PowerShell scripts to notify Active Directory domain users about password expiration

Many organizations have policies that force users to change their passwords periodically. If the password is not changed before the expiration date, users will be forced to set a new password when they log in for the first time after its expiration.

While this is a minor inconvenience for users who are within the corporate network, remote users will be locked out. This is because sensitive tasks like password resets need to be performed only from within the corporate network hosting Active Directory (AD). Contacting IT to reset the password does not help, as the device needs to be located physically within the corporate intranet for it to be recognized.

Admins can use PowerShell scripts to get password expiration dates for AD users and email them a reminder to change their passwords a few days in advance. As native Active Directory graphical interface tools do not offer this functionality, PowerShell scripts have to be used to send password expiry emails.

ManageEngine ADSelfService Plus, an identity security solution, also supports sending password expiration notifications to AD users.

The PowerShell password expiration notification script provided here sends email reminders to Active Directory users about their expiring passwords.

Below is a comparison between using PowerShell scripts to send password expiry emails vs. using ADSelfService Plus.

PowerShell

Use the following PowerShell script to check user password expiration dates and send an expiry notification email seven days in advance:
#Import AD Module
Import-Module ActiveDirectory

#Create warning dates for future password expiration
$SevenDayWarnDate = (Get-Date).AddDays(7).ToLongDateString()

#Email Variables
$MailSender = "Password AutoBot <emailaddress@somecompany.com>"
$Subject = 'FYI - Your account password will expire soon'
$EmailStub1 = 'I am a bot and performed this action automatically. I am here to inform you that the password for'
$EmailStub2 = 'will expire in'
$EmailStub3 = 'days on'
$EmailStub4 = '. Please contact the help desk if you need assistance changing your password. DO NOT REPLY TO THIS EMAIL.'
$SMTPServer = 'smtp.somecompany.com'

#Find accounts that are enabled and have expiring passwords
$users = Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} `
    -Properties "Name", "EmailAddress", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Name", "EmailAddress", `
    @{Name = "PasswordExpiry"; Expression = {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToLongDateString()}}

#Check password expiration date and send email on match
foreach ($user in $users) {
    #Skip accounts without a mail address; Send-MailMessage fails on an empty -To value
    if ($user.EmailAddress -and $user.PasswordExpiry -eq $SevenDayWarnDate) {
        $days = 7
        $EmailBody = $EmailStub1, $user.Name, $EmailStub2, $days, $EmailStub3, $SevenDayWarnDate, $EmailStub4 -join ' '

        Send-MailMessage -To $user.EmailAddress -From $MailSender -SmtpServer $SMTPServer -Subject $Subject -Body $EmailBody
    }
}
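
The script above compares formatted date strings and fires only on the exact seven-day mark, so a missed run means no reminder. The sketch below is an added example, not part of the original script: it computes the days remaining from the raw msDS-UserPasswordExpiryTimeComputed value, filters that attribute's sentinel values, and classifies each account against several reminder days. The Get-DaysUntilExpiry helper, the 7/3/1-day thresholds and the sample records are assumptions constructed for illustration.

```powershell
# Added example: runs offline on constructed records; no AD module required.
$WarnDays = 7, 3, 1   # assumed reminder days before expiry

function Get-DaysUntilExpiry {
    param(
        [Parameter(Mandatory)] [long]     $ExpiryFileTime,  # raw msDS-UserPasswordExpiryTimeComputed
        [Parameter(Mandatory)] [datetime] $Today
    )
    # 0 = pwdLastSet is 0 (change at next logon); Int64.MaxValue = password never expires.
    # FromFileTime throws on MaxValue, so both sentinels are filtered before conversion.
    if ($ExpiryFileTime -le 0 -or $ExpiryFileTime -eq [long]::MaxValue) { return $null }
    # Compare calendar dates rather than formatted strings.
    return ([datetime]::FromFileTime($ExpiryFileTime).Date - $Today.Date).Days
}

$today = Get-Date
# Constructed sample records standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ Name = 'alice'; EmailAddress = 'alice@somecompany.com'; Raw = $today.AddDays(7).ToFileTime() }
    [pscustomobject]@{ Name = 'bob';   EmailAddress = 'bob@somecompany.com';   Raw = $today.AddDays(3).ToFileTime() }
    [pscustomobject]@{ Name = 'carol'; EmailAddress = $null;                   Raw = $today.AddDays(1).ToFileTime() }
    [pscustomobject]@{ Name = 'svc';   EmailAddress = 'svc@somecompany.com';   Raw = [long]::MaxValue }
    [pscustomobject]@{ Name = 'dave';  EmailAddress = 'dave@somecompany.com';  Raw = $today.AddDays(20).ToFileTime() }
)

$report = foreach ($u in $sample) {
    $days = Get-DaysUntilExpiry -ExpiryFileTime $u.Raw -Today $today
    $action = if ($null -eq $days) {
        'skip: no expiry date'
    } elseif ($days -notin $WarnDays) {
        'skip: not a reminder day'
    } elseif (-not $u.EmailAddress) {
        'flag: no mail address on account'
    } else {
        "notify: expires in $days day(s)"   # the Send-MailMessage call from the script goes here
    }
    [pscustomobject]@{ Name = $u.Name; DaysLeft = $days; Action = $action }
}
$report | Format-Table -AutoSize
```

Microsoft documents Send-MailMessage as obsolete because it does not guarantee a secure connection to the SMTP server, which is worth reviewing before this notification job is scheduled.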

ADSelfService Plus

  • Open the ADSelfService Plus admin portal.
  • Go to Configuration > Password Expiration Notification. In the Password/Account Expiration Notification section that opens, click on Add New Notification.
  • Use the Select Domain option to specify the domain whose users should receive the notifications. Provide a Scheduler Name.
  • Set the Notification Type to Password Expiration Notification. Use the Notify via option to specify the notification medium (mail, SMS, or push notification).
  • Select the Notification Frequency (Daily, Weekly or On Specific Days) and use the Schedule Time option to specify the date and time of the notification delivery. For example, if you want to notify users seven days before the password expiration, select the On Specific Days option and click on Schedule Time and specify '7' in the field provided.
  • Edit the Subject and the Message of the notification, if required.
  • Click on the Advanced option and in the pop-up window that opens, use the options for excluding disabled users or smart card users from receiving expiration notifications, and sending notification delivery status messages to users' managers or anyone with an admin account if necessary.
  • Click Save.
Benefits of configuring password expiry notifications with ADSelfService Plus:
  • Quick configuration:

    With ADSelfService Plus you are just a few clicks away from configuring password expiration reminders for domain users. PowerShell scripts require creating, debugging, and running.

  • Notify users via mail, SMS and push notification:

    With ADSelfService Plus, you can choose between sending mail, SMS, and push notifications with just a click. In the example above, PowerShell is used to provide email notifications for password expirations. PowerShell can also be used to send SMS and push notifications, but this requires creating an extremely complicated script.

  • Notify users' managers:

    In ADSelfService Plus, you can choose to exclude disabled users and smart card users from receiving notifications. Notification delivery status emails can also be sent to the users' managers and the organization's administrators.

  • GUI-based configuration:

    Once a password expiration notification has been configured in ADSelfService Plus, it can be edited simply by selecting the notification to be edited and changing the values of the settings as required. With PowerShell, while making changes to the notification script, typos and other human errors are bound to occur.

  • Customizable and powerful email notifications:

    Draft email notifications in HTML to grab the attention of users or send different messages on different days leading up to password expiration. PowerShell allows sending HTML formatted emails, but the process can be quite lengthy.
