It can be helpful to proactively notify users when their passwords are about to expire; this helps reduce the influx of helpdesk tickets at expiration time. There are a variety of paid software solutions that can be used to solve this problem, but this script offers a convenient and free alternative.
Clone this repository to the server where you want this script to run:

```shell
git clone https://github.com/griffeth-barker/ADPasswordExpiryReminder.git
```
In the `Begin` block of the script, there is a maintenance block of variables that can be customized. It looks like this:

```powershell
## MAINTENANCE BLOCK ####################################
# Update these variables to fit your organization's needs
# Domain components in a distinguished name use DC=, not CN=
$orgSearchBase = "OU=TopLevel,DC=domain,DC=tld"
$orgName = "Company Name"
$orgSmtpServer = "smtp.domain.tld"
$orgHelpdeskEmail = "helpdesk@domain.tld"
$orgHelpdeskPhone = "+1 (555) 123-4567"
$logDir = "D:\Tasks\ADPasswordExpiryReminder\log"
## END MAINTENANCE BLOCK ###############################
```
These variables can be updated to suit your environment. There is also an HTML body section in the script that can be customized. Otherwise, the rest of the script should not require modification unless you have drastically different needs.
This script is intended to run via Windows Task Scheduler; create a scheduled task in Windows Task Scheduler to run the script at the desired interval.
This automation can be monitored by monitoring platforms (e.g. Zabbix) via the included `statusCode` file. Its contents are expected to be `0`; an exception during the run writes `1`.
The script can be scheduled multiple times in different scheduled tasks in Windows Task Scheduler with the `-TimeSpan` parameter specified differently to provide users with notifications at intervals (e.g. 30 days out, 7 days out, etc.).
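One way to set up the staggered reminders described above, as an added example rather than anything shipped with the project: register one scheduled task per interval, each passing a different `-TimeSpan`. The script path, task names and the group managed service account are assumptions; a gMSA is used so the task needs no stored password and can be granted read-only directory rights.

```powershell
# Added example, not part of the ADPasswordExpiryReminder repository.
# Assumed values: adjust the script path and the service account to your environment.
$scriptPath = 'D:\Tasks\ADPasswordExpiryReminder\ADPasswordExpiryReminder.ps1'  # assumed file name
$gmsa       = 'DOMAIN\svc-pwexpiry$'   # assumed gMSA with read-only AD access; no stored password

foreach ($days in 30, 14, 7, 1) {
    # Each task runs the same script with a different reminder horizon.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$scriptPath`" -TimeSpan $days"

    # Run once a day; StartWhenAvailable catches up after a missed window (e.g. reboot).
    $trigger  = New-ScheduledTaskTrigger -Daily -At 07:00
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

    # Least privilege: a gMSA principal at the limited run level, not an admin account.
    $principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited

    Register-ScheduledTask -TaskName "ADPasswordExpiryReminder-${days}d" `
        -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null
}

# Confirm what was registered
Get-ScheduledTask -TaskName 'ADPasswordExpiryReminder-*' | Select-Object TaskName, State
```

Run this once, elevated, on the server that will send the reminders. The gMSA must first be installed on that host (`Install-ADServiceAccount`) and granted read access to the OU in `$orgSearchBase`; it needs no other rights, since the script only reads directory attributes and sends mail.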
Here is a brief explanation of what the script does:

- Parameter definition for `-TimeSpan`, which determines how far out from a password expiration we want to send a reminder
- Begin
  - Maintenance block for customizable variables
  - Declare log directory and log file
  - Start transcript to record actions during script run
  - Check for the ActiveDirectory PowerShell module; throw an exception and exit if it cannot be imported
  - Declare the `Get-ADPasswordExpiryUser` function for use later
- Process
  - Get all the users whose password is expiring within the `-TimeSpan` passed to the script
  - Loop through the users and for each of them:
    - Calculate the number of days until password expiration
    - Send email notification to the user
- End
  - Check the log directory for logs generated by this script that are older than 7 days and clean them up
  - Stop the transcript
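The flow just outlined, plus the `statusCode` file the monitoring section refers to, written out as an added example. This is not the project's own script: the parameter shape (`-TimeSpan` as a number of days), the sender address, the log file naming and the HTML body are assumptions, and the user query uses `msDS-UserPasswordExpiryTimeComputed` so that fine-grained password policies are honoured rather than assuming the domain default maximum age.

```powershell
# Added example, not the ADPasswordExpiryReminder script itself.
# Assumptions: -TimeSpan is an integer number of days; values below are placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateRange(1, 365)]
    [int]$TimeSpan
)

$orgSearchBase    = 'OU=TopLevel,DC=domain,DC=tld'   # placeholder
$orgName          = 'Company Name'                   # placeholder
$orgSmtpServer    = 'smtp.domain.tld'                # placeholder
$orgHelpdeskEmail = 'helpdesk@domain.tld'            # placeholder
$fromAddress      = 'noreply@domain.tld'             # assumed sender
$logDir           = 'D:\Tasks\ADPasswordExpiryReminder\log'
$statusFile       = Join-Path $logDir 'statusCode'

$exitCode = 0
try {
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
    Start-Transcript -Path (Join-Path $logDir ('run_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))) | Out-Null

    # Fail fast (and report status 1) if the RSAT module is missing.
    Import-Module ActiveDirectory -ErrorAction Stop

    $now      = Get-Date
    $deadline = $now.AddDays($TimeSpan)

    # Let the DC compute expiry per account; this honours fine-grained password policies.
    $candidates = Get-ADUser -SearchBase $orgSearchBase -Filter {
        Enabled -eq $true -and PasswordNeverExpires -eq $false -and mail -like '*'
    } -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($user in $candidates) {
        $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
        # 0 / Int64.MaxValue mean "no computed expiry" (never expires or must-change-at-logon)
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

        $expires = [DateTime]::FromFileTime($raw)
        # Skip already-expired accounts and anything beyond the reminder horizon
        if ($expires -lt $now -or $expires -gt $deadline) { continue }

        $daysLeft = [Math]::Ceiling(($expires - $now).TotalDays)

        # Encode directory attributes before interpolating into HTML
        $name = [System.Net.WebUtility]::HtmlEncode($user.GivenName)
        $body = @"
<p>Hello $name,</p>
<p>Your $orgName password expires in <b>$daysLeft day(s)</b>, on $($expires.ToString('f')).</p>
<p>Please change it before then. Questions? Contact $orgHelpdeskEmail.</p>
"@
        Send-MailMessage -SmtpServer $orgSmtpServer -From $fromAddress -To $user.mail `
            -Subject "$orgName password expires in $daysLeft day(s)" -Body $body -BodyAsHtml
        Write-Output "Notified $($user.SamAccountName): expires $expires ($daysLeft days left)"
    }

    # Housekeeping: remove transcripts older than 7 days
    Get-ChildItem -Path $logDir -Filter 'run_*.log' |
        Where-Object LastWriteTime -lt $now.AddDays(-7) |
        Remove-Item -Force
}
catch {
    Write-Error $_
    $exitCode = 1
}
finally {
    # Monitoring hook: 0 = clean run, 1 = an exception occurred
    Set-Content -Path $statusFile -Value $exitCode
    try { Stop-Transcript | Out-Null } catch { }
}
exit $exitCode
```

Two points worth noting for whoever adapts this: the `statusCode` file is written in `finally`, so a failure anywhere (module import, LDAP query, SMTP) still produces a `1` for the monitoring platform to alert on; and the given name is HTML-encoded before it is placed in the message body, so a directory attribute containing markup cannot alter the rendered email.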
Please ⭐star this repository if it is helpful. Constructive feedback is always welcome, as are pull requests. Feel free to open an issue on the repository if needed or send me a message on Signal.