Friday, March 2, 2012

Password Expire Email - Powershell

Here's one for you Group Policy Administrators out there. We have a good number of remote users in our organization, and the helpdesk is constantly getting calls about expired passwords. Basically, because they log into their laptops first, then VPN, they never get the prompts warning them their password will expire. So, I created a simple PowerShell script that runs on a server at noon every day.

I'm not a powershell guru, so there might be better ways to write this, but this is what I came up with. Basically it searches an OU that you can choose and it finds all accounts where the password will expire in the next 14 days. It will send them an email every day at noon until they change it. The script has a few variables that you will need to put in your own information, like $smtpserver, $to, $from, and -searchroot. Also, make sure the folders are created before you try to run it.

Just copy the text below into a txt file and rename it with a ps1 extension (and take word wrap off...it's easier to read). Then set up a scheduled task that calls the script. Have fun! If you have better ways to do this I'd love to learn!


# get-qaduser comes from the Quest ActiveRoles Management Shell snap-in
add-pssnapin Quest.ActiveRoles.ADManagement -erroraction silentlycontinue

$today = (get-date)
$days_before_expire = 14

# Set once, outside the loop, so the summary email at the end still has them
# even when no users match
$from = "<sender's email address>"
$smtpserver = 'EmailServerFQDN'

# -force replaces a file left over from a previous run instead of failing
new-item -path c:\scripts\passwordexpiredemails\expiredpasswords.txt -type file -force
# Enabled accounts whose password can expire and does so within the warning window
$users_to_be_notified = get-qaduser -searchroot 'enter your domain/ou path here' -Enabled -passwordneverexpires:$False | where {($_.passwordexpires -lt $today.adddays($days_before_expire))}
foreach ($user in $users_to_be_notified) {
$days_remaining = ($user.passwordexpires - $today).days
$resetby = $user.PasswordExpires.date.tostring('MM/dd/yyyy')
$to = $user.email
$subject = "Reminder - Password is expiring in $days_remaining day(s)."
$body = "<html>
            <head></head>
                <body>
                Your password will expire in $days_remaining day(s). Please change it by $resetby.<BR><BR>
                To reset your password, press CTRL-ALT-DEL and choose 'Change Password'<BR><BR>
                If you have a MobileDevice, please be sure to change your password on the device as well. You can find instructions for changing it on your device here: 'Path To Document in UNC format'<BR><BR>
                If you have any issues, please submit a ticket at 'URL of Ticket System if applicable'<BR><BR>
                Thank You!<BR>
                Help Desk
                </body>
         </html>"

# Already expired: record the account for the account management group
if ($days_remaining -le 0) {
add-content -path 'c:\scripts\passwordexpiredemails\expiredpasswords.txt' -value $user
}

# Still valid: send the reminder to the user
if ($days_remaining -gt 0) {
send-mailmessage -bodyashtml -to $to -from $from -subject $subject -body $body -smtpserver $smtpserver
}

}
# Summary of expired accounts for the account management group
$to = '<AccountManagementGroupEmailAddress>'
$subject = "The following accounts have expired passwords"
$body = "Please see the attached file for the accounts with expired passwords."
send-mailmessage -bodyashtml -to $to -from $from -subject $subject -body $body -attachment 'c:\scripts\passwordexpiredemails\expiredpasswords.txt' -smtpserver $smtpserver

remove-item c:\scripts\passwordexpiredemails\expiredpasswords.txt
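
The same "who expires in the next 14 days" selection, as an added example that is not part of the original script: it reads the msDS-UserPasswordExpiryTimeComputed attribute (which also reflects fine-grained password policies) and handles the two sentinel values that are not real dates. The function name Select-ExpiringPassword, the sample accounts and the search base are assumptions; the real query needs the ActiveDirectory module.

```powershell
# Added example. Select-ExpiringPassword is a hypothetical helper name.
function Select-ExpiringPassword {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [datetime] $Now = (Get-Date),
        [int] $DaysBeforeExpire = 14
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = password never expires.
        # Neither is a date, and FromFileTime throws on the second one.
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -lt $DaysBeforeExpire) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Mail           = $User.mail
                Expires        = $expires
                DaysRemaining  = [int] $daysLeft
                Expired        = ($expires -le $Now)   # goes on the expired list, no reminder
            }
        }
    }
}

# Constructed sample accounts so the logic runs without a domain.
$now = Get-Date '2012-03-02T12:00:00'
$attr = 'msDS-UserPasswordExpiryTimeComputed'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com'; $attr = $now.AddDays(5).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';   mail = 'bob@example.com';   $attr = $now.AddDays(40).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'carol'; mail = 'carol@example.com'; $attr = $now.AddDays(-2).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'svc';   mail = $null;               $attr = [int64]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'newhire'; mail = 'new@example.com'; $attr = 0 }
)
# alice (5 days left) and carol (expired) are returned; bob, svc and newhire are skipped.
$sample | Select-ExpiringPassword -Now $now | Format-Table -AutoSize

# Real use (placeholder search base, replace with your own OU):
# Get-ADUser -SearchBase 'OU=Example,DC=example,DC=com' `
#     -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
#     -Properties 'msDS-UserPasswordExpiryTimeComputed', mail | Select-ExpiringPassword
```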
