Email Users If Their Active Directory Password is set to Expire Soon – The Lazy Administrator

Directory

User E-Mail Address

E-Mail Format

SMTP

Sending E-Mail

Logging

Credential

The Script

In this article I will show you how PowerShell can automatically send an e-mail notification to end users when their Active Directory password is set to expire soon. I looked over several other similar scripts on TechNet but ended up writing one from scratch to incorporate several features I needed, as well as improve on the overall script flow.

Some of the requirements I needed to meet were as follows:

Get users email addresses from the Email Address value in Active Directory, if it’s empty look at the default address in the proxyaddresses attribute

Send E-mail to users with passwords that were expiring in 7 days or less

Include directions users can follow to reset their Active Directory password

Send E-mail with high priority

Get E-mail notification if sent or failed

Store the credential in a Cred object so it’s secure

Advanced logging on the script for troubleshooting

Send E-mail from Office 365

Set up the script as a scheduled task

One of the key pieces I wanted was to check the users proxyaddresses attribute for a default e-mail address if the E-mail entry in the users Active Directory properties was empty. Many scripts I found online only looked at the E-mail value, so if there was nothing there it would just fail instead of looking at other places. In a lot of environments I have seen that not all users had the E-mail value filled out, but had their default e-mail address and aliases in the proxyaddresses attribute. For Office 365, if you sync your Active Directory this is where it will get the default e-mail address, and any other proxy addresses for Exchange. The script will find the default value by looking at what’s in the proxyaddresses attribute and looking for the value with a capital “SMTP”.

In my e-mail I wanted to first greet the user by their Name. This isn’t hard as all we have to do is pass something like their DisplayName value to a variable and add that to the body. Second, I wanted to send the e-mail with high importance, this will show a red exclamation mark next to the e-mail. The subject of the email would tell the user how many days until their password is expired and lastly, if the user wanted to reach to our IT team it would have our contact information followed by our signature.

An e-mail notification would be sent back to the sending address on any failure or any success. This would include the actual e-mail that was sent to the user in an attachment, and the subject of the e-mail. If you have a password portal, on-premise exchange or Office 365 password write-back you could also include a link in the e-mail where users can click and reset their passwords.

Since my mail server is Office 365 I want to send mail authenticated, and use SSL. The user I am using to authenticate against the SMTP server must also either be the sending user, or have Send-As rights on the sending user. When the script runs it will search for its credential object, if the credential object is not there it will prompt you for credentials (its best to run this manually first to input and have it store the credentials before setting it up as a scheduled task). As we see in the Get-Credential message it reminds you that this account must be the sender, or have proper permissions.

How to Set The Administrator Password Using VB.NET http://bit.ly/a3FAdq

— Dany Bailey Sat Aug 21 12:34:03 +0000 2010

Sending E-Mail

There are two ways you can go about sending mail with PowerShell. You can use the System.Net.Mail Namespace or use the Send-MailMessage cmdlet. If you want to set this up as a scheduled task I recommend using the System.Net.Mail Namespace (which I use in the script), as you will run into issues trying to use Send-MailMessage unattended.

In the scriptblock below I am calling the Namespace, setting the From, SMTP Host, SSL, Credentials, To, Subject, Delivery Notifications, Priority and Body.

$SmtpClient = new-object system.net.mail.smtpClient$MailMessage = New-Object system.net.mail.mailmessage#Who is the e-mail sent from$mailmessage.From = $FromEmail#SMTP server to send email$SmtpClient.Host = $SMTPHost#SMTP SSL$SMTPClient.EnableSsl = $true#SMTP credentials$SMTPClient.Credentials = $cred#Send e-mail to the users email$mailmessage.To.add("$emailaddress")#Email subject$mailmessage.Subject = "Your password will expire $daystoexpire days"#Notification email on delivery / failure$MailMessage.DeliveryNotificationOptions = ("onSuccess", "onFailure")#Send e-mail with high priority$MailMessage.Priority = "High"$mailmessage.Body = ...

Using Write-Host and Try/Catch blocks I can log every step of the script and any running errors. The log will be saved at the same $DirPath location which I set at C:\Automation\PasswordExpiry.In this folder it will store the log as well as the credential object. Here is my log file:

If you run the script manually the shell will also display its progress to you.

The script will store your Office 365 / authentication credentials by using the Export-CLIXML cmdlet. This allows us to store away the entire System.Management.Automation.PSCredential Object as an XML file. the

Export-CliXml

cmdlet encrypts credential objects using the Windows standard Data Protection API. It’s always best to store credentials of a user with no administrative roles in your Office 365 / Mail environment.

#VARs#SMTP Host$SMTPHost = "smtp.office365.com"#Who is the e-mail from$FromEmail = "

[email protected]

"#Password expiry days$expireindays = 7#Program File Path$DirPath = "C:\Automation\PasswordExpiry"$Date = Get-Date#Check if program dir is present$DirPathCheck = Test-Path -Path $DirPathIf (!($DirPathCheck)){Try{#If not present then create the dirNew-Item -ItemType Directory $DirPath -Force}Catch{$_ | Out-File ($DirPath + "\" + "Log.txt") -Append}}#CredObj path$CredObj = ($DirPath + "\" + "EmailExpiry.cred")#Check if CredObj is present$CredObjCheck = Test-Path -Path $CredObjIf (!($CredObjCheck)){"$Date - INFO: creating cred object" | Out-File ($DirPath + "\" + "Log.txt") -Append#If not present get office 365 cred to save and store$Credential = Get-Credential -Message "Please enter your Office 365 credential that you will use to send e-mail from $FromEmail. If you are not using the account $FromEmail make sure this account has 'Send As' rights on $FromEmail."#Export cred obj$Credential | Export-CliXml -Path $CredObj}Write-Host "Importing Cred object..." -ForegroundColor Yellow$Cred = (Import-CliXml -Path $CredObj)# Get Users From AD who are Enabled, Passwords Expire and are Not Currently Expired"$Date - INFO: Importing AD Module" | Out-File ($DirPath + "\" + "Log.txt") -AppendImport-Module ActiveDirectory"$Date - INFO: Getting users" | Out-File ($DirPath + "\" + "Log.txt") -Append$users = Get-Aduser -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress -filter { (Enabled -eq 'True') -and (PasswordNeverExpires -eq 'False') } | Where-Object { $_.PasswordExpired -eq $False }$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge# Process Each User for Password Expiryforeach ($user in $users){$Name = (Get-ADUser $user | ForEach-Object { $_.Name })Write-Host "Working on $Name..." -ForegroundColor WhiteWrite-Host "Getting e-mail address for $Name..." -ForegroundColor Yellow$emailaddress = $user.emailaddressIf (!($emailaddress)){Write-Host "$Name has no E-Mail address listed, looking at their proxyaddresses attribute..." -ForegroundColor RedTry{$emailaddress = (Get-ADUser $user -Properties proxyaddresses | Select-Object -ExpandProperty proxyaddresses | Where-Object { $_ -cmatch '^SMTP' }).Trim("SMTP:")}Catch{$_ | Out-File ($DirPath + "\" + "Log.txt") -Append}If (!($emailaddress)){Write-Host "$Name has no email addresses to send an e-mail to!" -ForegroundColor Red#Don't continue on as we can't email $Null, but if there is an e-mail found it will email that address"$Date - WARNING: No email found for $Name" | Out-File ($DirPath + "\" + "Log.txt") -Append}}#Get Password last set date$passwordSetDate = (Get-ADUser $user -properties * | ForEach-Object { $_.PasswordLastSet })#Check for Fine Grained Passwords$PasswordPol = (Get-ADUserResultantPasswordPolicy $user)if (($PasswordPol) -ne $null){$maxPasswordAge = ($PasswordPol).MaxPasswordAge}$expireson = $passwordsetdate + $maxPasswordAge$today = (get-date)#Gets the count on how many days until the password expires and stores it in the $daystoexpire var$daystoexpire = (New-TimeSpan -Start $today -End $Expireson).DaysIf (($daystoexpire -ge "0") -and ($daystoexpire -lt $expireindays)){"$Date - INFO: Sending expiry notice email to $Name" | Out-File ($DirPath + "\" + "Log.txt") -AppendWrite-Host "Sending Password expiry email to $name" -ForegroundColor Yellow$SmtpClient = new-object system.net.mail.smtpClient$MailMessage = New-Object system.net.mail.mailmessage#Who is the e-mail sent from$mailmessage.From = $FromEmail#SMTP server to send email$SmtpClient.Host = $SMTPHost#SMTP SSL$SMTPClient.EnableSsl = $true#SMTP credentials$SMTPClient.Credentials = $cred#Send e-mail to the users email$mailmessage.To.add("$emailaddress")#Email subject$mailmessage.Subject = "Your password will expire $daystoexpire days"#Notification email on delivery / failure$MailMessage.DeliveryNotificationOptions = ("onSuccess", "onFailure")#Send e-mail with high priority$MailMessage.Priority = "High"$mailmessage.Body ="Dear $Name,Your Domain password will expire in $daystoexpire days. Please change it as soon as possible.To change your password, follow the method below:1. On your Windows computera.If you are not in the office, logon and connect to VPN. b.Log onto your computer as usual and make sure you are connected to the internet.c.Press Ctrl-Alt-Del and click on ""Change Password"".d.Fill in your old password and set a new password. See the password requirements below.e.Press OK to return to your desktop. The new password must meet the minimum requirements set forth in our corporate policies including:1.It must be at least 8 characters long.2.It must contain at least one character from 3 of the 4 following groups of characters:a. Uppercase letters (A-Z)b. Lowercase letters (a-z)c. Numbers (0-9)d. Symbols (

[email protected]

#$%^&*...)3.It cannot match any of your past 24 passwords.4.It cannot contain characters which match 3 or more consecutive characters of your username.5.You cannot change your password more often than once in a 24 hour period.If you have any questions please contact our Support team at

[email protected]

or call us at 555.555.5555Thanks,The Lazy Administrator

[email protected]

555.555.5555"Write-Host "Sending E-mail to $emailaddress..." -ForegroundColor GreenTry{$smtpclient.Send($mailmessage)}Catch{$_ | Out-File ($DirPath + "\" + "Log.txt") -Append}}Else{"$Date - INFO: Password for $Name not expiring for $daystoexpire days" | Out-File ($DirPath + "\" + "Log.txt") -AppendWrite-Host "Password for $Name does not expire for $daystoexpire days" -ForegroundColor White}}

Brad Wyatt

My name is Bradley Wyatt; I am a Microsoft Most Valuable Professional and I am currently a Manager DevOps Cloud Automation at

BDO Digital

in the Chicago area.