If
you have users in your Active Directory network in large numbers who logon in
their AD account rarely then it might be possible that they face password
expiration problem for their accounts. On the other hand there might be some
users who do not pay required attention on the pop-up messages that appear on
their Windows screen to remind about password expiration. Thus results, increase
in number of help desk phone calls, emails and tickets for resetting password.
Most
of the IT administrators do not much pleasure while resetting passwords as this
task involves lot of time and efforts of IT staff.
What
is the best way to minimize the possibility of password expiration? The answer
is, send an automatic email notification to users whose password is expiring
soon.
Now,
the question is…..how we can do this. This is can be achieve either by using
Power Shell script or by using any automated password expiration notification
software.
I found a PowerShell script on web to send password
expiry notification on http://www.itouthouse.com/2012/06/active-directory-password-expiration.html
blog. This script does well for sending notification to users whose password is
expiring in 14, 7, 3, 1 and 0 days. Import-Module ActiveDirectory
$maxdays=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody="Name `t ExpireDate `t DaysToExpire `n"
(Get-ADUser -filter {(mail -like "*@domain.com") -and (Enabled -eq "True") -and (PasswordNeverExpires -eq "False")} -properties *) | Sort-Object pwdLastSet |
foreach-object {
$lastset=Get-Date([System.DateTime]::FromFileTimeUtc($_.pwdLastSet))
$expires=$lastset.AddDays($maxdays).ToShortDateString()
$daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expires).TotalDays)
$samname=$_.samaccountname
$firstname=$_.GivenName
if (($daystoexpire -eq 14) -or ($daystoexpire -eq 7) -or ($daystoexpire -eq 3) -or ($daystoexpire -eq 1) -or ($daystoexpire -eq 0)) {
#if ($daystoexpire -le 14) {
$ThereAreExpiring=$true
# CONFIG: Enter from email address.
$emailFrom = "helpdesk@domain.com"
# CONFIG: Replace domain domain.com with your email domain. Do not change $samname.
$emailTo = "$samname@domain.com"
if ($daystoexpire -eq 0) {
# CONFIG: Enter text for subject and body of email notification for zero days remaining.
$subject = "$firstname, your password has expried!"
$body = "$firstname,
Your password has expired and you must change it immediately. No further email notifications will be sent.
Contact support at extension XXXX for assistance."
}
Else {
# CONFIG: Enter text for subject and body of email notification for 14, 7, 3, and 1 days remaining.
$subject = "$firstname, your password expires in $daystoexpire day(s)!"
$body = "$firstname,
Your password expires in $daystoexpire day(s).
If you are using a Windows computer, press Ctrl + Alt + Del the click Change password.
If you are using a Mac computer follow the instructions at http://sharepoint/Documentation to change your password.
"
}
# CONFIG: Enter your smtp server here.
$smtpServer = "email.domain.com"
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($emailFrom, $emailTo, $subject, $body)
$summarybody += "$samname `t $expires `t $daystoexpire `n"
}
elseif ($daystoexpire -lt 0) {
$ThereAreExpiring=$true
# Add a note to the report email, but don't notify user.
$summarybody += "$samname `t $expires `t $daystoexpire `n"
}
}
if ($ThereAreExpiring) {
# CONFIG: From address for report to Helpdesk/IT Admin staff.
$emailFrom = "helpdesk@domain.com"
# CONFIG: Address to send report email to (for Helpdesk/IT Admin staff.
$emailTo = "helpdesk@domain.com"
# CONFIG: Subject for report email.
$subject = "Expiring passwords"
$body = $summarybody
# CONFIG: SMTP Server.
$smtpServer = "email.domain.com"
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($emailFrom, $emailTo, $subject, $body)