Thursday 28 August 2014

PowerShell Script for Password Expiration Notification


If you have users in your Active Directory network in large numbers who logon in their AD account rarely then it might be possible that they face password expiration problem for their accounts. On the other hand there might be some users who do not pay required attention on the pop-up messages that appear on their Windows screen to remind about password expiration. Thus results, increase in number of help desk phone calls, emails and tickets for resetting password. 

Most of the IT administrators do not much pleasure while resetting passwords as this task involves lot of time and efforts of IT staff.

What is the best way to minimize the possibility of password expiration? The answer is, send an automatic email notification to users whose password is expiring soon.

Now, the question is…..how we can do this. This is can be achieve either by using Power Shell script or by using any automated password expiration notification software.
I found a PowerShell script on web to send password expiry notification on http://www.itouthouse.com/2012/06/active-directory-password-expiration.html blog. This script does well for sending notification to users whose password is expiring in 14, 7, 3, 1 and 0 days. 


Import-Module ActiveDirectory

$maxdays=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody="Name `t ExpireDate `t DaysToExpire `n"

(Get-ADUser -filter {(mail -like "*@domain.com") -and (Enabled -eq "True") -and (PasswordNeverExpires -eq "False")} -properties *) | Sort-Object pwdLastSet |
foreach-object {

    $lastset=Get-Date([System.DateTime]::FromFileTimeUtc($_.pwdLastSet))
    $expires=$lastset.AddDays($maxdays).ToShortDateString()
    $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expires).TotalDays)
    $samname=$_.samaccountname
    $firstname=$_.GivenName
    if (($daystoexpire -eq 14) -or ($daystoexpire -eq 7) -or ($daystoexpire -eq 3) -or ($daystoexpire -eq 1) -or ($daystoexpire -eq 0)) {
    #if ($daystoexpire -le 14) {
        $ThereAreExpiring=$true
        
         # CONFIG: Enter from email address.
        $emailFrom = "helpdesk@domain.com"
        # CONFIG: Replace domain domain.com with your email domain. Do not change $samname.
        $emailTo = "$samname@domain.com"
        if ($daystoexpire -eq 0) {
        # CONFIG: Enter text for subject and body of email notification for zero days remaining.
            $subject = "$firstname, your password has expried!"
            $body = "$firstname,
Your password has expired and you must change it immediately. No further email notifications will be sent.

Contact support at extension XXXX for assistance."
        }
        Else {
        # CONFIG: Enter text for subject and body of email notification for 14, 7, 3, and 1 days remaining. 
            $subject = "$firstname, your password expires in $daystoexpire day(s)!"
            $body = "$firstname,
Your password expires in $daystoexpire day(s).

If you are using a Windows computer, press Ctrl + Alt + Del the click Change password.

If you are using a Mac computer follow the instructions at http://sharepoint/Documentation to change your password.
"
        }
        # CONFIG: Enter your smtp server here.
        $smtpServer = "email.domain.com"
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        $smtp.Send($emailFrom, $emailTo, $subject, $body)   
       
        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
    elseif ($daystoexpire -lt 0) {
        $ThereAreExpiring=$true
        # Add a note to the report email, but don't notify user.
        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
}
if ($ThereAreExpiring) {
    # CONFIG: From address for report to Helpdesk/IT Admin staff.
    $emailFrom = "helpdesk@domain.com"
    # CONFIG: Address to send report email to (for Helpdesk/IT Admin staff.
    $emailTo = "helpdesk@domain.com"
    # CONFIG: Subject for report email.
    $subject = "Expiring passwords"
    $body = $summarybody
    # CONFIG: SMTP Server.
    $smtpServer = "email.domain.com"
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $body)

Friday 2 May 2014

How to get password expiration notification before expiration date

Password expiration issues are more important than what they might appear at the first glance. IT Helpdesk, in a medium to large size organization, end up getting tens of password resetting requests from end users due to expired passwords every day. These issues not only lead to wastage of time at users end but also for IT Helpdesk staff. Windows has its way of reminding users about their soon-to-expire password when they do interactive logon.