Monday 13 May 2013

Microsoft: Active Directory (AD) Password Expiry Email Notification and Summary Report

This Powershell script allows you to notify your users that their AD password will expire soon or has expired. Furthermore, as a system administrator, you are going to receive a list of users whose AD password is going to expire soon or has expired.


# Start of script
# Purpose:
# Powershell script to find out a list of users
# whose password is expiring within x number of days (as specified in $days_before_expiry).
# Email notification will be sent to them reminding them that they need to change their password.
# Requirements: the Quest.ActiveRoles.ADManagement snapin (loaded further down) and an
# SMTP relay that accepts mail from this host (Send-Mail below sets no credentials).

#####################
# Variables to change
#####################
# Days to Password Expiry: users whose password expires before today + this many
# days are selected (users whose password already expired are included as well)
$days_before_expiry = 14
# SMTP Server to be used
# NOTE(review): Send-Mail connects with no credentials and EnableSsl is never set,
# so mail is relayed unauthenticated; confirm this relay only accepts submissions
# from trusted hosts such as the one running this script.
$smtp = "192.168.1.2"
# "From" address of the email (placeholder - replace before use)
$from = "email@abc.com"
# Administrator email: receives the summary report, and the per-user notice for
# any account that has no email address in the directory (placeholder - replace)
$admin = "email@abc.com"
# Web address of your OWA url - tested only with Exchange 2007 SP2
# (not referenced anywhere else in the script as shown here)
$OWAURL = "mail.abc.com"
# First name of administrator (used in the greeting of the summary report)
$AdminName = "System Administrator"
# Define font and font size
# Opening HTML tag for every message body; the backtick (`) is PowerShell's escape
# character and is used here to keep the inner double quotes literal.
$font = "<font size=`"3`" face=`"Calibri`">"

##########################################
# Should require no change below this line
# (Except message body)
##########################################
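#######################################
# Sends a single HTML email through the given SMTP relay.
# Arguments: $smtpServer - host name or IP of the relay
#            $from       - sender address
#            $to         - one recipient address
#            $subject    - subject line
#            $body       - message body, sent as HTML
# Outputs:   none
# Errors:    .NET exceptions raised by SmtpClient.Send (bad address, relay
#            refused, ...) propagate to the caller
# NOTE(review): no Credentials or EnableSsl are configured, so the relay is
# used unauthenticated; keep it restricted to trusted hosts.
#######################################
function Send-Mail {
param($smtpServer,$from,$to,$subject,$body)
$client = new-object System.Net.Mail.SmtpClient($smtpServer)
$mail = new-object System.Net.Mail.MailMessage
try {
    $mail.From = $from
    $mail.To.Add($to)
    $mail.Subject = $subject
    $mail.Body = $body
    # Send email in HTML format
    $mail.IsBodyHtml = $true
    $client.Send($mail)
}
finally {
    # MailMessage is IDisposable; release it even when Send throws
    $mail.Dispose()
}
}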
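# Newline character used inside the HTML bodies. A CR/LF pair would be collapsed
# by HTML rendering, so the <br> tag is used instead.
#$newline = [char]13+[char]10
$newline = "<br>"
# Get today's day, date and time, once, so every email and the summary report
# carry the same timestamp and the same expiry arithmetic
$today = Get-Date
# Loads the Quest.ActiveRoles.ADManagement snapin required for the script
# (provides Get-QADUser and Set-QADPSSnapinSettings). Snapins stay loaded for the
# lifetime of the PowerShell session, and Add-PSSnapin reports an error when the
# snapin is already present, so check first; this lets the script be re-run in
# the same session.
if (-not (Get-PSSnapin -Name "Quest.ActiveRoles.ADManagement" -ErrorAction SilentlyContinue)) {
    Add-PSSnapin "Quest.ActiveRoles.ADManagement"
}
# 0 = no size limit on query results (presumably so large OUs are not truncated)
Set-QADPSSnapinSettings -DefaultSizeLimit 0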

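# Retrieves the list of users whose account is enabled, whose password can expire,
# that have a password expiry date, and whose expiry date is before
# today + $days_before_expiry (already-expired passwords are in the past and so
# are included too).
# Accounts without a PasswordExpires value are skipped explicitly: the loop below
# subtracts $today from that value, which fails on $null.
$notify_before = $today.AddDays($days_before_expiry)
$users_to_be_notified = Get-QADUser -SearchRoot "OU=USA,DC=abc,DC=local" -Enabled -PasswordNeverExpires:$False |
    Where-Object { ($_.PasswordExpires -ne $null) -and ($_.PasswordExpires -lt $notify_before) }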
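# Summary lines for the administrator report, one HTML line per user.
# Reset explicitly so a re-run in the same session does not append to stale lists
# (the report block below treats $null as "nothing to report").
$expired_users = $null
$expiring_users = $null
# Footer shared by every message; it depends only on $today, so build it once.
# It also closes the <font> tag opened by $font.
$footer = $newline + $newline + $newline + $newline + "<h5>Message generated on: " + $today + ".</h5>" + "</font>"

#######################################
# Sends one notification and turns a delivery failure into a warning, so one
# undeliverable address does not stop the remaining users from being processed.
# Arguments: $to, $subject, $body - passed through to Send-Mail
#            $logonName            - used only in the warning text
# Globals:   $smtp, $from (read)
#######################################
function Send-Notification($to, $subject, $body, $logonName) {
    try {
        Send-Mail -smtpServer $smtp -from $from -to $to -subject $subject -body $body
    }
    catch {
        Write-Warning ("Could not send notification for " + $logonName + ": " + $_.Exception.Message)
    }
}

# NOTE(review): $user.Name, $user.GivenName and $user.LogonName are concatenated
# into the HTML body without encoding, so a display name containing markup would
# be rendered by the mail client. HTML-encode these values if directory data is
# not fully trusted.
# Send email to notify users
foreach ($user in $users_to_be_notified) {
    # Days until expiry: negative means the password has already expired,
    # positive means it is expiring soon. 0 (expires today) takes the "expired"
    # branch and is reported as "0 day(s) ago".
    $days_remaining = ($user.PasswordExpires - $today).Days
    # Every message starts with the HTML font tag
    $body = $font
    # Notify the user directly only when the directory holds a usable address.
    # An empty string would make MailMessage.To.Add throw, so test for empty as well as $null.
    $has_email = -not [string]::IsNullOrEmpty($user.Email)
    if ($days_remaining -le 0) {
        # Report the age of the expired password as a positive number
        $days_remaining = [math]::Abs($days_remaining)
        # Add it to the list for the administrator report
        $expired_users += $user.Name + " - <font color=blue>" + $user.LogonName + "</font>'s password has expired <font color=blue>" + $days_remaining + "</font> day(s) ago." + $newline
        if ($has_email) {
            # Email notification to user
            $to = $user.Email
            $subject = "Reminder - Password has expired " + $days_remaining + " day(s) ago."
            $body += "Dear " + $user.GivenName + "," + $newline + $newline
            $body += "This is a friendly reminder that your password for account '<font color=blue>" + $user.LogonName + "</font>' has already expired " + $days_remaining + " day(s) ago." + $newline + $newline
            $body += "Please contact email@abc.com ( EXT. 9999 ) to arrange for your password to be reset."
        }
        else {
            # No address on the profile: ask the administrator to reset the password and fix the profile
            $to = $admin
            $subject = "Reminder - " + $user.LogonName + "'s Password has expired " + $days_remaining + " day(s) ago."
            $body += "Dear administrator," + $newline + $newline
            $body += "<font color=blue>" + $user.LogonName + "</font>'s password has expired <font color=blue>" + $days_remaining + " day(s) ago</font>."
            $body += " However, the system has detected that there is no email address attached to the profile."
            $body += " Therefore, no email notifications has been sent to " + $user.Name + "."
            $body += " Kindly reset the password and notify user of the password change."
            $body += " In addition, please add a corresponding email address to the profile so emails can be sent directly for future notifications."
        }
        $body += $footer
        # Comment out this line if you do not want to send email to users with already expired passwords.
        Send-Notification $to $subject $body $user.LogonName
    }
    else {
        # Password is still valid but expires within the notification window
        $expiring_users += $user.Name + " - <font color=blue>" + $user.LogonName + "</font> has <font color=blue>" + $days_remaining + "</font> day(s) remaining to change his/her password." + $newline
        if ($has_email) {
            # Email notification to user
            $to = $user.Email
            $subject = "Reminder - Password is expiring in " + $days_remaining + " day(s)."
            $body += "Dear " + $user.GivenName + "," + $newline + $newline + $newline
            $body += "This is a friendly reminder that your AD account password '<font color=blue>" + $user.LogonName + "</font>' is due to expire in " + $days_remaining + " day(s)." + $newline + $newline + $newline
            $body += "Please refer to the links below for quick guides" + $newline + $newline
            $body += "For Windows user:" + $newline
            $body += "\\fileserver\Public\Change_Windows_Password.pdf" + $newline + $newline
            $body += "For Mac user:" + $newline
            $body += "smb://fileserver/Share/Change_Mac_Password.pdf" + $newline + $newline
            # Expiry date shown day/month/year; the tag was previously written "<fontcolor=blue>", which is not valid HTML
            $body += "Please remember to change your password before <font color=blue>" + $user.PasswordExpires.Date.ToString('dd/MMM/yyyy') + "</font>."
        }
        else {
            # No address on the profile: ask the administrator to remind the user and fix the profile
            $to = $admin
            $subject = "Reminder - " + $user.LogonName + "'s Password is expiring in " + $days_remaining + " day(s)."
            $body += "Dear administrator," + $newline + $newline
            $body += "<font color=blue>" + $user.LogonName + "</font>'s password is expiring in <font color=blue>" + $days_remaining + " day(s)</font>."
            $body += " However, the system has detected that there is no email address attached to the profile."
            $body += " Therefore, no email notifications has been sent to " + $user.Name + "."
            $body += " Kindly remind him/her to change the password before <font color=blue>" + $user.PasswordExpires.Date.ToString('dd/MMM/yyyy') + "</font>."
            $body += " In addition, please add a corresponding email address to the profile so emails can be sent directly for future notifications."
        }
        $body += $footer
        Send-Notification $to $subject $body $user.LogonName
    }
}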
# Summary report for the administrator, sent only when the loop above put at
# least one user in either list (both lists are $null when nobody matched).
if (-not (($expired_users -eq $null) -and ($expiring_users -eq $null))) {
    $to = $admin
    $subject = "< Info > Password Expiry Report"
    # Whole HTML body assembled in one expression: opening font tag, greeting,
    # the two per-user lists, the timestamp footer, closing font tag.
    # An empty ($null) list contributes nothing to the concatenation.
    $body = $font +
        "Dear " + $AdminName + "," + $newline + $newline +
        "The following users' passwords are expiring soon or have already expired." + $newline + $newline + $newline +
        "<b>Users with expired passwords:</b>" + $newline +
        $expired_users + $newline + $newline +
        "<b>Users with passwords expiring soon:</b>" + $newline +
        $expiring_users +
        $newline + $newline + $newline + $newline +
        "<h5>Message generated on: " + $today + ".</h5>" +
        "</font>"
    Send-Mail -smtpServer $smtp -from $from -to $to -subject $subject -body $body
}
# End of script 
