Wednesday, February 20, 2013

PowerShell Script to Send Password Expiry Notification to Users









Hi All,

I am looking for the right script to send a password change notification to users whose password is expiring in less than 15 days' time. So I Googled around and found a few, but not all are that convincing.

Hope somebody can use the code below.

[code]#********************************************************************************* #
# #
# PowerShell script to gather Password expiry date for all users and --- #
# send e-mail notification to user with Password expiry date less than 15 Days #
# #
# Created by Vipin Vasudevan #
# #
#********************************************************************************* #


# Set the target OU that will be searched for user accounts
param ($OUDNPath = "CN=USERS,DC=DOMAIN,DC=COM")

$objuser = $null
$objou = [ADSI]"LDAP://$OUDNPath"
$searchad = [System.DirectoryServices.DirectorySearcher]$objou

# LDAP filter for searching user accounts. The bitwise matching rule
# (OID 1.2.840.113556.1.4.803) skips every account that has the ACCOUNTDISABLE
# flag (0x2) set, not only those whose userAccountControl is exactly 514.
$searchad.Filter = "(&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))"
$searchad.PageSize = 1000
$searchad.SearchScope = "Subtree"

# Load only the attributes the script uses
[void]$searchad.PropertiesToLoad.Add("samaccountname")
[void]$searchad.PropertiesToLoad.Add("lastlogontimestamp")
[void]$searchad.PropertiesToLoad.Add("pwdlastset")
[void]$searchad.PropertiesToLoad.Add("name")
[void]$searchad.PropertiesToLoad.Add("mail")
$objusers = $searchad.FindAll()

# Take each user to calculate the last password reset time and the expiry date
foreach ($evuser in $objusers)
{
        # Read the last password reset time
        $lastpwdchng = $($evuser.properties.pwdlastset[0])

        # Convert the 'pwdlastset' NT system time into a readable format
        $lastpwdchng = [datetime]::FromFileTime($lastpwdchng)

        # Read the "Name, Mail and Samaccountname" attribute values for each user
        $name = $($evuser.properties.name)
        $mail = $($evuser.properties.mail)
        $sam = $($evuser.properties.samaccountname)

        # Convert SAMaccountName to UserPrincipalName
        $upn = $sam + "@DOMAIN.com"

        # Define the default password age ( maximumPasswordAge ) and get the current date in '$today'
        $policy = 45
        $today = Get-Date

        # Current password age in days (stored in '$daystoexpiry')
        $daystoexpiry = ($today - $lastpwdchng).Days

        # Days remaining before the password expires: default password age minus current password age
        $balance = $policy - $daystoexpiry

        # Date and time the password is going to expire: last password set date plus the policy age
        $expireyday = $lastpwdchng.AddDays($policy)

        # Check users whose password expires in less than 15 days; skip accounts with no mail address
        If ($balance -lt 15 -and $balance -gt 0 -and $mail)
            {
           # Write-Host $name with $balance days to reset his password mail need to send to $mail

# E-mail structure with message body



                        $WarnMsg = "


                                    <p><u><span style='font-size:10.0pt;font-family:Century Gothic'>This is an automatically generated message from the Active Directory System</span></u> </p>

                                    <p style='font-family:Century Gothic'>Dear $name,</p>
                                   
                                    <p><span style='font-size:10.0pt;font-family:Century Gothic'>This is to inform you, that your AD account ( $upn ) password is due to expire <span class=GramE>on $expireyday  IST</span>. <br> If you are directly logging to the <b><span style='color:red'>DOMAIN.com</span></b> Windows active directory Network, please change the password using built-in windows feature<br> (Use ctrl-alt-del and select change password). <br> If not please go to the site <a href='https://portal.DOMAIN.com'>https://portal.DOMAIN.com</a> use your existing credentials to login and change your password. <br>  </span></p>


                                    <p><span style='font-size:10.0pt;font-family:Century Gothic'>If you have problems changing your AD account password please raise a ticket by contacting <span class=SpellE>ISHelpDesk</span>  at <br> From US       :  + 1-949-600-5511 <br> From India  :  0471–4041111/ 0471 4041112 <br> Email:<span style='color:blue'> <a href='mailto:ISHelpdesk@DOMAIN.com'>ISHelpdesk@DOMAIN.com</a></span> </span></p>


                                    <p><span style='font-size:10.0pt;font-family:Century Gothic'>Your Password was last changed on $lastpwdchng IST.</span></p>

                                    <p><span style='font-size:10.0pt;font-family:Century Gothic'>Your AD credentials are used to access all corporate services and an account lock out will lead to loss of productive time.</span> </p>

<p class=MsoNormal><u><span style='font-size:10.0pt;font-family:Century Gothic'>Your password should meet the following conditions.</span></u></p>

<ul type=disc>

 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l1 level1 lfo3;tab-stops:list .5in'><span style='font-size:10.0pt;
     font-family:Century Gothic'>Your password must contain a minimum of 8 characters</span></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l1 level1 lfo3;tab-stops:list .5in'><span style='font-size:10.0pt;
     font-family:Century Gothic'>Password must be a combination of upper and lower case characters, numerals (0 - 9) and non-alphabetic characters (!,$,%,&,...)</span></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l1 level1 lfo3;tab-stops:list .5in'><span style='font-size:10.0pt;
     font-family:Century Gothic'>Your password must not contain part of the account or your proper name</span></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l1 level1 lfo3;tab-stops:list .5in'><span style='font-size:10.0pt;
     font-family:Century Gothic'>The system will not accept your previous 24 passwords</span></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l1 level1 lfo3;tab-stops:list .5in'><span style='font-size:10.0pt;
     font-family:Century Gothic'>Please change your password every 45 days. The system will prompt you to do so</span></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l1 level1 lfo3;tab-stops:list .5in'><span style='font-size:10.0pt;
     font-family:Century Gothic'>Warning: Your account will be locked if 5 attempts to change passwords fail due to invalid entries. Please contact Helpdesk [Phone: 1111/1112 (VOIP) or 0471-4041112 (India PSTN) or 9496005511 (US Users)] for assistance</span></li>


</ul>

<p><span style='font-size:10.0pt;font-family:Century Gothic'>Thank you, </span></p>

<p><span style='font-size:10.0pt;font-family:Century Gothic'>Active Directory Support Team </span></p>

<p><b><span style='font-size:9.0pt;font-family:Century Gothic'>Confidentiality Notice:</span></b><span style='font-size:10.0pt;font-family:Century Gothic; color:navy'><br>  <br>
</span><span style='font-size:10.0pt;font-family:Century Gothic'>This message and any attachment(s) contained here are information that is confidential, proprietary to <span class=SpellE><b><i><span style='color:#FF3300'>U</span><span style='color:red'>Organization</span></i></b></span> and its customers. Contents may be privileged or otherwise protected by law. The information is solely intended for the individual or the entity it is addressed to. If you are not the intended recipient of this message, you are not authorized to read, forward, print, retain, copy or disseminate this message or any part of it. If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete it from your computer. <o:p></o:p></span></p>

                                    "


                        $recipients1 = "ADTeam@DOMAIN.com"

                        # SMTP relay: replace the placeholder with your mail server's address
                        $smtpServer = "<IPADDRESS>"

# Send e-mail to the user whose password is going to expire
                        Send-MailMessage -From "ISHelpdesk@DOMAIN.com" -To $mail -Bcc $recipients1 -Subject "Change Password" -Body $WarnMsg -SmtpServer $smtpServer -BodyAsHtml

                      }
       
       
        }
[/code]

For more scripts and solutions, please visit http://vipinvasudevan.blogspot.in/

The script above is ready to use, BUT RUN IT AT YOUR OWN RISK!!!!
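The per-account decision the script makes, written as a stand-alone function that also covers the cases the date arithmetic alone does not: disabled accounts, accounts flagged password-never-expires, and `pwdLastSet = 0` (user must change password at next logon). This is an added example, not the author's code; the function name, sample accounts and reference date are constructed, while the 45-day policy and 15-day warning window are the script's own values.

```powershell
# Added example: classify one account from its raw pwdLastSet and
# userAccountControl values. No directory access is needed to run it.
$ACCOUNTDISABLE       = 0x2       # userAccountControl flag: account disabled
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag: password never expires

function Get-PasswordExpiryStatus {
    param(
        [long]$PwdLastSet,          # raw FILETIME from the pwdLastSet attribute
        [int]$UserAccountControl,   # raw userAccountControl value
        [int]$MaxAgeDays = 45,      # hard-coded policy from the script
        [int]$WarnDays = 15,        # warning window from the script
        [datetime]$Now = (Get-Date)
    )
    # Test individual bits: comparing against 514 misses combined values such as 66050
    if ($UserAccountControl -band $ACCOUNTDISABLE)       { return 'Skip:Disabled' }
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWORD) { return 'Skip:NeverExpires' }
    # 0 means "must change at next logon"; FromFileTime(0) would give a date in 1601
    if ($PwdLastSet -eq 0)                               { return 'Skip:MustChangeAtNextLogon' }

    $expires = [datetime]::FromFileTime($PwdLastSet).AddDays($MaxAgeDays)
    $left    = [math]::Floor(($expires - $Now).TotalDays)
    if ($left -lt 0)         { return 'Expired' }
    # Unlike the script's "-gt 0" test, an account on its last day is still notified
    if ($left -lt $WarnDays) { return "Notify:$left" }
    return 'OK'
}

# Constructed sample accounts (not real directory data)
$now = Get-Date '2013-02-20T09:00:00'
$samples = @(
    @{ Sam = 'alice'; Uac = 512;   Set = $now.AddDays(-35).ToFileTime() }   # normal, set 35 days ago
    @{ Sam = 'erin';  Uac = 512;   Set = $now.AddDays(-5).ToFileTime() }    # normal, set 5 days ago
    @{ Sam = 'bob';   Uac = 514;   Set = $now.AddDays(-40).ToFileTime() }   # disabled
    @{ Sam = 'dave';  Uac = 66050; Set = $now.AddDays(-40).ToFileTime() }   # disabled + never expires
    @{ Sam = 'svc';   Uac = 66048; Set = $now.AddDays(-400).ToFileTime() }  # never expires
    @{ Sam = 'carol'; Uac = 512;   Set = 0 }                                # must change at next logon
)

foreach ($s in $samples) {
    $status = Get-PasswordExpiryStatus -PwdLastSet $s.Set -UserAccountControl $s.Uac -Now $now
    '{0,-6} {1}' -f $s.Sam, $status
}
```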






