UPDATE 2016-05-09: see https://jorgequestforknowledge.wordpress.com/2016/05/09/notifying-users-by-e-mail-their-password-is-going-to-expire-update-5/
–
Almost 6 years ago I wrote a blog post about and also wrote a tool to notify users through e-mail when their password was going to expire. You can read all the details about the idea here. Now that tool was very inflexible and because of that I received numerous requests to make it more flexible such as the ability to customize the e-mail message. With this blog post I’m sharing a brand new tool, based upon PowerShell, that will notify users through e-mail when their password is going to expire. So let’s get started in explaining on this works! I did not test all combinations! However, I do expect it to run on any Windows version as long as PowerShell is available. It should also work against any AD version and there is NO dependency on using the AD PowerShell CMDlets!. Everything is done through ADSI to be independent of Windows versions! It will also support PSOs if the DFL is high enough and PSOs are configured!
–
SYNTAX:
- <PoSH Script File> –> Runs The Script In Test Mode While NOT Sending Any E-Mails
- <PoSH Script File> -force:$true –> Runs The Script In DEV (One Mail To Configured Admin) Or TEST (All Mails To Configured Admin) Or PROD (Mails To Users) Mode While Sending Any E-Mails
–
Please provide feedback through the comments section OR you the contact page
–
DISCLAIMER (READ THIS!):
- I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
- The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
- This script is furnished "AS IS". No warranty is expressed or implied!
- I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
- Always test first in lab environment to see if it meets your needs!
- Use this script at your own risk!
- I do not warrant this script to be fit for any purpose, use or environment!
- I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
- I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
- I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
- If you do not accept these terms do not use the script in any way and delete it immediately!
–
REMARKS (READ THIS!):
- The script requires PowerShell v2.0 at a minimum
- This script must be able to read the contents of the PSO container in every AD domain the script will target!. By default only Domain Admins can read this.
- It is therefore needed to delegate those permissions to the account executing this PoSH script.
- For more information about this see the blog post: https://jorgequestforknowledge.wordpress.com/2007/08/09/windows-server-2008-fine-grained-password-policies/
- DSACLS "\\<Some RWDC>\CN=Password Settings Container,CN=System,<Your AD domain DN>" /G "<Some Security Principal>:GR" /I:T
- This assign <Some Security Principal> with Allow:Read on the Password Settings Container including its descendant objects
–
The tool uses an XML called "AD-Pwd-Exp-Notify.xml". It is pre-filled with examples from my test/demo environment. Make sure to change as needed to accommodate your own environment and requirements!
–
The script has four execution modes. When NOT running the PowerShell script with the ‘-force’ parameter, it will by default run in TEST mode without sending any e-mail to users regarding password expiry ("TEST (NO MAILINGS)"), no matter what the configuration in the XML files specifies. When running the PowerShell script with the ‘-force’ parameter, it will look in the XML file to see which execution mode to run in. When "DEV" is specified it will only send 1 mail to the SMTP address of the admin user specified in the "toSMTPAddressInTestMode" configuration field. This mode allows you to develop the solution being swamped in e-mails or impacting your users. When "TEST" is specified it will only send all mails to the SMTP address of the admin user specified in the "toSMTPAddressInTestMode" configuration field. This mode allows you to see/experience what your scoped/targeted users would see/experience without actually impacting them. When "PROD" is specified it will only send all mails to the SMTP address of the individual users. This really sends the e-mails to all the scoped/targeted individual users.
<!– Execution Mode: DEV (1 Mail To Admin User) or TEST (All Mails To Admin User) or PROD (All Mails To Individual Users) –>
<executionMode>DEV</executionMode>
–
The PowerShell script sends e-mail, therefore it requires a FROM e-mail address
<!– The SMTP Address Used In The FROM Field –>
<mailFromSender>general.DO-NOT-REPLY@iamtec.nl</mailFromSender>
–
To develop the solution and test it you can specify an SMTP address that will be used to send e-mails to, without impacting the real user community. That SMTP address will also be used for notifications is the SMTP server or DC is unavailable.
<!– The SMTP Address Used When Running In DEV/TEST Mode And Also Used For Notifications –>
<toSMTPAddressInTestMode>adm.root@iamtec.nl</toSMTPAddressInTestMode>
–
The PowerShell script sends e-mail, therefore it requires an SMTP server. A test connection to the SMTP server is made. If it fails the script aborts!
<!– FQDN Of The Mail Server Or Mail Relay –>
<smtpServer>MAIL.IAMTEC.NET</smtpServer>
–
The priority of the mail send can be configured as Low, Normal or High
<!– The Priority Of The Message: Low, Normal, High –>
<mailPriority>High</mailPriority>
–
The script supports multi-lingual messages. You must always specify a default language and for each language you must also specify a mail subject and the full path to HTML body file that contains the text in a specific language. Both the subject and the body support variables that can be replaced by the actual values. The script contains an example for US (English) and the same example for NL (Dutch).
<!– The File With The HTML Body Text For A Specific Language And The Subject. Supported Variables: FIRST_NAME, LAST_NAME, DISPLAY_NAME, FQDN_DOMAIN, PWD_EXPIRE_IN_NUM_DAYS, PWD_EXPIRY_DATE, PWD_MIN_LENGTH, PWD_MIN_AGE, PWD_MAX_AGE, PWD_HISTORY, PWD_COMPLEX, PWD_CHANGE_RESET_URL –>
<htmlBodyFiles>
<htmlBodyFile language="default" mailSubject="Expiring Password In Approx. PWD_EXPIRE_IN_NUM_DAYS Days – Change Your Password As Soon As Possible!" fullPath="D:\TEMP\ADPwdExpNotifyMessageBody_US.html" />
<htmlBodyFile language="US" mailSubject="Expiring Password In Approx. PWD_EXPIRE_IN_NUM_DAYS Days – Change Your Password As Soon As Possible!" fullPath="D:\TEMP\ADPwdExpNotifyMessageBody_US.html" />
<htmlBodyFile language="NL" mailSubject="Verlopen Wachtwoord In Ongeveer PWD_EXPIRE_IN_NUM_DAYS Dagen – Wijzig Uw Wachtwoord Zo Snel Als Mogelijk!" fullPath="D:\TEMP\ADPwdExpNotifyMessageBody_NL.html" />
</htmlBodyFiles>
–
If you have a web portal (e.g. FIM SSPR or Exchange Change Password) to change and/or reset the password, then you can specify it here
<!– The URL Where The Users Can Change Or Reset Their Password –>
<pwdChangeOrResetURL>https://ssprportal.iamtec.net:447/</pwdChangeOrResetURL>
–
Logging to screen can be enabled (ON) or disabled (OFF).
<!– Enable/Disable Logging To Screen: ON or OFF –>
<logToScreen>ON</logToScreen>
–
Logging tofile can be enabled (ON) or disabled (OFF).
<!– Enable/Disable Logging To A Log File: ON or OFF –>
<logToFile>ON</logToFile>
–
If logging is enabled, then you must specify the full path to the log file that will be used. The script itself will take date and time into account
<!– Full Path Of The Log File (.LOG Extension!) –>
<fullPathToLogFile>D:\TEMP\ADPwdExpNotify.log</fullPathToLogFile>
–
To make sure the disk is not swamped with a huge number of log files, you can specify for how many days the script will keep log files. Every log file older than the specified number will be deleted
<!– Number Of Days To Keep LOG Files –>
<numDaysLOGToKeep>30</numDaysLOGToKeep>
–
When enabled (ON), the script will export the information of users to a CSV file for troubleshooting and analyses. When disabled (OFF) nothing is exported.
<!– Enable/Disable Export Of Notified Accounts To A CSV File: ON or OFF –>
<exportToCSV>ON</exportToCSV>
–
If exporting is enabled, then you must specify the full path to the CSV file that will be used. The script itself will take date and time into account
<!– Full Path Of The CSV File (.CSV Extension!) –>
<fullPathToCSVFile>D:\TEMP\ADPwdExpNotify.csv</fullPathToCSVFile>
–
To make sure the disk is not swamped with a huge number of CSV files, you can specify for how many days the script will keep CSV files. Every CSV file older than the specified number will be deleted
<!– Number Of Days To Keep CSV Files –>
<numDaysCSVToKeep>30</numDaysCSVToKeep>
–
In the XML config file you can specify the date/time format to be used on screen, in the log, in the CSV and in the E-mail message
<!– Date And Time Format To Use On Screen, In Logs And In E-mail Message –>
<formatDateTime>yyyy-MM-dd HH:mm:ss</formatDateTime>
–
In this section you specify every AD domain in the AD forest, including trusting AD domains, for which its scoped/targeted users must be notified. For every AD domain, you then need to specify if an RWDC needs to be discovered (specifiy: DISCOVER) or you can specifically mention an RWDC that must be targeted. A test connection to the RWDC is made. If it fails the AD domain for that RWDC is fully skipped! Then for every AD domain, specify one or more search bases to scope/target users in the LDAP query. For every search base configure the language for the scoped/targeted users. Make sure that if you specify specific languages, that you also have configured the HTML Body File for that language
<!– Targeted Domains, Specify DISCOVER To Discover A DC Or Use Specific DC And Search Bases Per Domain –>
<!– WARNING: Make Sure The Search Bases DO NOT Overlap Each Other!!! –>
<domains>
<domain FQDN="IAMTEC.NET" DC="DISCOVER">
<searchBase nr="1" language="default">OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="2" language="US">OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="3" language="US">OU=Users,OU=CONTRACTORZZZ,OU=Org-Users,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="4" language="NL">OU=Users,OU=HISTORY1,OU=Org-Users,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="5" language="NL">OU=Users,OU=HISTORY2,OU=Org-Users,DC=IAMTEC,DC=NET</searchBase>
</domain>
<domain FQDN="CHILD.IAMTEC.NET" DC="C1FSRWDC1.CHILD.IAMTEC.NET">
<searchBase nr="1" language="default">OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=CHILD,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="2" language="US">OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=CHILD,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="3" language="US">OU=Users,OU=CONTRACTORZZZ,OU=Org-Users,DC=CHILD,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="4" language="NL">OU=Users,OU=HISTORY1,OU=Org-Users,DC=CHILD,DC=IAMTEC,DC=NET</searchBase>
<searchBase nr="5" language="NL">OU=Users,OU=HISTORY2,OU=Org-Users,DC=CHILD,DC=IAMTEC,DC=NET</searchBase>
</domain>
</domains>
–
In this section you can specify one or multiple periods of notifications. Make sure that none of the periods overlaps any other period!. In the example shown, the scoped/targeted user will receive 4 notifications assuming the script executes once every day. Also make sure the periods configured are in balance with the maximum password age!
<!– Number Of Days Before The Password Expires To Send Notifications –>
<!– WARNING: Make Sure The Periods DO NOT Overlap Each Other!!! –>
<daysBeforeWarn>
<period nr="1" Max="10" Min="9" />
<period nr="2" Max="5" Min="4" />
<period nr="3" Max="2" Min="0" />
</daysBeforeWarn>
–
Figure 1a: XML Configuration File
–
Figure 1b: XML Configuration File
–
Executing The Script
Executing the script to run in "DEV", "TEST" or "PROD" mode (whatever is configured in the XML configuration file) while using the default location of the XML configuration file (same folder as script)
.\AD-Pwd-Exp-Notify_v018.ps1 -force
–
Executing the script to run in "TEST (NO MAILINGS)" mode while using the default location of the XML configuration file (same folder as script)
.\AD-Pwd-Exp-Notify_v018.ps1
–
Executing the script to run in "TEST (NO MAILINGS)" mode while using a custom location of the XML configuration file
.\AD-Pwd-Exp-Notify_v018.ps1 -xmlconfigfilepath D:\TEMP\AD-Pwd-Exp-Notify.xml
–
Executing the script to run in "DEV", "TEST" or "PROD" mode (whatever is configured in the XML configuration file) while using custom location of the XML configuration file
.\AD-Pwd-Exp-Notify_v018.ps1 -xmlconfigfilepath D:\TEMP\AD-Pwd-Exp-Notify.xml -force
–
Example Output Of The Script (On Screen)
Figure 2a: Output To Screen
–
Figure 2b: Output To Screen
–
Figure 2c: Output To Screen
–
Figure 2d: Output To Screen
–
Figure 2e: Output To Screen
–
Example Output Of The Script (Log File)
See zip file
–
Example Output Of The Script (CSV file)
See zip file
–
E-mail Message For US English Language
Figure 3a: E-Mail Notification In English
–
Figure 3b: E-Mail Notification In English
–
E-mail Message For Dutch Language
Figure 4a: E-Mail Notification In Dutch
–
Figure 4b: E-Mail Notification In Dutch
–
And Finally….The PowerShell Script Itself
Version of version: v0.18
Date of script: 2015-10-13
–
### Abstract: This PoSH Script Notifies Mailbox Enabled Users For Which The Password Will Expires Within A Specific Number Of Days
### Written by: Jorge de Almeida Pinto [MVP-DS]
### BLOG: https://jorgequestforknowledge.wordpress.com/
###
### 2015-03-21: Initial version of the script in PowerShell (v0.13)
### 2015-03-26: Bug fixes regarding some attributes not having values (v0.14)
### 2015-03-27: Supporting date/time format in XML and incorrect variable being used to get the correct password policy settings (v0.15)
### 2015-04-29: Bug fixes regarding the default domain GPO getting no name when no PSOs are used or inheriting the name of the last processed PSO,
### the displayName of the development user not being processed correctly, and more enhanced error detection when discovering a DC for
### non-existing AD domain, and better explanation and information about the parameters and the script itself (v0.16)
### 2015-09-22: Bug fixes regarding specifying the script version and date after the parameter section (v0.17)
### 2015-10-13: Resolved a bug with regards to paging when searching (v0.18)
###
<#
.SYNOPSIS
This PoSH Script Notifies Mailbox Enabled Users For Which The Password Will Expires Within A Specific Number Of Days
.DESCRIPTION
This PoSH script notifies mailbox enabled users for which the password will expires within a specific number of days. The configuration of the
script is done through an XML file. The tool uses an XML called "AD-Pwd-Exp-Notify.xml". It is pre-filled with examples from my test/demo
environment. Make sure to change as needed to accommodate your own environment and requirements!
For detailed information about all configurable options see the sample XML file or browse to:
https://jorgequestforknowledge.wordpress.com/2015/03/24/notifying-users-by-e-mail-their-password-is-going-to-expire-update-1/
.PARAMETER force
Runs the script in whatever mode is configured in the XML file (e.g. "DEV", "TEST" or "PROD" mode)
.PARAMETER xmlconfigfilepath
Allows to use a custom location and custom XML file instead of the default XML file in the default location (same folder as the script)
.EXAMPLE
Executing the script to run in "TEST (NO MAILINGS)" mode while using the default location of the XML configuration file (same folder as script)
AD-Pwd-Exp-Notify_vXXX.ps1
.EXAMPLE
Executing the script to run in "DEV", "TEST" or "PROD" mode (whatever is configured in the XML configuration file) while using the default
location of the XML configuration file (same folder as script)
AD-Pwd-Exp-Notify_vXXX.ps1 -force
.EXAMPLE
Executing the script to run in "TEST (NO MAILINGS)" mode while using a custom location of the XML configuration file
AD-Pwd-Exp-Notify_vXXX.ps1 -xmlconfigfilepath D:\TEMP\AD-Pwd-Exp-Notify.xml
.EXAMPLE
Executing the script to run in "DEV", "TEST" or "PROD" mode (whatever is configured in the XML configuration file) while using custom location
of the XML configuration file
AD-Pwd-Exp-Notify_vXXX.ps1 -xmlconfigfilepath D:\TEMP\AD-Pwd-Exp-Notify.xml -force
.NOTES
-->> DISCLAIMER <<--
* I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
* The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
* This script is furnished "AS IS". No warranty is expressed or implied!
* I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
* Always test first in lab environment to see if it meets your needs!
* Use this script at your own risk!
* I do not warrant this script to be fit for any purpose, use or environment!
* I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
* I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
* I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
* If you do not accept these terms do not use the script in any way and delete it immediately!
-->> REMARKS <<--
* The script requires PowerShell v2.0 at a minimum
* This script must be able to read the contents of the PSO container in every AD domain the script will target!. By default only Domain Admins can read this.
* It is therefore needed to delegate those permissions to the account executing this PoSH script.
* For more information about this see the blog post: https://jorgequestforknowledge.wordpress.com/2007/08/09/windows-server-2008-fine-grained-password-policies/
* DSACLS "\\<Some RWDC>\CN=Password Settings Container,CN=System,<Your AD domain DN>" /G "<Some Security Principal>:GR" /I:T
>> This assigns <Some Security Principal> with Allow:Read on the Password Settings Container including its descendant objects
#>
Param(
[Parameter(Mandatory=$false)]
[string]$xmlconfigfilepath,
[Parameter(Mandatory=$false)]
[switch]$force
)
$scriptVersion = "v0.18"
$scriptDate = "2015-10-13"
##################################################################################################
#################################### SCRIPT FUNCTIONS START ######################################
##################################################################################################
##################################################################################################
### FUNCTION: Logging Data To The Log File
Function Logging($dataToLog) {
$datetimeLogLine = "[" + $(Get-Date -format $formatDateTime) + "] : "
If ($logToFile.ToUpper() -eq "ON") {
Out-File -filepath "$fullPathToLogFile" -append -inputObject "$datetimeLogLine$dataToLog"
}
If ($logToScreen.ToUpper() -eq "ON") {
Write-Output($datetimeLogLine + $dataToLog)
}
}
##################################################################################################
### FUNCTION: Cleaning Up Old Log Files
Function CleanUpLOGFiles($numDaysLOGToKeep) {
$regExPatternLogFile = '^.*_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}.log$'
$oldLogFiles = Get-ChildItem -Path $folderLogFile\*.log | ?{$_.Name -match $regExPatternLogFile}
$oldLogFilesToDelete = $oldLogFiles | ?{$_.lastwritetime -lt (Get-Date $execStartDateTime).addDays(-$numDaysLOGToKeep) -and -not $_.psiscontainer}
$oldLogFilesToDelete | %{Remove-Item $_.FullName -force}
Return ($oldLogFilesToDelete | Measure-Object).Count
}
##################################################################################################
### FUNCTION: Cleaning Up Old Csv Files
Function CleanUpCSVFiles($numDaysCSVToKeep) {
$regExPatternCsvFile = '^.*_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}.csv$'
$oldCsvFiles = Get-ChildItem -Path $folderCsvFile\*.csv | ?{$_.Name -match $regExPatternCsvFile}
$oldCsvFilesToDelete = $oldCsvFiles | ?{$_.lastwritetime -lt (Get-Date $execStartDateTime).addDays(-$numDaysCSVToKeep) -and -not $_.psiscontainer}
$oldCsvFilesToDelete | %{Remove-Item $_.FullName -force}
Return ($oldCsvFilesToDelete | Measure-Object).Count
}
##################################################################################################
### FUNCTION: Discover An RWDC From An AD Domain
Function DiscoverRWDC($fqdnADdomain) {
$contextADDomain = $NULL
$contextADDomain = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$fqdnADdomain)
$dnsHostNameRWDC = $NULL
$ErrorActionPreference = "SilentlyContinue"
$dnsHostNameRWDC = ([System.DirectoryServices.ActiveDirectory.DomainController]::findone($contextADDomain)).Name
$ErrorActionPreference = "Continue"
If ($dnsHostNameRWDC -eq $null) {
Return "DOMAIN_DOES_NOT_EXIST_OR_CANNOT_FIND_DC"
} Else {
Return $dnsHostNameRWDC
}
}
##################################################################################################
### FUNCTION: Check If An OU/Container Exists
Function CheckDNExistence($dnsHostNameRWDC,$DN) {
Try {
If([ADSI]::Exists("LDAP://$dnsHostNameRWDC/$DN")) {
Return "SUCCESS"
} Else {
Return "ERROR"
}
` } Catch {
Return "ERROR"
}
}
##################################################################################################
### FUNCTION: Test Connection To A Server
Function TestConnectionToServer($dnsHostName,$port) {
$tcpPortSocket = New-Object System.Net.Sockets.TcpClient
$timeOut = "500"
$portConnect = $tcpPortSocket.BeginConnect($dnsHostName,$port,$null,$null)
$tcpPortWait = $portConnect.AsyncWaitHandle.WaitOne($timeOut,$false)
If(!$tcpPortWait) {
$tcpPortSocket.Close()
Return "ERROR"
} Else {
$ErrorActionPreference = "SilentlyContinue"
$tcpPortSocket.EndConnect($portConnect) | Out-Null
If (!$?) {
Return "ERROR"
} Else {
Return "SUCCESS"
}
$tcpPortSocket.Close()
$ErrorActionPreference = "Continue"
}
}
##################################################################################################
### FUNCTION: Decode Functional Level
Function DecodeFunctionalLevel($dfl) {
Switch ($dfl) {
0 {"Windows 2000"}
1 {"Windows 2003 Interim"}
2 {"Windows 2003"}
3 {"Windows 2008"}
4 {"Windows 2008 R2"}
5 {"Windows 2012"}
6 {"Windows 2012 R2"}
#7 {"TBD"}
#8 {"TBD"}
#9 {"TBD"}
#10 {"TBD"}
Default {"If You See This, Something Is Wrong!"}
}
}
##################################################################################################
##################################### SCRIPT FUNCTIONS END #######################################
##################################################################################################
### Clear The Screen
Clear-Host
### Configure The Appropriate Screen And Buffer Size To Make Sure Everything Fits Nicely
$uiConfig = (Get-Host).UI.RawUI
$uiConfig.WindowTitle = "+++ AD PASSWORD EXPIRY NOTIFICATION +++"
$uiConfig.ForegroundColor = "Yellow"
$uiConfigBufferSize = $uiConfig.BufferSize
$uiConfigBufferSize.Width = 500
$uiConfigBufferSize.Height = 9999
$uiConfigScreenSizeMax = $uiConfig.MaxPhysicalWindowSize
$uiConfigScreenSizeMaxWidth = $uiConfigScreenSizeMax.Width
$uiConfigScreenSizeMaxHeight = $uiConfigScreenSizeMax.Height
$uiConfigScreenSize = $uiConfig.WindowSize
If ($uiConfigScreenSizeMaxWidth -lt 160) {
$uiConfigScreenSize.Width = $uiConfigScreenSizeMaxWidth
} Else {
$uiConfigScreenSize.Width = 160
}
If ($uiConfigScreenSizeMaxHeight -lt 75) {
$uiConfigScreenSize.Height = $uiConfigScreenSizeMaxHeight - 5
} Else {
$uiConfigScreenSize.Height = 75
}
$uiConfig.BufferSize = $uiConfigBufferSize
$uiConfig.WindowSize = $uiConfigScreenSize
### Script Configuration File
If ($xmlconfigfilepath -eq $null -or $xmlconfigfilepath -eq "") {
$currentScriptFolderPath = Split-Path $MyInvocation.MyCommand.Definition
[string]$scriptXMLConfigFilePath = Join-Path $currentScriptFolderPath "AD-Pwd-Exp-Notify.xml"
} Else {
[string]$scriptXMLConfigFilePath = $xmlconfigfilepath
}
### Start Time Of Script In UTC
$execStartDateTime = (Get-Date -format $formatDateTime)
$execStartDateTimeForFileSystem = (Get-Date $execStartDateTime -format "yyyy-MM-dd_HH-mm-ss")
### Read The Config File
If (!(Test-Path $scriptXMLConfigFilePath)) {
Write-Host "The XML Config File '$scriptXMLConfigFilePath' CANNOT Be Found!..." -ForeGroundColor Red
Write-Host "Aborting Script..." -ForeGroundColor Red
EXIT
} Else {
[XML]$global:configADPwdExpNotify = Get-Content $scriptXMLConfigFilePath
#Write-Host "The XML Config File '$scriptXMLConfigFilePath' Has Been Found!..." -ForeGroundColor Green
#Write-Host "Continuing Script..." -ForeGroundColor Green
#Write-Host ""
}
### Read The Properties From The XML Config File
$executionMode = $configADPwdExpNotify.ADPwdExpNotifyConfig.executionMode
$mailFromSender = $configADPwdExpNotify.ADPwdExpNotifyConfig.mailFromSender
$toSMTPAddressInTestMode = $configADPwdExpNotify.ADPwdExpNotifyConfig.toSMTPAddressInTestMode
$smtpServer = $configADPwdExpNotify.ADPwdExpNotifyConfig.smtpServer
$mailPriority = $configADPwdExpNotify.ADPwdExpNotifyConfig.mailPriority
$mailSubject = $configADPwdExpNotify.ADPwdExpNotifyConfig.mailSubject
$htmlBodyFiles = $configADPwdExpNotify.ADPwdExpNotifyConfig.htmlBodyFiles.htmlBodyFile
$pwdChangeOrResetURL = $configADPwdExpNotify.ADPwdExpNotifyConfig.pwdChangeOrResetURL
$logToScreen = $configADPwdExpNotify.ADPwdExpNotifyConfig.logToScreen
$logToFile = $configADPwdExpNotify.ADPwdExpNotifyConfig.logToFile
$fullPathToLogFile = $configADPwdExpNotify.ADPwdExpNotifyConfig.fullPathToLogFile -replace ".log","_$execStartDateTimeForFileSystem.log"
$folderLogFile = Split-Path $fullPathToLogFile
$numDaysLOGToKeep = $configADPwdExpNotify.ADPwdExpNotifyConfig.numDaysLOGToKeep
$exportToCSV = $configADPwdExpNotify.ADPwdExpNotifyConfig.exportToCSV
$fullPathToCSVFile = $configADPwdExpNotify.ADPwdExpNotifyConfig.fullPathToCSVFile -replace ".csv","_$execStartDateTimeForFileSystem.csv"
$folderCsvFile = Split-Path $fullPathToCSVFile
$numDaysCSVToKeep = $configADPwdExpNotify.ADPwdExpNotifyConfig.numDaysCSVToKeep
$formatDateTime = $configADPwdExpNotify.ADPwdExpNotifyConfig.formatDateTime
$domains = $configADPwdExpNotify.ADPwdExpNotifyConfig.domains.domain
$daysBeforeWarn = $configADPwdExpNotify.ADPwdExpNotifyConfig.daysBeforeWarn.Period
Logging "#######################################################################################"
Logging " *********************************************************"
Logging " * *"
Logging " * --> ACTIVE DIRECTORY PASSWORD EXPIRY NOTIFICATION <-- *"
Logging " * *"
Logging " * ($scriptVersion) ($scriptDate) *"
Logging " * *"
Logging " * Written By: Jorge de Almeida Pinto [MVP-DS] *"
Logging " * *"
Logging " * BLOG: 'Jorge's Quest For Knowledge' *"
Logging " * (https://jorgequestforknowledge.wordpress.com/) *"
Logging " * *"
Logging " *********************************************************"
Logging ""
Logging "Starting Date And Time...........: $execStartDateTime"
Logging ""
Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
### Logging All Configured Settings
Logging ""
Logging "XML Config File Path.............: $scriptXMLConfigFilePath"
Logging ""
If (!$force) {
$executionMode = "TEST (NO MAILINGS)"
}
Logging "Execution Mode...................: $executionMode"
Logging ""
Logging "Log To Screen....................: $logToScreen"
Logging ""
Logging "Log To File......................: $logToFile"
Logging ""
Logging "Log File Full Path...............: $fullPathToLogFile"
Logging ""
Logging "Log Files Folder.................: $folderLogFile"
Logging ""
Logging "Number Of Days Of Logs To Keep...: $numDaysLOGToKeep"
Logging ""
Logging "Export List Of User To CSV.......: $exportToCSV"
Logging ""
Logging "CSV File Full Path...............: $fullPathToCSVFile"
Logging ""
Logging "CSV Files Folder.................: $folderCsvFile"
Logging ""
Logging "Number Of Days Of CSVs To Keep...: $numDaysCSVToKeep"
Logging ""
$smtpServerStatus = $NULL
$smtpServerStatus = TestConnectionToServer $smtpServer "25"
Logging "SMTP Server......................: $smtpServer (Status: $smtpServerStatus)"
Logging ""
If ($smtpServerStatus.ToUpper() -eq "ERROR") {
EXIT
}
Logging "Sender Address...................: $mailFromSender"
Logging ""
If ($executionMode.ToUpper() -eq "TEST (NO MAILINGS)") {
Logging "Recipient Address................: None"
}
If ($executionMode.ToUpper() -eq "DEV" -Or $executionMode.ToUpper() -eq "TEST") {
Logging "Recipient Address................: $toSMTPAddressInTestMode"
}
If ($executionMode.ToUpper() -eq "PROD") {
Logging "Recipient Address................: Individual Users"
}
Logging ""
Logging "Message Priority.................: $mailPriority"
$htmlBodyFiles | %{
$language = $_.language
$mailSubject = $_.mailSubject
$fullPath = $_.fullPath
Logging ""
Logging "Message Subject..................: ($language) $mailSubject"
Logging ""
Logging "HTML Body File...................: ($language) $fullPath"
}
Logging ""
Logging "Change/Reset PWD URL.............: $pwdChangeOrResetURL"
Logging ""
Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
### Cleaning Up Old Log and Csv Files
Logging ""
Logging "Cleaning Up Old Log Files. Keeping Log Files From Last $numDaysLOGToKeep Days..."
$oldLogFilesToDeleteCount = CleanUpLOGFiles $numDaysLOGToKeep
Logging " --> Number Of Old Log Files Deleted...: $oldLogFilesToDeleteCount"
Logging ""
Logging "Cleaning Up Old Csv Files. Keeping Csv Files From Last $numDaysCSVToKeep Days..."
$oldCsvFilesToDeleteCount = CleanUpCSVFiles $numDaysCSVToKeep
Logging " --> Number Of Csv Log Files Deleted...: $oldCsvFilesToDeleteCount"
Logging ""
Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
### Creating An Empty Array For All Queried Users (Not Necessarily The Same List Of Users That Will Be Notified!)
$listOfQueriedUsers = @()
### Processing Each Configured AD Domain In The XML Config File
Logging ""
Logging "Processing Configured AD Domains..."
### Go Through Every Configured AD Domain
$domains | %{
### The FQDN Of The AD Domain From The XML Config File
$fqdnADdomain = $_.FQDN
Logging ""
Logging "** AD Domain: $fqdnADdomain **"
### The FQDN Of The DC From The XML Config File
$fqdnDC = $_.DC
### If DISCOVER Was Specified Instead Of A Specific (Static) DC, Then Discover The Nearest RWDC And Use That One
If ($fqdnDC.ToUpper() -eq "DISCOVER") {
$fqdnDC = DiscoverRWDC $fqdnADdomain
### Check If The RWDC Is Available
If ($fqdnDC -eq "DOMAIN_DOES_NOT_EXIST_OR_CANNOT_FIND_DC") {
$dcStatus = "ERROR"
Logging ""
Logging " --> FQDN DC: $fqdnDC (Discovered) (Status: $dcStatus)"
} Else {
$dcStatus = $NULL
$dcStatus = TestConnectionToServer $fqdnDC "389"
Logging ""
Logging " --> FQDN DC: $fqdnDC (Discovered) (Status: $dcStatus)"
}
} Else {
### Check If The RWDC Is Available
$dcStatus = $NULL
$dcStatus = TestConnectionToServer $fqdnDC "389"
Logging ""
Logging " --> FQDN DC: $fqdnDC (Static) (Status: $dcStatus)"
}
### If There Is Something Wrong With The RWDC, Then Abort Processing For This AD Domain And Send Mail About It
If ($dcStatus -eq "ERROR" -And $fqdnDC -ne "DOMAIN_DOES_NOT_EXIST_OR_CANNOT_FIND_DC") {
Logging " --> SKIPPED DUE TO ERROR - UNABLE TO CONTACT DC!"
Logging ""
Send-MailMessage -SmtpServer $smtpServer -From $mailFromSender -To $toSMTPAddressInTestMode -Priority High -Subject "Error With DC From AD Domain!" -Body "There Are Connectivity Issues With The DC '$fqdnDC' From The AD Domain '$fqdnADdomain'!" -BodyAsHtml
}
If ($dcStatus -eq "ERROR" -And $fqdnDC -eq "DOMAIN_DOES_NOT_EXIST_OR_CANNOT_FIND_DC") {
Logging " --> SKIPPED DUE TO ERROR - DOMAIN DOES NOT EXIST OR CANNOT FIND DC!"
Logging ""
Send-MailMessage -SmtpServer $smtpServer -From $mailFromSender -To $toSMTPAddressInTestMode -Priority High -Subject "Error With DC From AD Domain!" -Body "The AD Domain '$fqdnADdomain' Does Not Exist Or Unable To Discover A DC For The AD Domain '$fqdnADdomain'!" -BodyAsHtml
}
### If The AD Domain Does Exist And The DC Can Be Discovered And It Can Be Contacted
If ($dcStatus -eq "SUCCESS") {
### Connect To The RootDSE Of The RWDC And Get Info From It
$RootDSE = [ADSI]"LDAP://$fqdnDC/RootDSE"
$dfl = $RootDSE.domainFunctionality
$defaultNC = $RootDSE.defaultNamingContext
Logging ""
Logging " --> DFL: $dfl ($(DecodeFunctionalLevel $dfl))"
Logging ""
Logging " --> Default NC: $defaultNC"
### PWD Policies From The AD Domain
### If Domain Functional Level Is At Least 3 (Windows 2008) Or Higher Then Check For Any Configured Password Settings Object (PSO) And Get The Settings For Each PSO
If ($dfl -ge 3) {
Logging ""
Logging " --> PSOs In AD Domain"
### PSO Container (REMEMBER: The Account Running This Script Must Have Allow:Read Permissions On The PSO Container Itself And Sub Objects
$psoContainerDN = "CN=Password Settings Container,CN=System,$defaultNC"
### Setup The LDAP Query To Get All PSOs And Execute The Query
$searchRoot = $NULL
$searchRoot = [ADSI]"LDAP://$fqdnDC/$psoContainerDN"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter = "(objectClass=msDS-PasswordSettings)"
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000
$propertyList = "distinguishedName","name","msDS-MaximumPasswordAge","msDS-MinimumPasswordAge","msDS-MinimumPasswordLength","msDS-PasswordComplexityEnabled","msDS-PasswordHistoryLength"
ForEach ($property in $propertyList){
$searcher.PropertiesToLoad.Add($property) | Out-Null
}
$results = $NULL
$results = $searcher.FindAll()
### For Every Discovered PSO Get Its Properties (REMEMBER: The Account Running This Script Must Have Allow:Read Permissions On The PSO Container Itself And Sub Objects
If ($results -ne $null) {
$pwdPolicyInDomain = @()
$results | %{
$pwdPolicyPSOInDomainObj = "" | Select DN,name,MaxPwdAge,MinPwdAge,MinPwdLength,PwdComplexity,PwdHistoryLength
$pwdPolicyPSOInDomainObj.DN = $_.Properties.distinguishedname[0]
$psoName = $_.Properties.name[0]
$pwdPolicyPSOInDomainObj.name = $($psoName + " (" + $fqdnADdomain + ")")
Logging ""
Logging " --> Name............: $psoName"
$psoMaxPwdAge = [System.TimeSpan]::FromTicks([System.Math]::ABS($_.Properties."msds-maximumpasswordage"[0])).Days
$pwdPolicyPSOInDomainObj.MaxPwdAge = $psoMaxPwdAge
Logging " --> Max Pwd Age.....: $psoMaxPwdAge"
$psoMinPwdAge = [System.TimeSpan]::FromTicks([System.Math]::ABS($_.Properties."msds-minimumpasswordage"[0])).Days
$pwdPolicyPSOInDomainObj.MinPwdAge = $psoMinPwdAge
Logging " --> Min Pwd Age.....: $psoMinPwdAge"
$psoMinPwdLength = $_.Properties."msds-minimumpasswordlength"[0]
$pwdPolicyPSOInDomainObj.MinPwdLength = $psoMinPwdLength
Logging " --> Min Pwd Length..: $psoMinPwdLength"
If ($_.Properties."msds-passwordcomplexityenabled"[0]) {
$pwdPolicyPSOInDomainObj.PwdComplexity = "TRUE"
Logging " --> Pwd Complexity..: TRUE"
} Else {
$pwdPolicyPSOInDomainObj.PwdComplexity = "FALSE"
Logging " --> Pwd Complexity..: FALSE"
}
$psoPwdHistoryLength = $_.Properties."msds-passwordhistorylength"[0]
$pwdPolicyPSOInDomainObj.PwdHistoryLength = $psoPwdHistoryLength
Logging " --> Pwd Complexity..: $psoPwdHistoryLength"
$pwdPolicyInDomain += $pwdPolicyPSOInDomainObj
}
}
$searcher = $NULL
$results = $NULL
}
### Get The Password Policy Settings From The Default Domain GPO Which Are Also Registered On The AD Domain NC Head
Logging ""
Logging " --> Default Domain GPO Password Settings"
### Setup The LDAP Query To Get The Password Policy Settings From The Default Domain GPO And Execute The Query
$searchRoot = $NULL
$searchRoot = [ADSI]"LDAP://$fqdnDC/$defaultNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.SearchScope = "Base"
$propertyList = "maxPwdAge","minPwdAge","minPwdLength","pwdProperties","pwdHistoryLength"
ForEach ($property in $propertyList){
$searcher.PropertiesToLoad.Add($property) | Out-Null
}
$results = $NULL
$results = $searcher.FindOne()
### Get The Properties And Process Them
$results | %{
$pwdPolicyGPOInDomainObj = "" | Select DN,name,MaxPwdAge,MinPwdAge,MinPwdLength,PwdComplexity,PwdHistoryLength
$pwdPolicyGPOInDomainObj.DN = $defaultNC[0]
$gpoName = "DefaultDomainGPO (" + $fqdnADdomain + ")"
$pwdPolicyGPOInDomainObj.name = $gpoName
Logging ""
Logging " --> Name............: $gpoName"
$gpoMaxPwdAge = [System.TimeSpan]::FromTicks([System.Math]::ABS($_.Properties.maxpwdage[0])).Days
$pwdPolicyGPOInDomainObj.MaxPwdAge = $gpoMaxPwdAge
Logging " --> Max Pwd Age.....: $gpoMaxPwdAge"
$gpoMinPwdAge = [System.TimeSpan]::FromTicks([System.Math]::ABS($_.Properties.minpwdage[0])).Days
$pwdPolicyGPOInDomainObj.MinPwdAge = $gpoMinPwdAge
Logging " --> Min Pwd Age.....: $gpoMinPwdAge"
$psoMinPwdLength = $_.Properties.minpwdlength[0]
$pwdPolicyGPOInDomainObj.MinPwdLength = $psoMinPwdLength
Logging " --> Min Pwd Length..: $psoMinPwdLength"
If (($results.Properties.pwdproperties[0] -band 0x1) -Eq 1) {
$pwdPolicyGPOInDomainObj.PwdComplexity = "TRUE"
Logging " --> Pwd Complexity..: TRUE"
} Else {
$pwdPolicyGPOInDomainObj.PwdComplexity = "FALSE"
Logging " --> Pwd Complexity..: FALSE"
}
$gpoPwdHistoryLength = $_.Properties.pwdhistorylength[0]
$pwdPolicyGPOInDomainObj.PwdHistoryLength = $gpoPwdHistoryLength
Logging " --> Pwd Complexity..: $gpoPwdHistoryLength"
$pwdPolicyInDomain += $pwdPolicyGPOInDomainObj
}
$searcher = $NULL
$results = $NULL
Logging ""
Logging " --> Search Bases In AD Domain"
### Processing Each Configured Search Base Within An AD Domain In The XML Config File
$searchBases = $_.searchBase
$searchBases | %{
$searchBase = $_."#text"
$languageForUser = $_.language
$mailSubjectForUser = ($htmlBodyFiles | ?{$_.language -eq $languageForUser}).mailSubject
$htmlBodyFileForUser = ($htmlBodyFiles | ?{$_.language -eq $languageForUser}).fullPath
Logging ""
### Let's Make Sure The Configured Search Base Does Exist
$searchBaseStatus = $NULL
$searchBaseStatus = CheckDNExistence $fqdnDC $searchBase
Logging " --> Search Base..........: $searchBase (Status: $searchBaseStatus)"
### If The Search Base Does Exist Then Continue
If ($searchBaseStatus -eq "SUCCESS") {
### Setup The LDAP Query To Get The User Objects And Execute The Query
$searchRoot = $NULL
$searchRoot = [ADSI]"LDAP://$fqdnDC/$searchBase"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536))(mail=*)(!(pwdLastSet=0)))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000
$propertyList = "distinguishedName","givenName","sn","displayName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed","accountExpires","msDS-ResultantPSO"
ForEach ($property in $propertyList){
$searcher.PropertiesToLoad.Add($property) | Out-Null
}
$results = $NULL
$results = $searcher.FindAll()
$userCountInSearchBase = ($results | Measure-Object).Count
Logging " --> Queried User Count...: $userCountInSearchBase"
Logging " --> Specified Language...: $languageForUser"
### Get The Properties And Process Them
$results | %{
$listOfQueriedUsersObj = "" | Select "FQDN AD Domain",DN,"Given Name","Last Name","Display Name","E-Mail Address","PWD Last Set","PWD Expire Date","Days Until PWD Expiry","Account Expiry Date","Days Until Account Expiry","Effective PWD Policy","Language","Mail Subject","HTML Body File"
$listOfQueriedUsersObj."FQDN AD Domain" = $fqdnADdomain
$listOfQueriedUsersObj.DN = $_.Properties.distinguishedname[0]
If ($_.Properties.givenname -ne $null) {
$listOfQueriedUsersObj."Given Name" = $_.Properties.givenname[0]
} Else {
$listOfQueriedUsersObj."Given Name" = $null
}
If ($_.Properties.sn -ne $null) {
$listOfQueriedUsersObj."Last Name" = $_.Properties.sn[0]
} Else {
$listOfQueriedUsersObj."Last Name" = $null
}
If ($_.Properties.displayname -ne $null) {
$listOfQueriedUsersObj."Display Name" = $_.Properties.displayname[0]
} Else {
$listOfQueriedUsersObj."Display Name" = $null
}
$listOfQueriedUsersObj."E-Mail Address" = $_.Properties.mail[0]
$adUserPwdLastSet = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($_.Properties.pwdlastset[0]))) -Format $formatDateTime
$listOfQueriedUsersObj."PWD Last Set" = $adUserPwdLastSet
$adUserPwdExpires = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($_.Properties."msds-userpasswordexpirytimecomputed"[0]))) -Format $formatDateTime
$listOfQueriedUsersObj."PWD Expire Date" = $adUserPwdExpires
$timeDiffPwdExpiryInDays = (New-TimeSpan -Start $execStartDateTime -end $adUserPwdExpires).TotalDays
$listOfQueriedUsersObj."Days Until PWD Expiry" = $timeDiffPwdExpiryInDays
$adUserAccountExpires = $_.Properties.accountexpires[0]
### If An Account Is Configured With Never Expires, Then Assign An Insane End Date To Be Able To Perform Calculations
If ($adUserAccountExpires -eq 9223372036854775807 -Or $adUserAccountExpires -eq 0) {
$adUserAccountExpires = Get-Date "9999-12-31 23:59:59" -format $formatDateTime
} Else {
$adUserAccountExpires = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($adUserAccountExpires))) -Format $formatDateTime
}
$listOfQueriedUsersObj."Account Expiry Date" = $adUserAccountExpires
$timeDiffAccountExpiryInDays = (New-TimeSpan -Start $execStartDateTime -end $adUserAccountExpires).TotalDays
$listOfQueriedUsersObj."Days Until Account Expiry" = $timeDiffAccountExpiryInDays
If ($_.Properties."msds-resultantpso" -ne $null) {
$effectivePWDPolicyDN = $_.Properties."msds-resultantpso"[0]
} Else {
$effectivePWDPolicyDN = $defaultNC
}
$effectivePWDPolicyName = ($pwdPolicyInDomain | ?{$_.DN -eq $effectivePWDPolicyDN}).name
$listOfQueriedUsersObj."Effective PWD Policy" = $effectivePWDPolicyName
$listOfQueriedUsersObj."Language" = $languageForUser
$listOfQueriedUsersObj."Mail Subject" = $mailSubjectForUser
$listOfQueriedUsersObj."HTML Body File" = $htmlBodyFileForUser
$listOfQueriedUsers += $listOfQueriedUsersObj
}
$searcher = $NULL
$results = $NULL
} Else {
### If The Search Base Does NOT Exist Then Skip That Search Base And Send Mail About It
Logging " --> SKIPPED DUE TO ERROR!"
Send-MailMessage -SmtpServer $smtpServer -From $mailFromSender -To $toSMTPAddressInTestMode -Priority High -Subject "Error With Defined SearchBase!" -Body "The Search Base '$searchBase' Does Not Exist!" -BodyAsHtml
}
}
}
}
Logging ""
Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
### Now Having The List Of Queried Users, Determine Which Of Those Users Require E-mail Notification Based Upon The Configured Warning Periods
Logging ""
Logging "Processing Warning Periods..."
### From The List Of Queried Users, Get Those Users For Which The AD User Account Has Not Expired Yet
$listOfUsersWithNonExpiredAccounts = $listOfQueriedUsers | ?{$_."Days Until Account Expiry" -gt 0}
### Creating An Empty Array For Users That Will Be Notified!
$listOfUsersWithExpiringPWDToNotify = @()
### Process Every Configured Warning Period. Make Sure In The XML NOT To Have Overlapping Periods!
$daysBeforeWarn | %{
$max = $_.max
$min = $_.min
Logging ""
Logging "** Period: Max: $max Days | Min: $min Days **"
$listOfUsersWithinWarningPeriod = $listOfUsersWithNonExpiredAccounts | ?{$_."Days Until PWD Expiry" -lt $max -And $_."Days Until PWD Expiry" -gt $min}
$userCountInWarningPeriod = ($listOfUsersWithinWarningPeriod | Measure-Object).Count
Logging " --> User Count Within Warning Period...: $userCountInWarningPeriod"
$listOfUsersWithExpiringPWDToNotify += $listOfUsersWithinWarningPeriod
}
### If If Was Configured To Export The List Of Users That Will Be Notified, Than Do So!
If ($exportToCSV.ToUpper() -eq "ON") {
$listOfUsersWithExpiringPWDToNotify | Export-Csv -Path $fullPathToCSVFile -NoTypeInformation
}
#Logging ""
#Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
### Show On Screen The List Of Queried Users Including Some Details
#Logging ""
#Logging "List Of Queried Users..."
#$listOfUsersWithNonExpiredAccounts | FT "FQDN AD Domain",DN,"Given Name","Last Name","Display Name","E-Mail Address","PWD Last Set","PWD Expire Date","Days Until PWD Expiry","Account Expiry Date","Days Until Account Expiry","Effective PWD Policy","Language","Mail Subject","HTML Body File" -Autosize
#$listOfUsersWithNonExpiredAccounts | FT "FQDN AD Domain","Display Name","E-Mail Address","PWD Expire Date","Days Until PWD Expiry","Effective PWD Policy","Language" -Autosize
#$userCountQueried = ($listOfUsersWithNonExpiredAccounts | Measure-Object).Count
#Logging "--> User Count To Be Queried....: $userCountQueried"
Logging ""
Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
### Show On Screen The List Of Users That Will Be Notified, Including Some Details
Logging ""
Logging "List Of Notified Users..."
#$listOfUsersWithExpiringPWDToNotify | FT "FQDN AD Domain",DN,"Given Name","Last Name","Display Name","E-Mail Address","PWD Last Set","PWD Expire Date","Days Until PWD Expiry","Account Expiry Date","Days Until Account Expiry","Effective PWD Policy","Language","Mail Subject","HTML Body File" -Autosize
$listOfUsersWithExpiringPWDToNotify | FT "FQDN AD Domain","Display Name","E-Mail Address","PWD Expire Date","Days Until PWD Expiry","Effective PWD Policy","Language" -Autosize
$userCountNotified = ($listOfUsersWithExpiringPWDToNotify | Measure-Object).Count
Logging "--> User Count To Be Notified...: $userCountNotified"
### If The FORCE Parameter Was NOT Specified With TRUE Then DO NOT Send Any E-Mail
If ($executionMode.ToUpper() -eq "TEST (NO MAILINGS)") {
Logging ""
Logging " --> No Notifications Have Been Send!"
} Else {
### When Running In DEV Mode Execute This Part
If ($executionMode.ToUpper() -eq "DEV") {
Logging ""
Logging "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
Logging ""
Logging "Displaying Information Of The Development User..."
### Get The Current AD Domain
$ThisADDomain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$fqdnThisADDomain = $ThisADDomain.Name
### Discover An RWDC For That Current AD Domain
$fqdnDC = DiscoverRWDC $fqdnThisADDomain
### Setup The LDAP Query To Get The Information Of The User And Execute The Query
$RootDSE = [ADSI]"LDAP://$fqdnDC/RootDSE"
$defaultNC = $RootDSE.defaultNamingContext
$searchRoot = $NULL
$searchRoot = [ADSI]"LDAP://$fqdnDC/$defaultNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(|(proxyAddresses=smtp:$toSMTPAddressInTestMode)(proxyAddresses=SMTP:$toSMTPAddressInTestMode)))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000
$propertyList = "distinguishedName","givenName","sn","displayName","pwdLastSet","msDS-UserPasswordExpiryTimeComputed","msDS-ResultantPSO"
ForEach ($property in $propertyList){
$searcher.PropertiesToLoad.Add($property) | Out-Null
}
$results = $NULL
$results = $searcher.FindOne()
### Get The Properties Of The User
If ($results.Properties.givenname -ne $null) {
$adUserGivenName = $results.Properties.givenname[0]
} Else {
$adUserGivenName = "NO-VALUE"
}
If ($results.Properties.sn -ne $null) {
$adUserSn = $results.Properties.sn[0]
} Else {
$adUserSn = "NO-VALUE"
}
If ($results.Properties.displayname -ne $null) {
$adUserDisplayName = $results.Properties.displayname[0]
} Else {
$adUserDisplayName = "NO-VALUE"
}
$adUserPwdLastSet = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($results.Properties.pwdlastset[0]))) -Format $formatDateTime
$adUserPwdExpires = $results.Properties."msds-userpasswordexpirytimecomputed"[0]
### If A Password Is Configured With Never Expires, Then Assign An Insane End Date To Be Able To Perform Calculations
If ($adUserPwdExpires -eq 9223372036854775807 -Or $adUserAccountExpires -eq 0) {
$adUserPwdExpires = Get-Date "9999-12-31 23:59:59" -format $formatDateTime
} Else {
$adUserPwdExpires = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($adUserPwdExpires))) -Format $formatDateTime
}
$timeDiffPwdExpiryInDays = (New-TimeSpan -Start $execStartDateTime -end $adUserPwdExpires).TotalDays
If ($results.Properties."msds-resultantpso" -ne $null) {
$effectivePWDPolicyDN = $results.Properties."msds-resultantpso"[0]
} Else {
$effectivePWDPolicyDN = $defaultNC
}
$effectivePWDPolicyOnUser = $pwdPolicyInDomain | ?{$_.DN -eq $effectivePWDPolicyDN}
### Get The Settings Of The Effective PWD Policy On The User
$policyPWDName = $effectivePWDPolicyOnUser.Name
$policyPWDMinLength = $effectivePWDPolicyOnUser.MinPwdLength
$policyPWDMinAge = $effectivePWDPolicyOnUser.MinPwdAge
$policyPWDMaxAge = $effectivePWDPolicyOnUser.MaxPwdAge
$policyPWDHistory = $effectivePWDPolicyOnUser.PwdHistoryLength
$policyPWDComplexity = $effectivePWDPolicyOnUser.PwdComplexity
### Get The Content Of The HTML File That Will Be Used For The E-Mails
$languageForUser = "default"
$mailSubjectForUser = ($htmlBodyFiles | ?{$_.language -eq $languageForUser}).mailSubject
$htmlBodyFileForUser = ($htmlBodyFiles | ?{$_.language -eq $languageForUser}).fullPath
$mailBodyForUser = Get-Content $htmlBodyFileForUser
Logging ""
Logging "Display Name................: $adUserDisplayName"
Logging "First Name..................: $adUserGivenName"
Logging "Last Name...................: $adUserSn"
Logging "PWD Last Set................: $adUserPwdLastSet"
Logging "PWD Expiry Date.............: $adUserPwdExpires"
Logging "Days Until PWD Expiry Date..: $timeDiffPwdExpiryInDays ($([math]::Round($timeDiffPwdExpiryInDays)))"
Logging "Effective PWD Policy Name...: $policyPWDName"
Logging "Effective PWD Min Length....: $policyPWDMinLength"
Logging "Effective PWD Min Age.......: $policyPWDMinAge"
Logging "Effective PWD Max Age.......: $policyPWDMaxAge"
Logging "Effective PWD History.......: $policyPWDHistory"
Logging "Effective PWD Complexity....: $policyPWDComplexity"
Logging "Language....................: $languageForUser"
Logging "Mail Subject................: $mailSubjectForUser"
Logging "HTML Body File..............: $htmlBodyFileForUser"
### Replace Any Variables In The SUBJECT With The Actual Values
$mailSubject = $mailSubjectForUser -replace "FIRST_NAME",$adUserGivenName
$mailSubject = $mailSubject -replace "LAST_NAME",$adUserSn
$mailSubject = $mailSubject -replace "DISPLAY_NAME",$adUserDisplayName
$mailSubject = $mailSubject -replace "FQDN_DOMAIN",$fqdnThisADDomain
$mailSubject = $mailSubject -replace "PWD_EXPIRY_DATE",$adUserPwdExpires
$mailSubject = $mailSubject -replace "PWD_EXPIRE_IN_NUM_DAYS",[math]::Round($timeDiffPwdExpiryInDays)
$mailSubject = $mailSubject -replace "PWD_MIN_LENGTH",$policyPWDMinLength
$mailSubject = $mailSubject -replace "PWD_MIN_AGE",$policyPWDMinAge
$mailSubject = $mailSubject -replace "PWD_MAX_AGE",$policyPWDMaxAge
$mailSubject = $mailSubject -replace "PWD_HISTORY",$policyPWDHistory
$mailSubject = $mailSubject -replace "PWD_COMPLEX",$policyPWDComplexity
$mailSubject = $mailSubject -replace "PWD_CHANGE_RESET_URL",$pwdChangeOrResetURL
### Replace Any Variables In The BODY With The Actual Values
$mailBody = $mailBodyForUser -replace "FIRST_NAME",$adUserGivenName
$mailBody = $mailBody -replace "LAST_NAME",$adUserSn
$mailBody = $mailBody -replace "DISPLAY_NAME",$adUserDisplayName
$mailBody = $mailBody -replace "FQDN_DOMAIN",$fqdnThisADDomain
$mailBody = $mailBody -replace "PWD_EXPIRY_DATE",$adUserPwdExpires
$mailBody = $mailBody -replace "PWD_EXPIRE_IN_NUM_DAYS",[math]::Round($timeDiffPwdExpiryInDays)
$mailBody = $mailBody -replace "PWD_MIN_LENGTH",$policyPWDMinLength
$mailBody = $mailBody -replace "PWD_MIN_AGE",$policyPWDMinAge
$mailBody = $mailBody -replace "PWD_MAX_AGE",$policyPWDMaxAge
$mailBody = $mailBody -replace "PWD_HISTORY",$policyPWDHistory
$mailBody = $mailBody -replace "PWD_COMPLEX",$policyPWDComplexity
$mailBody = $mailBody -replace "PWD_CHANGE_RESET_URL",$pwdChangeOrResetURL
### Send A Notification E-Mail About The Expiring Password
Send-MailMessage -SmtpServer $smtpServer -From $mailFromSender -To $toSMTPAddressInTestMode -Priority $mailPriority -Subject $mailSubject -Body $($mailBody | Out-String) -BodyAsHtml
Logging ""
Logging " --> Notifying '$adUserDisplayName' by sending an e-mail to '$toSMTPAddressInTestMode'"
} Else {
### When Running In TEST Or PROD Mode Execute This Part
### Process Any User With Expiring Password And Send E-Mail Notification About The Expiring Password
$listOfUsersWithExpiringPWDToNotify | %{
### If The FORCE Parameter Was Specified With TRUE Then Send E-Mail Based On The Configured Execution Mode
If ($executionMode.ToUpper() -eq "TEST") {
### For All Users Send E-Mail Notifications To The Configured Admin Mail Address
$mailToRecipient = $toSMTPAddressInTestMode
}
If ($executionMode.ToUpper() -eq "PROD") {
### For All Users Send E-Mail Notifications To The E-Mail Address Of Each User
$mailToRecipient = $_."E-Mail Address"
}
### Get The Display Name Of The User
$displayNameUser = $_."Display Name"
### Get The Effective PWD Policy On The User
$effectivePWDPolicyNameOnUser = $_."Effective PWD Policy"
$effectivePWDPolicyOnUser = $pwdPolicyInDomain | ?{$_.Name -eq $effectivePWDPolicyNameOnUser}
### Get The Settings Of The Effective PWD Policy On The User
$policyPWDMinLength = $effectivePWDPolicyOnUser.MinPwdLength
$policyPWDMinAge = $effectivePWDPolicyOnUser.MinPwdAge
$policyPWDMaxAge = $effectivePWDPolicyOnUser.MaxPwdAge
$policyPWDHistory = $effectivePWDPolicyOnUser.PwdHistoryLength
$policyPWDComplexity = $effectivePWDPolicyOnUser.PwdComplexity
### Get The Content Of The HTML File That Will Be Used For The E-Mails
$languageForUser = $_.Language
$mailSubjectForUser = ($htmlBodyFiles | ?{$_.language -eq $languageForUser}).mailSubject
$htmlBodyFileForUser = ($htmlBodyFiles | ?{$_.language -eq $languageForUser}).fullPath
$mailBodyForUser = Get-Content $htmlBodyFileForUser
### Replace Any Variables In The SUBJECT With The Actual Values
$mailSubject = $mailSubjectForUser -replace "FIRST_NAME",$_."Given Name"
$mailSubject = $mailSubject -replace "LAST_NAME",$_."Last Name"
$mailSubject = $mailSubject -replace "DISPLAY_NAME",$_."Display Name"
$mailSubject = $mailSubject -replace "FQDN_DOMAIN",$_."FQDN AD Domain"
$mailSubject = $mailSubject -replace "PWD_EXPIRY_DATE",$_."PWD Expire Date"
$mailSubject = $mailSubject -replace "PWD_EXPIRE_IN_NUM_DAYS",[math]::Round($_."Days Until PWD Expiry")
$mailSubject = $mailSubject -replace "PWD_MIN_LENGTH",$policyPWDMinLength
$mailSubject = $mailSubject -replace "PWD_MIN_AGE",$policyPWDMinAge
$mailSubject = $mailSubject -replace "PWD_MAX_AGE",$policyPWDMaxAge
$mailSubject = $mailSubject -replace "PWD_HISTORY",$policyPWDHistory
$mailSubject = $mailSubject -replace "PWD_COMPLEX",$policyPWDComplexity
$mailSubject = $mailSubject -replace "PWD_CHANGE_RESET_URL",$pwdChangeOrResetURL
### Replace Any Variables In The BODY With The Actual Values
$mailBody = $mailBodyForUser -replace "FIRST_NAME",$_."Given Name"
$mailBody = $mailBody -replace "LAST_NAME",$_."Last Name"
$mailBody = $mailBody -replace "DISPLAY_NAME",$_."Display Name"
$mailBody = $mailBody -replace "FQDN_DOMAIN",$_."FQDN AD Domain"
$mailBody = $mailBody -replace "PWD_EXPIRY_DATE",$_."PWD Expire Date"
$mailBody = $mailBody -replace "PWD_EXPIRE_IN_NUM_DAYS",[math]::Round($_."Days Until PWD Expiry")
$mailBody = $mailBody -replace "PWD_MIN_LENGTH",$policyPWDMinLength
$mailBody = $mailBody -replace "PWD_MIN_AGE",$policyPWDMinAge
$mailBody = $mailBody -replace "PWD_MAX_AGE",$policyPWDMaxAge
$mailBody = $mailBody -replace "PWD_HISTORY",$policyPWDHistory
$mailBody = $mailBody -replace "PWD_COMPLEX",$policyPWDComplexity
$mailBody = $mailBody -replace "PWD_CHANGE_RESET_URL",$pwdChangeOrResetURL
### Send A Notification E-Mail About The Expiring Password
Send-MailMessage -SmtpServer $smtpServer -From $mailFromSender -To $mailToRecipient -Priority $mailPriority -Subject $mailSubject -Body $($mailBody | Out-String) -BodyAsHtml
Logging ""
Logging " --> Notifying '$displayNameUser' by sending an e-mail to '$mailToRecipient'"
}
}
}
Logging ""
Logging "#######################################################################################"
–
You can download the most recent PowerShell version from HERE.
–
I HAVE NOT TESTED EVERY POSSIBLE SCENARIO! Please provide feedback through the comments section OR you the contact page
–
DISCLAIMER (READ THIS!):
- I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
- The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
- This script is furnished "AS IS". No warranty is expressed or implied!
- I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
- Always test first in lab environment to see if it meets your needs!
- Use this script at your own risk!
- I do not warrant this script to be fit for any purpose, use or environment!
- I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
- I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
- I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
- If you do not accept these terms do not use the script in any way and delete it immediately!
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Jorge's Quest For Knowledge! 
