email protected] [Parameter(Position=6)] [string]$testRecipient, # Output more detailed status to console [Parameter(Position=7)] [switch]$status, # Log file recipient [Parameter(Position=8)] [string]$reportto, # Notification Interval [Parameter(Position=9)] [array]$interval )

I get an error message after I execute it

While I can certainly add links to the outgoing email. Is it possible to add attachments, such as a PDF document? (Some users have difficulty following links, authenticating to a site, and view the instructions on the site. So, an attached PDF may be best.)

Please let me know your thoughts.

thx.

Love this script. One question: can we have the email subtract a day from how many days are really left before the password expires? If the password expires in 6 days, I'd like the email to say 5 days. Users seem to like waiting until there is 1 day left, and we've had issues where their password had already expired. They get the email at 9am saying there is one days left...they wait until the afternoon...and by then the password has expired.

I hate to asking so much, but I must have something wrong with my implementation when using a group to define the evaluated users. The data in the report and the email actions taken are not accurate. I'm not sure why. However, my knowledge of Powershell is quite limited.

I have attached the script that I have customized to use with a group:
PasswordChangeNotification.ps1.txt

I have also attached the CSV report. (w/ names changed)
2020-7-16-PasswordLog.xlsx

Notice that the "DaysToExpire" and "ExipiresOnDate" are exactly the same for a number of users. That is not accurate. (like the data is bleeding over to more than one user in array.)

The only user that the data seems to be accurate for is the 1st one. (However the hour is off by 1 hour)

Please review and advise.

Thank you very much.

Per your group instructions, I use a group to define what users will be evaluated in the script (see below).

However, the group name ("PasswordChangeNotification" in this example) is hardcoded into the script.
Are you aware of a good way to pull the group name out as a variable and include it as part of the command line?

Command Line Example .BAT

@echo Off
powershell.exe -ExecutionPolicy Bypass -Command ".\PasswordChangeNotification.ps1 -smtpServer 1234domain.com -expireInDays 21 -from [email protected] -Logging -LogPath c:\Scripts\PasswordChangeNotification -reportTo [email protected] -interval 1,2,3,4,5,6,7,10,15"

Groups example

#Create Array to Store Users
$users = @()

#Create Array to Store Groups
#Additional groups can be added with a "," and another line.
$groups = @(
"PasswordChangeNotification"
)

Query Each Group Members

foreach ($group in $groups)
{
$members = Get-ADGroupMember $group
foreach ($member in $members)
{
$user = Get-ADUser $member -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress
$users += $user
}
}

$users | Select SamAccountName

When I run the script from PowerShell it works perfect and sends emails only to just those users that meet the -interval value I specify. When I run the same command with the same attributes and values in a Scheduled task however, it runs without errors and creates a log file and does email this, but does not send any emails for those that meet the -interval value and shows "Skipped - Interval" for all users in the log file.

In my scheduled task, running Powershell.exe the arguments I am using are:
-file "C:\xxx\xxx\PasswordChangeNotification.ps1" -smtpServer [email protected] -expireInDays 14 -from "Helpdesk [email protected]" -Logging -LogPath "C:\xxx\xxx\LogFiles" -reportTo [email protected] -interval 1,2,3,7,14

(private info has been replaced with "xxx")

Is it possible to have a CC of the notification email also sent to the person assigned as "manager"?

That way if the person ignores the warning messages and ends up not being able to work one day because they can't log in anymore, their manager will have known that they were getting the warning messages.

I looked at doing this myself but the manager attribute uses a DN and not sure how to extract the email address from that.

(By the way the script works great. It is very helpful) This may be outside of the scope of this script, but are you aware of a way to specify that the emails send via specific port number and/or via TLS or SSL? Ideally, since I use an external email provider (Google), I want to avoid sending the emails outside of our local network unencrypted. Please let me know your thoughts. Thank you.

WARNING: The command 'Send-MailMessage' is obsolete. This cmdlet does not guarantee secure connections to SMTP servers. While there is no immediate replacement available in PowerShell, we recommend you do not use Send-MailMessage at this time. See https://aka.ms/SendMailMessage for more information.
The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated

I have tried modifying the send-mailmessage line as follows but still get the error.
Send-Mailmessage -smtpServer $smtpServer -Credential (Get-Credential) -UseSsl -from $from -to $emailaddress -subject $subject -body $body -bodyasHTML -priority High -Encoding

Hi @titlerequired,

I have been trying to add information in $body of the mail about Password Expiration Date/Time, But i end up in different errors. I have tried using(Highlighted parameter and Variable),

$users=get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, msDS-UserPasswordExpiryTimeComputed, EmailAddress |
Select-Object -Property Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},EmailAddress | where { $_.passwordexpired -eq $false }

and

Write-Output "Process User Objects"
foreach ($user in $users)
{
# Store User information

$Name = $user.Name
$emailaddress = $user.emailaddress
$passwordSetDate = $user.PasswordLastSet
$samAccountName = $user.SamAccountName
$pwdLastSet = $user.PasswordLastSet

--> $passwordExpiryDate=$user.ExpiryDate

But getting this error.

thank you for your scripts.
I have the question about UserMessage over > 1 day with ExpireOn
UserMessage = 31 days
ExpireOn = 30
It sent email to users with warning more 1 than actual ExpireOn .
How can make it same with ExpireOn value.
thank you again.

Hi,

we are running the script for years and everything was fine so far. Suddenly around the 25 of October (daylight saving change), users get expiration mails, although its not expiring. The logging says:

Mail delivered on: Sent: Sunday, October 25, 2020 7:25 AM

Script is running with: -expireInDays 21

_"user","user1 display","[email protected]","10/15/2020 6:56:58 AM","-10","10/15/2020 6:56:58 AM","OK"

Password last set 10/15/2020 5:56:58 AM
Password expires 1/13/2021 5:56:58 AM
Password changeable 10/15/2020 5:56:58 AM_

Any advice would be welcome,
Thanks