Create a task in Task Scheduler that runs against all Active Directory users and, day after day, sends each user an email telling them that they need to change their password.
Add arguments -> file "C:\Scripts\PwdExpireHTML.Ps1"
The script:
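#################################################################################################################
#
# Version 1.0 01.2021
# Uriel Zion
# Https://uriel.zion.com
# Script to Automated Email Reminders when Users Passwords due to Expire.
#
# Requires: Windows PowerShell Module for Active Directory
#
# How it works:
#   1. If logging is enabled and the CSV log does not exist yet, it is created with a header row.
#   2. Enabled users whose password can expire and has not already expired are read from AD.
#   3. For each user the expiry date is PasswordLastSet plus the effective MaxPasswordAge
#      (the user's fine-grained policy when one applies, otherwise the domain default).
#   4. Users whose password expires within $expireindays days (today counts as 0) get an HTML reminder.
#
##################################################################################################################
# Please Configure the following variables....
$smtpServer    = "SmtpServer"
$expireindays  = 14                        # Remind when the password expires in fewer than this many days
$from          = "Administrator@Domain_Name"
$logging       = "Enabled"                 # Set to Disabled to Disable Logging
$logFile       = "c:\scripts\pwdexpirehtml\PwdExipreHTML.csv" # ie. c:\mylog.csv
$testing       = "Disabled"                # Set to Disabled to Email Users
$testRecipient = "Email_Address"           # Gets every mail while testing, and the mail of any user with no EmailAddress
$date          = Get-Date -format ddMMyyyy
#
###################################################################################################################

# Check Logging Settings
if ($logging -eq "Enabled") {
    # Create the CSV (and any missing parent folders) with its header row when it does not exist yet.
    # NOTE: the log accumulates names and email addresses; keep the folder's ACL limited to the
    # service account that runs the task and to administrators.
    if (-not (Test-Path $logFile)) {
        New-Item $logFile -ItemType File -Force | Out-Null
        Add-Content $logFile "Date,Name,EmailAddress,DaystoExpire,ExpiresOn"
    }
} # End Logging Check

# Get Users From AD who are Enabled, Passwords Expire and are Not Currently Expired
Import-Module ActiveDirectory -ErrorAction Stop
$users = Get-ADUser -Filter * -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress |
    Where-Object { $_.Enabled -eq $true -and $_.PasswordNeverExpires -eq $false -and $_.PasswordExpired -eq $false }

# Domain-wide maximum password age. It is the fallback for every user; a fine-grained policy (PSO)
# overrides it per user inside the loop, and that override must not leak into the next iteration.
$defaultMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

# Process Each User for Password Expiry
foreach ($user in $users) {
    # Name and PasswordLastSet were already fetched via -Properties above; no second AD round-trip per user.
    $Name            = $user.Name
    $emailaddress    = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet

    # PasswordLastSet is empty when the password was never set or the account is flagged
    # "must change password at next logon". There is no expiry date to compute, so skip the user
    # instead of failing on the date arithmetic below.
    if ($null -eq $passwordSetDate) {
        Write-Warning "Skipping '$Name': PasswordLastSet is not populated."
        continue
    }

    # Check for Fine Grained Password policy; reset to the domain default first so a PSO found for
    # one user is never carried over to the users processed after them.
    $maxPasswordAge = $defaultMaxPasswordAge
    $PasswordPol = Get-ADUserResultantPasswordPolicy $user
    if ($null -ne $PasswordPol) {
        $maxPasswordAge = $PasswordPol.MaxPasswordAge
    }

    # A zero MaxPasswordAge means the effective policy never expires passwords; nothing to remind about.
    if ($maxPasswordAge -eq [TimeSpan]::Zero) {
        continue
    }

    $expireson    = $passwordSetDate + $maxPasswordAge
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days

    # Set Greeting based on Number of Days to Expiry.
    if ($daystoexpire -ge 1) {
        $messageDays = "in $daystoexpire days."
    } else {
        $messageDays = "today."
    }

    # Email Subject Set Here
    $subject = "Your password will expire $messageDays"

    # Email Body Set Here, Note You can use HTML, including Images.
    # The body deliberately contains no links: users change the password via Ctrl-Alt-Del on their
    # own machine, so the reminder does not train them to follow "change your password" links in mail.
    # ($messageDays already ends with a period, so no extra one is added after it.)
    $body = @"
Dear $name,
<p> Your Password will expire $messageDays<br>
<p>To change your password, follow the method below</p>
<p>On your Windows computer</p>
<p>a. If you are<strong> not</strong> in the office, logon and connect to VPN</p>
<p>b. Log onto your computer as usual and make sure you are connected to the internet</p>
<p>c. Press Ctrl-Alt-Del and click on "Change Password"</p>
<p>d. Fill in your old password and set a new password. See the password requirements below</p>
<p>e Press OK to return to your desktop. </p>
<p> </p>
<p>The new password must meet the minimum requirements set forth in our corporate policies including:</p>
<p>1. It must be at least 8 characters long.</p>
<p>2. It must contain at least one character from 3 of the 4 following groups of characters:</p>
<p> a. Uppercase letters (A-Z)</p>
<p> b. Lowercase letters (a-z)</p>
<p> c. Numbers (0-9)</p>
<p> d. Symbols (!@#$%^&*...)</p>
<p>3. It cannot match any of your past 6 passwords.</p>
<p>4. It cannot contain characters which match 3 or more consecutive characters of your username</p>
<p> </p>
<p>If you have any questions please contact our Support team at "Support_Mail@DomainName";</p>
<p>or call us at "Support Number"</p>
<p> </p>
<p>Thanks,</p>
<p>System IT</p>
<p>CompanyName</p>
<p>
"@

    # If Testing Is Enabled - Email Administrator
    if ($testing -eq "Enabled") {
        $emailaddress = $testRecipient
    } # End Testing

    # If a user has no email address listed, the reminder is redirected to $testRecipient so the gap
    # is noticed. In production $testRecipient must therefore be a monitored mailbox, or these
    # reminders are silently lost. An empty string is treated the same as a missing attribute.
    if ([string]::IsNullOrEmpty($emailaddress)) {
        $emailaddress = $testRecipient
    } # End No Valid Email

    # Send Email Message
    if (($daystoexpire -ge 0) -and ($daystoexpire -lt $expireindays)) {
        # If Logging is Enabled Log Details
        if ($logging -eq "Enabled") {
            # Fields are written unquoted: a display name that contains a comma shifts the CSV columns.
            Add-Content $logFile "$date,$Name,$emailaddress,$daystoExpire,$expireson"
        }
        # Send Email Message. One undeliverable address must not abort the run for everyone else,
        # so the failure is reported and the loop continues.
        # If the relay supports STARTTLS, add -UseSsl so message content is not relayed in clear text.
        try {
            Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High -ErrorAction Stop
        } catch {
            Write-Warning "Failed to send reminder to '$emailaddress' for '$Name': $($_.Exception.Message)"
        }
    } # End Send Message
} # End User Processing
# End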
Result: