We all have that set of users who either mainly use a mobile device for email access or use a client running an operating system other than Microsoft Windows as their main workstation.

Those users don’t get the friendly reminder to change their password that comes with logging on to a Windows OS close to their domain password expiration date, and this usually ends up with passwords expiring and phone calls to the IT Helpdesk to change them.

Wouldn’t it be much simpler if that group of users were emailed near to the time of password expiration, allowing the user to log on to OWA and change their password in their own time, negating the need for calls to the IT Helpdesk? In an attempt to reduce some of those calls to our own IT Helpdesk I wrote a PowerShell script to email members of a security group every day when their domain password was due to expire in 10 days or less.

Thanks to @AdamFowler_IT for a good bit of the code. See his post here.


#################################################
# Please configure the following variables...
# expireindays1 + 2 = At what count of days left on a password do you want a notification?
$smtpServer = "mail.org.ie"
$expireindays1 = 10
$expireindays2 = 1
$from = "ITHelpdesk@org.ie"
#################################################
cls
Import-Module ActiveDirectory

# Get the SamAccountName of every user object in the "Mobile Users" group.
# -ExpandProperty returns plain strings, so no temporary file or header trimming is needed.
$GroupMembers = Get-ADGroupMember -Server domain.org.ie "Mobile Users" |
    Where-Object { $_.objectClass -eq "user" } |
    Select-Object -ExpandProperty SamAccountName

foreach ($user in $GroupMembers)
{
    # Query the account once and request only the attributes used below
    $Name = Get-ADUser -Server domain.org.ie $user -Properties PasswordLastSet, EmailAddress, GivenName
    $passwordSetDate = $Name.PasswordLastSet

    if ($passwordSetDate -ne $null)
    {
        $emailaddress = $Name.EmailAddress
        $givenname = $Name.GivenName
        $PasswordPol = (Get-ADUserResultantPasswordPolicy -Server domain.org.ie $Name)

        # Check for Fine Grained Password policy, otherwise use the domain default
        if (($PasswordPol) -ne $null)
        {
            $maxPasswordAge = ($PasswordPol).MaxPasswordAge
        }
        else
        {
            $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -Server domain.org.ie).MaxPasswordAge
        }

        $expireson = $passwordSetDate + $maxPasswordAge
        $today = (Get-Date)
        $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days

        # The mail is sent with -BodyAsHtml, so line breaks are written as <br>
        if ($daystoexpire -le 0)
        {
            $subject = "IT Helpdesk Notification - Your domain password has expired"
            $body = "
Dear $givenname,<br>
<br>
Your domain account password has expired.<br>
To change your password please contact the
IT Helpdesk.<br>
<br>
Regards,<br>
<br>
IT Helpdesk
"
        }
        else
        {
            $subject = "IT Helpdesk Notification - Your domain password will expire in $daystoexpire days"
            $body = "
Dear $givenname,<br>
<br>
Your domain account password will expire in $daystoexpire day(s).<br>
To change your password please logon to OWA and choose OPTIONS and CHANGE PASSWORD.<br>
<br>
Regards,<br>
<br>
IT Helpdesk
"
        }

        # Only notify when the password is within the configured warning window
        if ($daystoexpire -le $expireindays1)
        {
            Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Cc "ithelpdesk@org.ie" -Subject $subject -Body $body -BodyAsHtml -Priority High
        }
    }
    else
    {
        Write-Warning "Last Password Set is null for $user"
    }
}
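Active Directory also exposes the expiry time directly in the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for fine-grained policies and for accounts whose password never expires. The following is an added example, not part of the original script: Get-PasswordNotice is a hypothetical helper name, and the sample rows are constructed so the decision logic can be run without a domain controller.

```powershell
# Added example: classify one account from its raw msDS-UserPasswordExpiryTimeComputed value.
# Get-PasswordNotice is a hypothetical helper; all sample data below is constructed.
function Get-PasswordNotice {
    param(
        [string]$SamAccountName,
        [string]$EmailAddress,
        [Int64]$ExpiryFileTime,        # raw msDS-UserPasswordExpiryTimeComputed
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 10
    )
    $action = 'None'; $days = $null
    if ($ExpiryFileTime -eq [Int64]::MaxValue) {
        # Password never expires; FromFileTime() would throw on this value
        $action = 'SkipNeverExpires'
    }
    elseif ($ExpiryFileTime -le 0) {
        # pwdLastSet is 0 or unset (the script above writes a warning for this case)
        $action = 'WarnNoPasswordSet'
    }
    else {
        $expiresOn = [datetime]::FromFileTime($ExpiryFileTime)
        $days = [math]::Floor(($expiresOn - $Now).TotalDays)
        if ($days -lt 0)             { $action = 'NotifyExpired' }
        elseif ($days -le $WarnDays) { $action = 'NotifyExpiring' }
    }
    # No mail attribute: report it instead of letting Send-MailMessage fail
    if ($action -like 'Notify*' -and [string]::IsNullOrWhiteSpace($EmailAddress)) {
        $action = 'SkipNoEmail'
    }
    [pscustomobject]@{ User = $SamAccountName; DaysLeft = $days; Action = $action }
}

# Constructed rows standing in for the output of:
#   Get-ADUser ... -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'
$now = Get-Date '2014-08-14T09:00:00'
$samples = @(
    @{ SamAccountName = 'alice'; EmailAddress = 'alice@org.ie'; ExpiryFileTime = $now.AddDays(3).ToFileTime() }
    @{ SamAccountName = 'bob';   EmailAddress = 'bob@org.ie';   ExpiryFileTime = $now.AddDays(45).ToFileTime() }
    @{ SamAccountName = 'svc';   EmailAddress = '';             ExpiryFileTime = [Int64]::MaxValue }
    @{ SamAccountName = 'carol'; EmailAddress = '';             ExpiryFileTime = $now.AddDays(-2).ToFileTime() }
    @{ SamAccountName = 'dave';  EmailAddress = 'dave@org.ie';  ExpiryFileTime = 0 }
)
foreach ($s in $samples) { Get-PasswordNotice @s -Now $now }
```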

Recently I had to write a script that would output a log file. As this script was going to be run on a schedule and the logs dumped to a directory, I needed to make sure that each log would have a unique name.

To achieve this I created a $timestamp variable that I’d append to the end of the filename.

$timestamp = Get-Date -Format o | foreach {$_ -replace ":", "."}
$LogName = "AdminLog_$timestamp.log"

The end result is a filename called AdminLog_2014-08-13T22.45.28.9777185+01.00.log

Hope this might be of use to someone.

S

Quick update: Julian Siara (https://twitter.com/yula_ro) suggested the use of -Format u instead of -Format o so the filename is more readable. Must say I agree.

Code changed to:
$timestamp = Get-Date -Format u | foreach {$_ -replace ":", "."}
$timestamp = $timestamp | foreach {$_ -replace " ", "_"}
$LogName = "AdminLog_$timestamp.log"

This will now give the filename of AdminLog_2014-08-14_10.50.28Z.log