cls
#----------------------------------------------------------------------
# Modified by: Clayton Kramer [email protected]
# Last Modified: Tue 01 Feb 2011 04:44:24 PM EST
#
# Based on the original script by Levente Veres (bergermanus)
# Contact: http://my.bergersoft.net
# Link: http://my.bergersoft.net/2009/05/26/how-to-send-password-expire-alert-to-ad-users-with-powershell/
# Description: Sends an alert e-mail to every domain user whose password is
# about to expire, followed by a summary report to the administrators.
# The values below are the only configuration the script needs.
#-----------------------------------------------------------------------
Import-Module ActiveDirectory

# Users whose password expires within this many days receive an alert
$max_alert = 7

# SMTP relay and sender address used for every message
$smtpServer = "localhost"
$smtpFrom = "[email protected]"

# Recipients of the administrator report (comma-separated for several)
$adminEmail = "[email protected]"

# Organization name shown in the user notification text
$orgName = "My Company"
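# Send the expiration notice to a single user.
#
# Arguments:
#   $remainingDays - whole days until the password expires
#   $email         - recipient address (the user's AD "mail" attribute)
#   $name          - display name used in the subject and greeting
#   $account       - user principal name shown in the message
#   $smtpServer    - SMTP relay host
#   $smtpFrom      - sender address
# Also reads the script-level $orgName for the organization name in the text.
# Throws whatever MailAddress parsing or SmtpClient.Send() throws; the caller
# decides whether to continue with the next user.
function send_email_user ($remainingDays, $email, $name, $account, $smtpServer, $smtpFrom)
{
    # HttpUtility lives in System.Web, which PowerShell does not load by default
    Add-Type -AssemblyName System.Web

    $today = Get-Date
    $dateExpires = $today.AddDays($remainingDays)

    # Name, account and organization are directory attributes / configuration
    # interpolated into an HTML body: encode them so a '<', '&' or quote in a
    # display name cannot break or inject markup into the message.
    $safeName = [System.Web.HttpUtility]::HtmlEncode($name)
    $safeAccount = [System.Web.HttpUtility]::HtmlEncode($account)
    $safeOrg = [System.Web.HttpUtility]::HtmlEncode($orgName)

    $smtpClient = New-Object System.Net.Mail.SmtpClient
    $mailMessage = New-Object System.Net.Mail.MailMessage
    try {
        $smtpClient.Host = $smtpServer
        $mailMessage.From = $smtpFrom
        $mailMessage.To.Add($email)
        $mailMessage.Subject = "$name, your domain password expires soon."
        $mailMessage.IsBodyHtml = $true
        $body = @"
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<style type="text/css">
BODY{font-family: Verdana, Calibri, Arial;font-size: 12px;}
</style>
<title></title>
</head>
<body>
<b>Dear $safeName</b>,
<p>This is a reminder that your network password for account <b>$safeAccount</b> will expire in <b>$remainingDays days</b>. If you do not change it by <b>$dateExpires</b>, you will not be able to connect to the $safeOrg network.</p>
<b>Policy</b>
<p>Passwords must meet the following minimum requirements:</p>
<ul>
<li>Not contain the your account name or parts of the your full name that exceed two consecutive characters</li>
<li>Be at least seven characters in length</li>
<li>Cannot be a previously used password</li>
</ul>
<p> Contain characters from three of the following four categories:</p>
<ul>
<li>English uppercase characters (A through Z)</li>
<li>English lowercase characters (a through z)</li>
<li>Base 10 digits (0 through 9)</li>
<li>Non-alphabetic characters (for example, !, $, #, %)</li>
</ul><b>Instructions</b>
<p>Follow the steps below to change your password:</p>
<p>Windows Users</p>
<ol>
<li>Press CTRL+ALT+DEL</li>
<li>On the screen that came choose <i>Change password</i></li>
<li>Type in your old password and then type the new one (be advised you cannot use one of the previously used passwords)</li>
<li>After the change is complete you will be prompted with information that password has been changed</li>
</ol>
<p>Linux Users</p>
<ol>
<li>Open a terminal</li>
<li>Execute the <i>passwd</i> command.</li>
<li>Enter your current password.</li>
<li>Type your new password (be advised you cannot use one of the previously used passwords)</li>
<li>Provide the new password again at the confirmation prompt</li>
</ol>
<p>For questions or comments please contact your system administrator.</p>
<hr noshade>
<p>Generated on : $today</p>
</body>
</html>
"@
        $mailMessage.Body = $body
        $smtpClient.Send($mailMessage)
        #$body | Out-File "usermsg.html"
    }
    finally {
        # MailMessage is IDisposable; release it whether or not Send() succeeded
        $mailMessage.Dispose()
    }
}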
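# Send the HTML status report to the administrators.
#
# Arguments:
#   $body       - report HTML; a string or an array of lines (ConvertTo-Html emits lines)
#   $smtpServer - SMTP relay host
#   $smtpFrom   - sender address
#   $adminEmail - comma-separated recipient list; blanks around entries and
#                 empty entries ("a@x, b@y," ) are ignored
# Throws when no usable recipient remains or when delivery fails.
function send_email_admin($body, $smtpServer, $smtpFrom, $adminEmail)
{
    $smtpClient = New-Object System.Net.Mail.SmtpClient
    $mailMessage = New-Object System.Net.Mail.MailMessage
    try {
        $smtpClient.Host = $smtpServer
        $mailMessage.From = $smtpFrom
        $mailMessage.Subject = "[Report] Domain Password Expiration"
        $mailMessage.IsBodyHtml = $true
        # Join explicitly instead of relying on $OFS for the array-to-string conversion
        $mailMessage.Body = (@($body) -join "`n") + "`n"
        foreach ($a in $adminEmail.Split(",")) {
            $addr = $a.Trim()
            # MailAddress parsing rejects " b@y" and "" outright; skip them
            if ($addr -ne "") {
                $mailMessage.To.Add($addr)
            }
        }
        if ($mailMessage.To.Count -eq 0) {
            throw "send_email_admin: no recipient address found in '$adminEmail'"
        }
        $smtpClient.Send($mailMessage)
    }
    finally {
        # MailMessage is IDisposable; release it whether or not Send() succeeded
        $mailMessage.Dispose()
    }
}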
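# Return the first value of attribute $attr from a search-result property
# collection, or $null when the attribute is absent or has no values.
# Attribute names in ResultPropertyCollection are lower case.
function get_first_value ($props, $attr)
{
    if ($props.Contains($attr) -and $props[$attr].Count -gt 0) {
        return $props[$attr][0]
    }
    return $null
}

# Search for the active directory users with following conditions
# 1. Is in USER category
# 2. Has logged on at least once, to skip never-used system accounts
# 3. Is not disabled (userAccountControl bit 2)
# 4. Does not have "password never expires" set (userAccountControl bit 65536);
#    those accounts would otherwise be warned about an expiry that never happens
$userlist = @()
$strFilter = "(&(objectCategory=User)(logonCount>=1)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
# Fetch only the attributes used below instead of every attribute of every user
foreach ($attr in "name", "mail", "userprincipalname", "lastlogon", "pwdlastset") {
    [void]$objSearcher.PropertiesToLoad.Add($attr)
}
$colResults = $objSearcher.FindAll()

# Get the default domain password policy (Powershell 2.0)
# NOTE: fine-grained password policies (PSOs) are not considered; a user covered
# by a PSO with a different MaxPasswordAge gets an inaccurate remaining-day count.
$passPolicy = Get-ADDefaultDomainPasswordPolicy
$MaxPwdAge = [INT]$passPolicy.MaxPasswordAge.TotalDays
# A non-positive age means passwords do not expire domain-wide (the cmdlet is
# expected to report 00:00:00 in that case -- verify on your domain); without
# this guard every account would be reported as already expired.
if ($MaxPwdAge -le 0) {
    Write-Warning "Domain MaxPasswordAge is $($passPolicy.MaxPasswordAge); passwords do not expire, nothing to do."
    $colResults.Dispose()
    exit 0
}

foreach ($objResult in $colResults)
{
    $objItem = $objResult.Properties

    # Users without a mail address cannot be notified
    $mail = get_first_value $objItem "mail"
    if ($mail -eq $null) { continue }

    # pwdLastSet absent or 0 means "must change password at next logon": there is
    # no expiry to warn about, and FromFileTime(0) would yield the year 1601.
    $pwdLastSetRaw = get_first_value $objItem "pwdlastset"
    if ($pwdLastSetRaw -eq $null -or [Int64]$pwdLastSetRaw -le 0) { continue }
    $userPwdLastSet = [datetime]::FromFileTime([Int64]$pwdLastSetRaw)

    # lastLogon is not replicated between DCs and may be missing on the DC that
    # answered this query; report it as $null rather than failing the whole run.
    $userLogon = $null
    $lastLogonRaw = get_first_value $objItem "lastlogon"
    if ($lastLogonRaw -ne $null) {
        $userLogon = [datetime]::FromFileTime([Int64]$lastLogonRaw)
    }

    # Whole days since the password was set and whole days until it expires
    $diffDate = [INT]([DateTime]::Now - $userPwdLastSet).TotalDays
    $remaining = $MaxPwdAge - $diffDate

    # Alert users inside the warning window but not those already expired
    # (remaining <= 0), so the script can run once every day without spamming
    # users who might be on leave.
    if (($remaining -le $max_alert) -and ($remaining -gt 0) -and ($diffDate -gt 0)) {
        $emailLink = "<a href='mailto:" + $mail + "'>" + $mail + "</a>"
        $selectedUser = New-Object psobject
        $selectedUser | Add-Member NoteProperty -Name "Name" -Value (get_first_value $objItem "name")
        $selectedUser | Add-Member NoteProperty -Name "Account" -Value (get_first_value $objItem "userprincipalname")
        $selectedUser | Add-Member NoteProperty -Name "Email" -Value $mail
        $selectedUser | Add-Member NoteProperty -Name "EmailLink" -Value $emailLink
        $selectedUser | Add-Member NoteProperty -Name "LastLogon" -Value $userLogon
        $selectedUser | Add-Member NoteProperty -Name "LastPwdSet" -Value $userPwdLastSet
        $selectedUser | Add-Member NoteProperty -Name "Ellapsed" -Value $diffDate
        $selectedUser | Add-Member NoteProperty -Name "Remaining" -Value $remaining
        $userlist += $selectedUser
    }
}
# SearchResultCollection holds an unmanaged handle; release it once enumerated
$colResults.Dispose()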
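# Send email for each user. A delivery failure for one user (malformed
# address, SMTP rejection) is logged and must not stop the remaining notices
# or the administrator report that follows.
foreach ($user in $userlist )
{
    try {
        send_email_user $user.Remaining $user.Email $user.Name $user.Account $smtpServer $smtpFrom
    }
    catch {
        Write-Warning "Could not notify $($user.Account) <$($user.Email)>: $($_.Exception.Message)"
    }
}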
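# Send email for Admins in reporting format if there are any users to report
if ( $userlist.Count -gt 0 )
{
    $today = Get-Date
    $style = @"
<style type="text/css">
body{background-color:#FFFFFF;font: 10pt/1.5 Verdana, Calibri, Arial;}
h1, h2, h3, h4, h5, h6 {
line-height: 120%;
margin: 0 0 0.5em 0;
color: #252525;
}
table {
border: 1px solid #CCC;
font-size:12px;
white-space: nowrap;
}
th {
border: 1px solid #CCC;
padding: 10px;
background-color:#FF4040;
height: 40px;
}
td{
border: 1px solid #CCC;
padding: 10px;
background-color:#FEFEFE;
height: 40px }
</style>
"@
    $body = @"
<h2>AD password expiration status report</h2>
<hr noshade/>
<p>The following users have passwords nearing expiration.</p>
<p>Generated: $today</p>
"@
    # Build the HTML report. ConvertTo-Html encodes every cell value, so a
    # directory attribute containing '<' or '&' cannot inject markup into the
    # mail; that encoding is never reversed. The plain Email cell is turned into
    # a mailto: link afterwards, and only when the cell is a bare address with
    # no markup-relevant characters. Rows are sorted by days remaining, soonest
    # first (the property is "Remaining").
    $bodyme = $userlist |
        Select-Object Name, Email, LastLogon, LastPwdSet, Ellapsed, Remaining |
        Sort-Object Remaining |
        ConvertTo-Html -Title "Active Directory password Status" -Body $body -Head $style |
        ForEach-Object {
            $line = $_ -replace '<td>([^<>&"\s]+@[^<>&"\s]+)</td>', '<td><a href="mailto:$1">$1</a></td>'
            # Widen the table; replace the tag in place rather than prepending a stray </table>
            $line -replace '<table>', '<table cellspacing=0 width=90%>'
        }
    send_email_admin $bodyme $smtpServer $smtpFrom $adminEmail
    #$bodyme | Out-File "output.html"
}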