
PowerShell scripts to notify Active Directory domain users on account expiration

The account expiration notification PowerShell script sends email reminders to Active Directory (AD) users whose user accounts are about to expire. ADSelfService Plus, a password and account expiration notification solution, can also send account expiration notifications to AD users. Here is a comparison of how account expiration notifications are sent with PowerShell and with ADSelfService Plus.

Using PowerShell

Enter and run the following PowerShell script to notify domain users whose accounts will expire within the next 31 days:

# New-TimeSpan gives an unambiguous 31-day window (the AD module accepts any TimeSpan)
$users = Search-ADAccount -UsersOnly -AccountExpiring -TimeSpan (New-TimeSpan -Days 31)

ForEach ($user in $users)
{
    # Search-ADAccount returns only basic account data; fetch the mail address and expiry date
    $userobj = $user | Get-ADUser -Properties EmailAddress,AccountExpirationDate

    # Skip accounts with no mail attribute instead of failing the whole run
    if (-not $userobj.EmailAddress) { continue }

    $options = @{
        'To'         = $userobj.EmailAddress
        'From'       = 'administrator@domain.org'
        'Subject'    = "Account is Expiring on $($userobj.AccountExpirationDate)"
        'SMTPServer' = 'svr.domain.local'
        'Body'       = "Account is Expiring on $($userobj.AccountExpirationDate)"
    }

    Send-MailMessage @options
}
Using ADSelfService Plus

  • Open the ADSelfService Plus admin portal.
  • Go to Configuration > Password Expiration Notification.
  • In the Password/Account Expiration Notification section that opens, click Add New Notification.
  • Use the Select Domain option to specify the domain whose users should receive the notifications.
  • Provide a Scheduler Name.
  • Set the Notification Type to Account Expiration Notification.
  • Use the Notify via option to specify the notification medium (mail, SMS, or push notification).
  • Select the Notification Frequency (Daily, Weekly, or On Specific Days) and use the Schedule Time option to specify the date and time of the notification delivery.
  • Edit the Subject and the Message of the notification, if required.
  • Click the Advanced option. In the pop-up window that opens, you can exclude disabled users or smart card users from receiving expiration notifications, and send notification delivery status messages to users' managers or to administrators if necessary.
  • Click Save.

Notifying AD users on account expiration using PowerShell

Step 1: Retrieve users with expiring accounts

Find users whose accounts will expire in the next 30 days using the command below. The filter is bounded on both sides so that accounts which have already expired, and accounts set to never expire (which have no AccountExpirationDate), are not returned.

$now = Get-Date
$expiryDate = $now.AddDays(30)
Get-ADUser -Filter {AccountExpirationDate -gt $now -and AccountExpirationDate -lt $expiryDate} -Properties AccountExpirationDate | Select-Object Name, SamAccountName, AccountExpirationDate

Step 2: Create the notification email

Define the subject and body of the email. Replace admin@yourdomain.com with your actual sender email.

$subject = "Account Expiry Notification"
$body = "Your Active Directory account is set to expire soon. Please contact IT support to renew your access."
$from = "admin@yourdomain.com"

Step 3: Send notifications to expiring users

Send an email to each user whose account is expiring. Replace smtp.yourdomain.com with your SMTP server. Users who have no EmailAddress attribute are skipped rather than causing Send-MailMessage to fail.

$now = Get-Date
$expiryUsers = Get-ADUser -Filter {AccountExpirationDate -gt $now -and AccountExpirationDate -lt $expiryDate} -Properties EmailAddress

foreach ($user in $expiryUsers) {
    # Only users with a populated mail attribute can be notified
    if ($user.EmailAddress) {
        Send-MailMessage -To $user.EmailAddress -From $from -Subject $subject -Body $body -SmtpServer "smtp.yourdomain.com"
    }
}

Step 4: Automate the notification with a scheduled task

Follow the steps below to run the script automatically so that expiring accounts are checked and notified every day.

  • Save the script as AccountExpiryNotification.ps1.
  • Open Task Scheduler and create a new task.
  • Set the trigger to run daily.
  • Under the task's security options, run it as a dedicated account that only needs read access to AD and permission to relay through your SMTP server; the task does not need Domain Admin rights.
  • In the Actions tab, set:
    powershell.exe -ExecutionPolicy Bypass -File "C:\Scripts\AccountExpiryNotification.ps1"

-ExecutionPolicy Bypass only affects that one process. If your environment enforces AllSigned or RemoteSigned, sign the script instead and drop the Bypass flag.
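Steps 1 to 3 above, combined into the single AccountExpiryNotification.ps1 that the scheduled task runs. This is an added example, not a script from the original page or from ADSelfService Plus; the SMTP server, sender address, log path and 30-day window are assumptions exposed as parameters, and the log file is included because Send-MailMessage gives no record of who was notified otherwise.

```powershell
# AccountExpiryNotification.ps1 (added example)
# Assumes: the ActiveDirectory module is installed, an internal SMTP relay accepts
# unauthenticated mail from the task account, and C:\Scripts\Logs is writable.
param(
    [int]$DaysAhead = 30,
    [string]$SmtpServer = 'smtp.yourdomain.com',   # assumed relay
    [string]$From = 'admin@yourdomain.com',        # assumed sender
    [string]$LogPath = 'C:\Scripts\Logs\AccountExpiryNotification.log'  # assumed path
)

Import-Module ActiveDirectory -ErrorAction Stop

# Create the log directory on first run, then append one line per action
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# Bounded on both sides: already-expired accounts (date < now) and accounts set to
# never expire (no AccountExpirationDate) are excluded. Disabled accounts are skipped
# because reminding them to renew access is noise.
$expiringUsers = Get-ADUser -Filter {Enabled -eq $true -and AccountExpirationDate -gt $now -and AccountExpirationDate -lt $cutoff} -Properties EmailAddress, AccountExpirationDate

Write-Log "START window=$DaysAhead days, candidates=$(@($expiringUsers).Count)"

foreach ($user in $expiringUsers) {
    $daysLeft = [math]::Ceiling(($user.AccountExpirationDate - $now).TotalDays)

    # Accounts without a mail attribute cannot be notified; record them for follow-up
    if (-not $user.EmailAddress) {
        Write-Log "SKIP $($user.SamAccountName): no EmailAddress attribute"
        continue
    }

    $subject = "Your account expires in $daysLeft day(s)"
    $body = @"
Hello $($user.GivenName),

Your Active Directory account ($($user.SamAccountName)) is set to expire on
$($user.AccountExpirationDate.ToString('yyyy-MM-dd HH:mm')).
Please contact IT support before that date to renew your access.
"@

    try {
        Send-MailMessage -To $user.EmailAddress -From $From -Subject $subject `
            -Body $body -SmtpServer $SmtpServer -ErrorAction Stop
        Write-Log "SENT $($user.SamAccountName) -> $($user.EmailAddress) expires=$($user.AccountExpirationDate.ToString('s'))"
    }
    catch {
        # A relay failure for one user must not abort notifications for the rest
        Write-Log "FAIL $($user.SamAccountName): $($_.Exception.Message)"
    }
}

Write-Log "END"
```

Run it once by hand with a short window, for example `.\AccountExpiryNotification.ps1 -DaysAhead 3`, and check the log before scheduling it. Send-MailMessage is flagged as obsolete by newer PowerShell versions but still works; if your relay requires authentication, add -Credential with a stored credential rather than embedding a password in the script.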

FAQs

1. How do I find users with expiring accounts?

You can find users with expiring accounts using the PowerShell command below. It lists users whose accounts expire in the next 30 days, excluding accounts that have already expired or are set to never expire.

$now = Get-Date
$expiryDate = $now.AddDays(30)
Get-ADUser -Filter {AccountExpirationDate -gt $now -and AccountExpirationDate -lt $expiryDate} -Properties AccountExpirationDate | Select-Object Name, AccountExpirationDate

2. How can I send email notifications for expiring accounts?

You can send an email notification for an expiring account using the PowerShell command below; in a script, run it once per user inside a loop.

Send-MailMessage -To user@domain.com -From admin@domain.com -Subject "Account Expiry Notification" -Body "Your AD account will expire soon." -SmtpServer "smtp.yourdomain.com"

3. How can I automate the expiry notification process?

Save the retrieval and notification commands as a script and schedule it with Task Scheduler to run daily under a dedicated account with read access to AD.

Limitations of using PowerShell for AD account expiration notifications

While PowerShell scripts provide flexibility, they come with several drawbacks when used for account expiration notifications:

  • High dependency on scripting skills: Administrators must be proficient in PowerShell to write, test, and debug scripts. A single error can break the notification process.
  • Limited notification channels: By default, PowerShell supports only email notifications. Adding SMS or push notifications requires complex custom scripting and integration with third-party APIs.
  • Lack of advanced customization: Customizing messages, creating HTML templates, or scheduling multiple notifications requires significant manual coding effort.
  • No built-in reporting or auditing: PowerShell doesn't provide out-of-the-box reports on who received notifications or whether delivery was successful. Tracking requires additional logging and script modifications.
  • Scalability issues: Managing and maintaining scripts for large organizations with multiple domains and thousands of users becomes difficult and error-prone.

Advantages to notifying users of AD account expiration using ADSelfService Plus

With ADSelfService Plus, you are just a few clicks away from configuring Active Directory account expiration notifications for users. If you're using PowerShell, you need to create, debug, and run scripts. Using ADSelfService Plus, without writing a single script, you can:

  • Notify users via mail, SMS and push notification

    Choose between sending email, SMS, and push account expiration notifications with just a click. PowerShell can also be used to send SMS and push notifications, but that requires writing an extensive script and integrating with a third-party messaging API.
  • Notify users' managers

    Send the notification delivery status automatically to the users' managers and the organization's administrators via email. You can also choose to exclude disabled users and smart card users from receiving the notifications.
  • Customizable and powerful email notifications

    Draft account expiration notifications in HTML to grab the attention of users, or send different messages on different days leading up to account expiration. PowerShell does allow sending HTML-formatted emails, but the process can be quite lengthy.
  • GUI based configuration

    Edit a configured account expiration notification simply by selecting it and changing the values of the settings as required. With PowerShell, every change to the notification script is an opportunity for typos and other human errors.

Highlights of ADSelfService Plus:

  • Password self-service: Unburden users from lengthy help desk calls by empowering them with self-service password reset and account unlocking capabilities.
  • Multi-factor authentication: Enable context-based multi-factor authentication (MFA) with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
  • One identity with single sign-on: Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications including Microsoft 365 using their Windows AD credentials.
  • Password synchronization: Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365.
  • Custom password policy enforcer: Prevent users from setting weak and breached passwords for their accounts with an advanced password policy and its integration with Have I Been Pwned?
  • Password and account expiry notifications: Notify users of their impending password and account expiry via email and SMS notification.
