Send-ADUserPasswordExpirationNotification.ps1

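<#
.Synopsis
   Send-ADUserPasswordExpirationNotification gets a list of users whose passwords are expiring
   and sends each user an email notification.
.DESCRIPTION
   Send-ADUserPasswordExpirationNotification gets a list of users whose passwords are expiring
   within a given number of days (via Get-ADUserPasswordExpiration), emails every user in that
   list who has a mail attribute, and finally emails the run log as a report to an IT mailbox.
   It requires the ActiveDirectory PowerShell module plus the Get-ADUserPasswordExpiration and
   Write-Log helper functions (see .LINK). The function writes nothing to the pipeline; its
   results are the emails and the log file. It is intended for a scheduled run and is
   particularly helpful to users who do not regularly log on to a domain computer and so never
   see the interactive expiry warning.
.NOTES
   Created by: Jason Wasser @wasserja
   Modified: 5/13/2015 03:44:26 PM
   Changelog:
    * rewrite to use Get-ADUserPasswordExpiration instead of internal logic
    * review fixes: use the PSO's MaxPasswordAge (previously read an undefined variable),
      forward -IncludePasswordNeverExpires with switch syntax, initialise the user list,
      skip users with no PasswordLastSet, use Write-Log -Path consistently, 24-hour
      timestamp in the default log name, optional -SMTPCredential / -UseSsl
   Security notes:
    * Prefer -SMTPCredential over -SMTPUsername/-SMTPPassword. A plain-text password given
      on the command line ends up in shell history, scheduled-task definitions and
      transcripts.
    * Send-MailMessage does not guarantee a secure connection. Use -UseSsl so the SMTP
      credential and the notification content are not sent in clear text.
    * The report attachment is the full run log, i.e. a list of accounts whose passwords
      are about to expire. Restrict -ReportTo to the people who need it.
.PARAMETER Username
   Defaults to wildcard *, but you can specify a username or pattern to search for specific
   usernames.
.PARAMETER NotificationStartDay
   Specify how many days prior to expiration to trigger the notification. Default is ten.
.PARAMETER NotificationSenderAddress
   From address used for the per-user notification email.
.PARAMETER NotificationSubject
   Subject line of the per-user notification email.
.PARAMETER SMTPServer
   SMTP server used for both the user notifications and the report.
.PARAMETER SearchBaseDN
   Specify your domain or organizational unit by distinguished name. Defaults to current
   domain DN.
.PARAMETER ExpiringPasswordUserList
   Accepted for backward compatibility; currently not used by the function.
.PARAMETER SMTPUsername
   Legacy plain-text SMTP username (default 'anonymous'). Ignored when -SMTPCredential is given.
.PARAMETER SMTPPassword
   Legacy plain-text SMTP password (default 'anonymous'). Ignored when -SMTPCredential is given.
   Prefer -SMTPCredential so the password never appears on a command line.
.PARAMETER ReportMessageBody
   Body text of the report email sent to -ReportTo.
.PARAMETER ReportSubject
   Subject line of the report email.
.PARAMETER ReportTo
   Recipient of the report email. The report attaches the run log, which lists every account
   with an expiring password, so keep this to the people who need it.
.PARAMETER ReportFrom
   From address of the report email.
.PARAMETER LogFileName
   Path of the run log. Defaults to a timestamped file under C:\Logs; the directory must
   exist (or Write-Log must create it).
.PARAMETER IncludePasswordNeverExpires
   Also process users whose password is set to never expire.
.PARAMETER SMTPCredential
   PSCredential used to authenticate to the SMTP server. Takes precedence over
   -SMTPUsername/-SMTPPassword when supplied.
.PARAMETER UseSsl
   Use SSL/TLS for the SMTP connection (passed through to Send-MailMessage -UseSsl).
.EXAMPLE
   Send-ADUserPasswordExpirationNotification
   Gets a list of all users in the current domain whose passwords are expiring within
   ten days and sends a notification.
.EXAMPLE
   Send-ADUserPasswordExpirationNotification -IncludePasswordNeverExpires
   Gets a list of all users in the current domain whose passwords are expiring within
   ten days and sends a notification including users whose password never expire.
.EXAMPLE
   Send-ADUserPasswordExpirationNotification -IncludePasswordNeverExpires -SearchBaseDN "OU=Departments,DC=Domain,DC=com"
   Gets a list of all users in the OU Departments whose passwords are expiring within
   ten days and sends a notification including users whose password never expire.
.EXAMPLE
   Send-ADUserPasswordExpirationNotification -SMTPCredential (Get-Credential) -UseSsl
   Same as the default run, but authenticates to the SMTP server with a prompted credential
   over a TLS-protected connection instead of a plain-text password on the command line.
.LINK
    Send-ADUserPasswordExpirationNotification - https://gallery.technet.microsoft.com/scriptcenter/Send-PasswordExpirationNoti-f8eb2948
.LINK
    Get-ADUserPasswordExpiration - https://gallery.technet.microsoft.com/scriptcenter/Get-ADUserPasswordExpiratio-78bdea02
.LINK
    Write-Log - https://gallery.technet.microsoft.com/scriptcenter/Write-Log-PowerShell-999c32d0
#>

function Send-ADUserPasswordExpirationNotification
{
    [CmdletBinding()]
    [Alias()]
    Param
    (
        # Username (sAMAccountName) or wildcard pattern to search for; '*' means every user.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]$Username='*',

        # How many days prior to expiration to trigger notification
        [int]$NotificationStartDay = 10,
        [string]$NotificationSenderAddress='no-reply@domain.com',
        [string]$NotificationSubject='Your password is about to expire',
        [string]$SMTPServer='smtp.domain.com',
        [string]$SearchBaseDN,
        # NOTE(review): not used anywhere in the function; kept so existing callers that
        # pass it keep working.
        [string[]]$ExpiringPasswordUserList = @(),
        # Legacy plain-text SMTP credential. Prefer -SMTPCredential (see .NOTES).
        [string]$SMTPUsername = 'anonymous',
        [string]$SMTPPassword = 'anonymous',
        [string]$ReportMessageBody = 'Please see attached for a list of users with an expiring password',
        [string]$ReportSubject='List of Users with Expiring Password',
        [string]$ReportTo='it@domain.com',
        [string]$ReportFrom='mrautomaton@domain.com',
        # 'HH' (24-hour) rather than 'hh' so an AM run and a PM run at the same minute
        # do not share one log file.
        [string]$LogFileName = "C:\Logs\Send-PasswordExpiringNotification-$(Get-Date -Format 'yyyyMMddHHmmss').log",
        [switch]$IncludePasswordNeverExpires=$false,
        # New parameters go last so the positional order of the existing ones is unchanged.
        [System.Management.Automation.PSCredential]$SMTPCredential,
        [switch]$UseSsl
    )

    Begin
    {
        # Begin Logging
        Write-Log "--------------------------------------------" -Path $LogFileName
        Write-Log "Beginning $($MyInvocation.InvocationName) on $($env:COMPUTERNAME) by $env:USERDOMAIN\$env:USERNAME" -Path $LogFileName

        # SMTP Authentication: a supplied PSCredential wins; otherwise fall back to the
        # legacy plain-text username/password pair (default 'anonymous'/'anonymous').
        if ($SMTPCredential) {
            $Credential = $SMTPCredential
        }
        else {
            $SecurePassword = ConvertTo-SecureString -String $SMTPPassword -AsPlainText -Force
            $Credential = New-Object System.Management.Automation.PSCredential($SMTPUsername,$SecurePassword)
        }

        # Send-MailMessage settings shared by the per-user notifications and the report.
        # -UseSsl is opt-in to stay compatible with existing callers; without it the
        # credential and mail content travel in clear text.
        $MailParams = @{
            SmtpServer = $SMTPServer
            Credential = $Credential
        }
        if ($UseSsl) {
            $MailParams['UseSsl'] = $true
        }

        # Accumulates the sAMAccountName of every processed user; the End block sends the
        # report only when this is non-empty. Initialised here so Process can append across
        # pipeline input.
        $expiringpassusers = @()

        # Domain default max password age is the same for every user; look it up once
        # instead of once per user without a PSO.
        $DefaultMaxPasswordAgeDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    }
    Process
    {
        Write-Log -Message "Getting list of users." -Path $LogFileName
        # Switch parameters must be forwarded with the colon syntax; "-Switch $false" is
        # parsed as the switch plus a stray positional argument.
        $Users = Get-ADUserPasswordExpiration -Username $Username -NotificationStartDay $NotificationStartDay -SearchBaseDN $SearchBaseDN -IncludePasswordNeverExpires:$IncludePasswordNeverExpires

        Write-Log -Message "Processing list of users for password expiration notification" -Path $LogFileName
        foreach ($User in $Users) {
            $samaccountname = $User.samaccountname

            # A user flagged "must change password at next logon" has no PasswordLastSet.
            # There is no expiry date to compute, so log and skip rather than fail on a
            # null method call (which would leave $expirydate stale from the previous user).
            if (-not $User.PasswordLastSet) {
                Write-Log "$samaccountname has no PasswordLastSet (password must be changed at next logon); skipping." -Path $LogFileName
                continue
            }

            # Checking for Password Policy for user to calculate when password expires.
            # A fine-grained password policy (PSO) takes precedence over the domain default.
            $PSO = Get-ADUserResultantPasswordPolicy -Identity $samaccountname
            if ($PSO) {
                $maxPasswordAgeDays = $PSO.MaxPasswordAge.Days
            }
            else {
                $maxPasswordAgeDays = $DefaultMaxPasswordAgeDays
            }
            $expirydate = ($User.PasswordLastSet).AddDays($maxPasswordAgeDays)
            $delta = ($expirydate - (Get-Date)).Days

            Write-Log "$samaccountname password is expiring within $delta days." -Path $LogFileName
            $expiringpassusers += $samaccountname
            if ($User.mail) {
                Write-Log "$samaccountname has email. Sending notification." -Path $LogFileName
                $mailBody = "Dear " + $User.GivenName + ",`r`n`r`n"
                $mailBody += "Your Windows password for account $samaccountname will expire after $delta days. You will need to change your password to keep using your account. You will continue to receive a daily reminder until you do change it. `r`n`r`n"
                $mailBody += "If you need any help resetting your password please contact our helpdesk at 555.555.5555 or internally at ext. 5555. `r`n`r`n"
                $mailBody += "`r`n`r`n IT Department"
                $usermailaddress = $User.mail
                Send-MailMessage -To $usermailaddress -From $NotificationSenderAddress -Subject $NotificationSubject -Body $mailBody @MailParams
            }
            else {
                Write-Log -Message "$samaccountname does not have an email address." -Path $LogFileName
            }
        }
    }

    End
    {
        # Sending Report. The attachment is the run log, i.e. the list of accounts that are
        # about to expire -- keep $ReportTo limited to the people who need it.
        if ($expiringpassusers.Count -gt 0) {
            Write-Log "Sending report of all users with expiring passwords to $ReportTo" -Path $LogFileName
            Send-MailMessage -To $ReportTo -From $ReportFrom -Subject $ReportSubject -Body $ReportMessageBody -Attachments $LogFileName @MailParams
        }
        else {
            Write-Log -Message "No Users with expiring passwords." -Path $LogFileName
        }

        # Clean up
        Write-Log "$($MyInvocation.InvocationName) complete." -Path $LogFileName -Level Info
        Write-Log "--------------------------------------------" -Path $LogFileName -Level Info
    }
}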