
Password Expire Notification Using PowerShell

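# Script settings. Plain ASCII quotes are used so the values parse the same
# whatever encoding the file is saved in.
$smtpServer = "mail.abc.com"
$expireindays = 14 # Users are mailed when their password expires in fewer than this many days
$from = "Password.Expire@ABC.com"
$bccemailaddress = "Windows.admin@ABC.COM" # Blind-copied on every notification that is sent
$logging = "Disabled" # Set to Disabled to Disable Logging
$logFile = "" # ie. c:\mylog.csv
$testing = "Disabled" # Set to Disabled to Email Users
$testRecipient = "windows.admin@abc.com" # Receives the mail when testing is Enabled or a user has no email address
# NOTE(review): this link goes into every reminder over plain HTTP and with a
# short host name. Mail that asks users to follow a password link is a common
# phishing lure, so prefer an HTTPS URL on a host name users can recognise.
$resetlink = "http://itservicedesk:7001/home"
$webmail = "https://webad.abc.com/rdweb"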
#
###################################################################################################################

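# Relax the execution policy for this PowerShell process only. Without -Scope
# the setting is written machine-wide and stays in force after the script ends,
# so the host running this task would accept any unsigned script from then on.
# A policy set here cannot authorise this script's own start: the caller must
# already permit it, for example
#   powershell.exe -ExecutionPolicy RemoteSigned -File <path to this script>
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force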

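# Check Logging Settings
# When logging is Enabled, make sure the CSV log exists and starts with the
# header row that the per-user log lines follow.
if ($logging -eq "Enabled")
{
    if ([string]::IsNullOrEmpty($logFile))
    {
        # Test-Path and New-Item both fail on an empty path; turn logging off
        # with a warning so the reminders are still sent.
        Write-Warning "Logging is Enabled but no log file path is set; logging has been turned off for this run."
        $logging = "Disabled"
    }
    elseif (-not (Test-Path -LiteralPath $logFile))
    {
        # Create CSV File and Headers
        # NOTE(review): the log holds user names and email addresses; keep it
        # in a folder that only administrators can read.
        New-Item -Path $logFile -ItemType File | Out-Null
        Add-Content -LiteralPath $logFile -Value "Date,Name,EmailAddress,DaystoExpire,ExpiresOn,Notified"
    }
} # End Logging Check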


# System Settings
# $date stamps each log line (day, month, year with no separators);
# $textEncoding is the encoding handed to Send-MailMessage.
$date = (Get-Date).ToString("ddMMyyyy")
$textEncoding = [System.Text.Encoding]::UTF8
# End System Settings

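# Get Users From AD who are Enabled, Passwords Expire and are Not Currently Expired
Import-Module ActiveDirectory
# Enabled and PasswordNeverExpires are tested by the directory server, so only
# candidate accounts come back instead of every user object in the domain.
# PasswordExpired is still checked on the client.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress |
    Where-Object { $_.PasswordExpired -eq $false }
# Domain-wide maximum password age, used for users with no fine-grained policy.
# (The original queried this twice; one lookup is enough.)
$DefaultmaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge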

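# Process Each User for Password Expiry
# For every account in $users: work out the expiry date from PasswordLastSet
# and the applicable maximum password age, build the reminder mail, and send it
# when the password expires in fewer than $expireindays days. Every user is
# written to the CSV log when logging is Enabled.
foreach ($user in $users)
{
    $Name = $user.GivenName
    $emailaddress = $user.emailaddress
    $passwordSetDate = $user.PasswordLastSet
    $PasswordPol = (Get-AduserResultantPasswordPolicy $user)
    $sent = "" # Reset Sent Flag

    # Check for Fine Grained Password
    if ($null -ne $PasswordPol)
    {
        $maxPasswordAge = ($PasswordPol).MaxPasswordAge
    }
    else
    {
        # No FGP set to Domain Default
        $maxPasswordAge = $DefaultmaxPasswordAge
    }

    $expireson = $passwordSetDate + $maxPasswordAge
    $today = (Get-Date)
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days

    # Set Greeting based on Number of Days to Expiry.
    if ($daystoexpire -gt 1)
    {
        $messageDays = "in " + "$daystoexpire" + " days."
    }
    else
    {
        $messageDays = "today."
    }

    # Email Subject Set Here
    $subject = "Your password will expire $messageDays"

    # Email Body Set Here, Note You can use HTML, including Images.
    # The page lost the body's HTML tags and its closing quote; the wording is
    # kept and minimal markup is restored so the mail renders with -BodyAsHtml.
    # The dollar sign in the sample character list is escaped so it stays literal.
    # NOTE(review): $name is placed into the HTML unencoded; this assumes
    # GivenName is an administrator-controlled attribute.
    $body = @"
<p>This is an auto-reminder. Please do not reply to this mail. For queries, log a call in $resetlink</p>
<p>Dear $name,<br>
This mail is a reminder for you to change your password, as it expires $messageDays<br>
This is in line with the INDUS’s IT Security Policy. To change your password, please follow steps mentioned below.</p>
<p>Procedure for Password Change (Follow any one of the below options)</p>
<ul>
<li>If you have connected and logged on to the ABC domain, from your desktop / Laptop you can change the password by pressing the Ctrl+Alt+Del keys, and clicking on Change password in the subsequent window</li>
<li>Logon to $webmail -> Click on Option(Top Right corner) -> Click on Change Password option. Enter the Old Password,New Password and Confirm New Password. Click on Save.</li>
</ul>
<p>User Account Password Policy:</p>
<p>1.Maximum Password Age: Password expires in 90 days. (User will be prompted to change the password 14 days before expiry).</p>
<p>2.Passwords shall be minimum length of 8 characters.</p>
<p>3.The password contains characters from at least three of the following five categories:</p>
<ul>
<li>English uppercase characters (A to Z)</li>
<li>English lowercase characters (a to z)</li>
<li>Base 10 digits (0 to 9)</li>
<li>Non-alphanumeric (For example: !, `$, #, or %)</li>
<li>Unicode characters</li>
</ul>
<p>4.Password should not be contain following words in any form Indus and password.</p>
<p>5.Last 5 passwords shall not be reused for any reasons.</p>
<p>6.After 5 unsuccessful attempts, account shall be locked until the Helpdesk reactivates the account.</p>
<p>Please Note:-<br>
After changing the password, it takes 15 mins for the new password to be effective. If you have opened your Mail client (Outlook) Please close and reopen it.<br>
If your laptop is on WI-FI Network, log off from the laptop and login back again after connecting LAN Network<br>
If your desktop/laptop is joined the abc domain, log off from the computer and login again.<br>
If you have any problem in resetting your Password Please contact INDUS Helpdesk .</p>
<p>Thanks,</p>
<p>INDUS Helpdesk Contact Details:<br>
Phone: +91-120-6134444<br>
Email:itservicedesk@abc.com</p>
"@

    # If Testing Is Enabled – Email Administrator
    if ($testing -eq "Enabled")
    {
        $emailaddress = $testRecipient
    } # End Testing

    # If a user has no email address listed
    if ($null -eq $emailaddress)
    {
        $emailaddress = $testRecipient
    } # End No Valid Email

    # A reminder is due when the password has not yet expired and expires
    # within the notification window.
    if (($daystoexpire -ge 0) -and ($daystoexpire -lt $expireindays))
    {
        $sent = "Yes"
    }
    else # Log Non Expiring Password
    {
        $sent = "No"
    }

    # If Logging is Enabled Log Details
    # The line is written before the send, so "Yes" records that a reminder was
    # due, not that delivery succeeded. Values are written unquoted; a name
    # containing a comma shifts the columns.
    if ($logging -eq "Enabled")
    {
        Add-Content $logfile "$date,$Name,$emailaddress,$daystoExpire,$expireson,$sent"
    }

    # Send Email Message
    if ($sent -eq "Yes")
    {
        # NOTE(review): -UseSsl is not passed, so TLS is not requested for the
        # connection to the relay; add it if the relay supports it.
        $mailParams = @{
            SmtpServer = $smtpServer
            From       = $from
            To         = $emailaddress
            Bcc        = $bccemailaddress
            Subject    = $subject
            Body       = $body
            BodyAsHtml = $true
            Priority   = "High"
            Encoding   = $textEncoding
        }
        Send-MailMessage @mailParams
    } # End Send Message
}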