Password expiration PowerShell script to notify Active Directory domain users

Many organizations have policies that force users to change their passwords periodically. If a user doesn't change the password before the expiration date, they will be forced to set a new password when they log in for the first time after its expiration.

While password deadlines are a minor inconvenience for users inside the corporate network, remote users who ignore them will be locked out. This is because sensitive tasks like password resets can only be performed from within the corporate network hosting Active Directory (AD). For remote users, contacting the help desk to reset the password does not help either, since the device must be physically located within the corporate intranet.

Native AD tools do not offer the functionality to notify users of password expiration deadlines. Luckily, admins can use PowerShell scripts to notify users of password expiration for AD and email them to change their passwords a few days in advance.

ManageEngine ADSelfService Plus, an identity security solution, also supports sending password expiration notifications to AD users. The PowerShell password expiration notification script provided below sends email reminders to Active Directory users about their expiring passwords.

Here's how to send password expiry emails to AD users using PowerShell vs. using ADSelfService Plus.

PowerShell

Use the following PowerShell script to check user password expiration dates and send an expiry notification email seven days in advance:

```powershell
# Import the AD module (RSAT: Active Directory PowerShell)
Import-Module ActiveDirectory

# Warning date: the long-date string for seven days from now
$SevenDayWarnDate = (Get-Date).AddDays(7).ToLongDateString()

# Email variables (no leading whitespace in the sender, or the address can be rejected)
$MailSender = 'Password AutoBot <emailaddress@somecompany.com>'
$Subject = 'FYI - Your account password will expire soon'
$EmailStub1 = 'I am a bot and performed this action automatically. I am here to inform you that the password for'
$EmailStub2 = 'will expire in'
$EmailStub3 = 'days on'
$EmailStub4 = '. Please contact the help desk if you need assistance changing your password. DO NOT REPLY TO THIS EMAIL.'
$SMTPServer = 'smtp.somecompany.com'

# Find enabled accounts whose passwords can expire; msDS-UserPasswordExpiryTimeComputed
# already takes fine-grained password policies into account
$users = Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0 } `
    -Properties "Name", "EmailAddress", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Name", "EmailAddress", `
        @{Name = "PasswordExpiry"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToLongDateString() }}

# Compare each expiry date with the warning date and send an email on match
foreach ($user in $users) {
    if ($user.PasswordExpiry -eq $SevenDayWarnDate) {
        # Skip accounts with no mail attribute; Send-MailMessage fails on an empty -To
        if ([string]::IsNullOrWhiteSpace($user.EmailAddress)) { continue }
        $days = 7
        $EmailBody = $EmailStub1, $user.Name, $EmailStub2, $days, $EmailStub3, $SevenDayWarnDate, $EmailStub4 -join ' '
        Send-MailMessage -To $user.EmailAddress -From $MailSender -SmtpServer $SMTPServer -Subject $Subject -Body $EmailBody
    }
}
```

ManageEngine ADSelfService Plus
  • Open the ADSelfService Plus admin portal.
  • Go to Configuration > Password Expiration Notification. In the Password/Account Expiration Notification section that opens, click Add New Notification.
  • Use the Select Domain option to specify the domain whose users should receive the notifications. Provide a Scheduler Name.
  • Set the Notification Type to Password Expiration Notification. Use the Notify via option to specify the notification medium (mail, SMS, or push notification).
  • Select the Notification Frequency (Daily, Weekly, or On Specific Days) and use the Schedule Time option to specify the date and time of the notification delivery. For example, if you want to notify users seven days before the password expiration, select the On Specific Days option and click Schedule Time and specify 7 in the field provided.
  • Edit the Subject and the Message of the notification, if required.
  • Click Advanced, and in the pop-up window that opens, use the options for excluding disabled users or smart card users from receiving expiration notifications and sending notification delivery status messages to users' managers or anyone with an admin account if necessary.
  • Click Save.

The limitations of PowerShell-based password expiry notifications

Many admins rely on a password expiration notification process that's built using PowerShell scripts. A password expiry email notification PowerShell script can send reminders before a user’s password expires, but it requires constant maintenance and troubleshooting. Even well-known scripts like password-expiration-notifications.ps1 can fail after security updates or PowerShell script changes.

While a PowerShell password expiration notification email can automate alerts, it offers little visibility into whether messages were delivered or acted upon. Missed or failed password expiry notifications can lead to account lockouts, frustrated users, increased help desk tickets, and even compliance gaps.
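As an added example, not part of the original page and not ADSelfService Plus code, the script below reworks the notification loop so that it notifies on several threshold days (a single missed run no longer silences a user), skips accounts with no mail attribute, and records every send outcome to a CSV log for the delivery visibility the paragraph above says a plain script lacks. The SMTP relay, sender address and log path are placeholders; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: threshold-based expiry notifications with per-user delivery logging.
# $SmtpServer, $MailSender and $LogPath are placeholders to adapt to your environment.
Import-Module ActiveDirectory

$SmtpServer = 'smtp.somecompany.com'                          # placeholder relay
$MailSender = 'Password AutoBot <noreply@somecompany.com>'    # placeholder sender
$LogPath    = 'C:\Logs\PasswordExpiryNotify.csv'              # placeholder log file
$Thresholds = 14, 7, 3, 1          # days before expiry on which a reminder is sent
$Now        = Get-Date

# Enabled users whose passwords can expire; the computed attribute honours
# fine-grained password policies, unlike PasswordLastSet + the domain MaxPwdAge
$Users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordLastSet -gt 0 } `
    -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'

$Results = foreach ($User in $Users) {
    $Raw = $User.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "never expires" (e.g. a fine-grained policy with no max age);
    # FromFileTime would throw on MaxValue, so skip these explicitly
    if (-not $Raw -or $Raw -eq [Int64]::MaxValue) { continue }
    $Expiry   = [DateTime]::FromFileTime($Raw)
    $DaysLeft = [Math]::Ceiling(($Expiry - $Now).TotalDays)

    # Only act on threshold days; several thresholds mean one missed run is not fatal
    if ($DaysLeft -notin $Thresholds) { continue }

    $Status = 'Sent'
    if ([string]::IsNullOrWhiteSpace($User.EmailAddress)) {
        $Status = 'SkippedNoEmail'
    } else {
        $Body = "The password for $($User.SamAccountName) expires in $DaysLeft day(s) on $($Expiry.ToLongDateString()). " +
                'Please change it before then. Do not reply to this email.'
        try {
            # Send-MailMessage is marked obsolete in PowerShell 7 but still works against a plain relay
            Send-MailMessage -To $User.EmailAddress -From $MailSender -SmtpServer $SmtpServer `
                -Subject 'Your account password will expire soon' -Body $Body -ErrorAction Stop
        } catch {
            $Status = "Failed: $($_.Exception.Message)"   # keep the reason for the log
        }
    }
    [PSCustomObject]@{ Timestamp = $Now; User = $User.SamAccountName; Email = $User.EmailAddress
                       Expiry = $Expiry; DaysLeft = $DaysLeft; Status = $Status }
}

# Append this run's outcomes so skipped and failed sends can be reviewed or alerted on
if ($Results) {
    $Results | Export-Csv -Path $LogPath -Append -NoTypeInformation
    $Results | Where-Object Status -ne 'Sent' | Format-Table -AutoSize
}
```

Schedule it once a day; the CSV then answers the "was the reminder actually sent?" question that the original script cannot.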

A smarter alternative: ADSelfService Plus

Instead of maintaining a password expiration notification PowerShell script, ADSelfService Plus provides a built-in, code-free password expiry notification feature. Here is why you should choose ADSelfService Plus as your password expiry notifier tool:

  • Quick configuration: With ADSelfService Plus, you’re just a few clicks away from setting up a password expiry notification for domain users. In contrast, creating a password expiration notification PowerShell script requires manual coding, debugging, and scheduling, making the process more time-consuming.
  • Alert users via email, SMS, and push notifications: ADSelfService Plus lets you send password expiry notifications through email, SMS, and push notifications instantly from its console. Most PowerShell scripts can send email password expiration alerts, but sending SMS or push notifications may be complicated or unfeasible.
  • Notify users’ managers: With ADSelfService Plus, you can also automatically send delivery status updates to managers and administrators. This is difficult to achieve with a standard PowerShell script to notify users of password expiration without significant customization.
  • GUI-based configuration: Once a password expiration notification is configured in ADSelfService Plus, you can edit it anytime through a simple GUI by selecting the notification and updating the settings. In comparison, modifying a password expiry notification PowerShell script risks introducing typos or errors, causing the notification system to fail.
  • Customizable and powerful email notifications: ADSelfService Plus lets you create HTML-based password expiry notification emails with rich formatting to grab users’ attention. You can even send different messages on different days leading up to expiration. While a PowerShell password expiration notification email can also be HTML-formatted, the process is far more tedious.

Highlights of ADSelfService Plus:

  • Password self-service: Unburden users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
  • Multi-factor authentication: Enable context-based multi-factor authentication (MFA) with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
  • One identity with single sign-on: Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications including Microsoft 365 using their Windows AD credentials.
  • Password synchronization: Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365.
  • Custom password policy enforcer: Prevent users from setting weak and breached passwords for their accounts through an advanced password policy that bans dictionary words, keyboard sequences, and compromised passwords through its integration with Have I Been Pwned?
  • Password and account expiry notifications: Notify users of their impending password and account expiry via email and SMS notification.

Skip the PowerShell scripts. Deliver streamlined, automated password expiration notifications with ADSelfService Plus.
