Active Directory Password Expiration Email Notification

This is a PowerShell script that will send an email notification to Active Directory users when their password will expire in 14, 7, 3, 1, and Zero days. Administrators/helpdesk also get a daily report of passwords that are expired and the users who got an email reminder, a great heads up for your helpdesk.

The script generates a different message when there are zero days remaining (password is expired and must be changed today) and won’t continue to notify users when there are less than zero days remaining. Negitive dedlines are used for some account options such as the passwords must be changed at next logon account flag, and you don’t want to fill up a user’s mailbox when they can’t access their mail before changing their password anyway.

To setup the script, search for the “# CONFIG:” strings and edit the following line as documented, then set it up on a server as a daily scheduled task.

Active Directory Password Expiration Email Notification Script

Import-Module ActiveDirectory

$maxdays=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody=”Name `t ExpireDate `t DaysToExpire `n”

(Get-ADUser -filter {(mail -like “*@domain.com”) -and (Enabled -eq “True”) -and (PasswordNeverExpires -eq “False”)} -properties *) | Sort-Object pwdLastSet |
foreach-object {

    $lastset=Get-Date([System.DateTime]::FromFileTimeUtc($_.pwdLastSet))
    $expires=$lastset.AddDays($maxdays).ToShortDateString()
    $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expires).TotalDays)
    $samname=$_.samaccountname
    $firstname=$_.GivenName
    if (($daystoexpire -eq 14) -or ($daystoexpire -eq 7) -or ($daystoexpire -eq 3) -or ($daystoexpire -eq 1) -or ($daystoexpire -eq 0)) {
    #if ($daystoexpire -le 14) {
        $ThereAreExpiring=$true
        
         # CONFIG: Enter from email address.
        $emailFrom = “helpdesk@domain.com”
        # CONFIG: Replace domain domain.com with your email domain. Do not change $samname.
        $emailTo = “$samname@domain.com”
        if ($daystoexpire -eq 0) {
        # CONFIG: Enter text for subject and body of email notification for zero days remaining.
            $subject = “$firstname, your password has expried!”
            $body = “$firstname,
Your password has expired and you must change it immediately. No further email notifications will be sent.

Contact support at extension XXXX for assistance.”
        }
        Else {
        # CONFIG: Enter text for subject and body of email notification for 14, 7, 3, and 1 days remaining. 
            $subject = “$firstname, your password expires in $daystoexpire day(s)!”
            $body = “$firstname,
Your password expires in $daystoexpire day(s).

If you are using a Windows computer, press Ctrl + Alt + Del the click Change password.

If you are using a Mac computer follow the instructions at http://sharepoint/Documentation to change your password.

        }
        # CONFIG: Enter your smtp server here.
        $smtpServer = “email.domain.com”
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        $smtp.Send($emailFrom, $emailTo, $subject, $body)   
       
        $summarybody += “$samname `t $expires `t $daystoexpire `n”
    }
    elseif ($daystoexpire -lt 0) {
        $ThereAreExpiring=$true
        # Add a note to the report email, but don’t notify user.
        $summarybody += “$samname `t $expires `t $daystoexpire `n”
    }
}
if ($ThereAreExpiring) {
    # CONFIG: From address for report to Helpdesk/IT Admin staff.
    $emailFrom = “helpdesk@domain.com”
    # CONFIG: Address to send report email to (for Helpdesk/IT Admin staff.
    $emailTo = “helpdesk@domain.com”
    # CONFIG: Subject for report email.
    $subject = “Expiring passwords”
    $body = $summarybody
    # CONFIG: SMTP Server.
    $smtpServer = “email.domain.com”
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $body)
}

10 thoughts on “Active Directory Password Expiration Email Notification

  1. Hi, Sorry English is my third language… Sorry for the following mess…Here is my 3 questions 1. Do I need to change de @domain.com form my domain name in this row (Get-ADUser -filter {(mail -like \”*@domain.com\”)2. On wich server I need to server I need to run this script.and finaly3. How can I revert this scriptRegard'sJack

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s