Password expiry notification script in AD
Most companies set a maximum password age in their user password policy for better security. But the main complaint from users is that they are not aware of the upcoming password expiry: although there is a notification pop-up at system login and in the Exchange OWA login, users usually ignore it or fail to notice it.
I have also suffered from exactly the same issue in my work environment.
After a lot of research I found a useful script that notifies end users about their AD/mail password expiry.
The script also sends a report of whose passwords are going to expire today to the defined mail addresses.
Working
The script fetches the user list from AD and checks whether each user's password is going to expire in x days (we can of course define the values). Users with the "password never expires" option checked are skipped; the notification mail is sent to the rest of the users.
Script
Please go through the script; there are some values that have to be edited:
· Notification intervals.
· Notification mail subject and body.
· SMTP server configuration.
· Password expiry report recipient mail ids.
***********************************************************************
Import-Module ActiveDirectory

# Maximum password age from the default domain policy. Note: accounts covered by a
# fine-grained password policy (PSO) may have a different MaxPasswordAge.
$maxdays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody = "Name `t ExpireDate `t DaysToExpire `n"
$ThereAreExpiring = $false

# CONFIG: Enter from email address.
$emailFrom = "something@domain.com"
# CONFIG: SMTP server used to send the notifications and the report.
$smtpServer = "smtp.domain.com"
# CONFIG: Recipient(s) of the daily password expiry report.
$reportTo = "itsupport@domain.com"

# Enabled users with a mailbox whose password is subject to expiry.
(Get-ADUser -Filter {(mail -like "*@domain.com") -and (Enabled -eq "True") -and (PasswordNeverExpires -eq "False")} -Properties pwdLastSet, mail, GivenName) |
  Sort-Object pwdLastSet |
  ForEach-Object {
    # pwdLastSet is a FILETIME in UTC; convert it to a local DateTime.
    $lastset = [System.DateTime]::FromFileTimeUtc($_.pwdLastSet).ToLocalTime()
    # Keep the expiry as a DateTime for the arithmetic; format it only for display.
    $expires = $lastset.AddDays($maxdays)
    $daystoexpire = [math]::Round((New-TimeSpan -Start (Get-Date) -End $expires).TotalDays)
    $samname = $_.SamAccountName
    $firstname = $_.GivenName

    # CONFIG: Notification intervals. Notify 10, 5 and 1 day(s) before expiry and on the day it expires.
    if ($daystoexpire -in 10, 5, 1, 0) {
        #if ($daystoexpire -le 43) {
        $ThereAreExpiring = $true
        # CONFIG: Replace domain.com with your email domain. Do not change $samname.
        $emailTo = "$samname@domain.com"
        if ($daystoexpire -eq 0) {
            # CONFIG: Enter text for subject and body of email notification for zero days remaining.
            $subject = "Your password has expired!"
            $body = @"
$firstname,
Your password has expired and you must change it immediately. No further email notifications will be sent.
Contact IT support Mobile: +xxxxx | for assistance.
"@
        }
        else {
            # CONFIG: Enter text for subject and body of email notification for 10, 5 and 1 days remaining.
            $subject = "Your Email password will expire in $daystoexpire day(s)!"
            $body = @"
Hi $firstname,
Your password for the Mail/AD account will expire in $daystoexpire day(s).
Please reset your password from ..., account settings.
Password guidelines are as follows.
- At least eight characters.
- Changed every 45 days.
- Don't use the last 3 passwords.
Your new password must contain characters from three of the following four types:
- At least one uppercase alphabetic letter
- At least one lowercase alphabetic letter
- At least one number, 0 through 9
- At least one special, nonalphanumeric character, such as !, $, # and %
"@
        }
        Send-MailMessage -From $emailFrom -To $emailTo -Subject $subject -Body $body -SmtpServer $smtpServer
        # Add the user to the report that goes to the defined recipients.
        $summarybody += "$samname `t $($expires.ToShortDateString()) `t $daystoexpire `n"
    }
  }

# Send the expiry report only when at least one password is about to expire.
if ($ThereAreExpiring) {
    Send-MailMessage -From $emailFrom -To $reportTo -Subject "Password expiry report" -Body $summarybody -SmtpServer $smtpServer
}
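As an added example (not code from the original post), here is the same user selection built on the per-account attribute msDS-UserPasswordExpiryTimeComputed, which goes beyond the script above by also handling fine-grained password policies, accounts that must change their password at next logon (attribute value 0) and accounts whose password never expires (attribute value 0x7FFFFFFFFFFFFFFF). The domain.com placeholder and the 10/5/1/0-day intervals are taken from the post; the function names and parameter defaults are my own assumptions.

```powershell
# Added example; the helper names and defaults are assumptions, not from the post.
Import-Module ActiveDirectory

function Get-DaysToPasswordExpiry {
    param(
        [Parameter(Mandatory)][Int64]$ExpiryFileTime,  # msDS-UserPasswordExpiryTimeComputed
        [datetime]$Now = (Get-Date)
    )
    if ($ExpiryFileTime -eq [Int64]::MaxValue) { return $null }  # password never expires
    if ($ExpiryFileTime -le 0)                 { return 0 }      # must change at next logon
    $expires = [datetime]::FromFileTimeUtc($ExpiryFileTime).ToLocalTime()
    # Whole days remaining; a negative value means the password has already expired.
    return [int][math]::Floor(($expires - $Now).TotalDays)
}

function Get-UsersToNotify {
    param(
        [string]$MailDomain = 'domain.com',   # assumption: same placeholder domain as the post
        [int[]]$NotifyAt    = @(10, 5, 1, 0)  # same notification intervals as the post's script
    )
    $attr = 'msDS-UserPasswordExpiryTimeComputed'
    # No PasswordNeverExpires clause is needed: the DC reports those accounts as Int64.MaxValue.
    Get-ADUser -Filter "mail -like '*@$MailDomain' -and Enabled -eq 'True'" -Properties mail, GivenName, $attr |
        ForEach-Object {
            if ($null -eq $_.$attr) { return }   # attribute not returned: nothing to compute
            $days = Get-DaysToPasswordExpiry -ExpiryFileTime $_.$attr
            # $null means the password never expires (flag or PSO without a maximum age): skip.
            if ($null -ne $days -and $days -in $NotifyAt) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    GivenName      = $_.GivenName
                    Mail           = $_.mail
                    DaysToExpire   = $days
                }
            }
        }
}

# Example run: each object can feed the same Send-MailMessage call the post's script uses.
Get-UsersToNotify | Format-Table -AutoSize
```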
Usage
We can schedule the PowerShell script with Windows Task Scheduler and trigger it every day, preferably early in the morning, so that the users get the notification daily.
For scheduling you can use a starter batch file that points to the PowerShell script, something like this:
powershell.exe -NoProfile -File D:\script\notify.ps1
Hope this tutorial helps you a little bit in your task, and thanks for reading.