Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

Microsoft Exchange / Active Directory Powershell script to notify users of expiring Passwords

Published: 08-08-2013 | Author: Remy van Elst | Text only version of this article


❗ This post is over ten years old. It may no longer be up to date. Opinions may have changed.


This is a small PowerShell script which emails your users that their password is going to expire in X days. This is needed when you have an Active Directory and Exchange Environment, but your users do not log in to a Windows machine bound to the Active Directory, but for example a Mac OS X or Linux machine with Full Disk Encryption enabled. Then they are not notified that their password is about to expire. This script can run as a scheduled task and scan and email your users that their password is about to expire.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

It is tested on a Windows Server 2008 environment, with Exchange 2010. Domain is not running in Mixed mode, all servers are Windows Server 2008 R2. The script is installed as a scheduled task on one of the Exchange Edge servers with the SMTP role, but it does not have to be there, because the SMTP server variable is configurable. The amount of days to email before a password expires is also configurable.

PowerShell setup

First we need to allow execution of unsigned Powershell scripts. This can be dangerous, so make sure your server security is adequate. Fire up a cmd.exe with elevated privileges, run it as admin and launch powershell. Then execute the following command:

Set-ExecutionPolicy unrestricted

This does the following:

Load all configuration files and run all scripts.
If you run an unsigned script that was downloaded from the
internet, you are prompted for permission before it runs.

More info on the Set-ExecutionPolicy cmdlet

The script

$ExpireDays = 30
$SendingEmail = "helpdesk@example.org"
$SMTPHost="127.0.0.1"
Import-Module ActiveDirectory
$AllUsers = get-aduser -filter * -properties * |where {$_.Enabled -eq "True"} | where { $_.PasswordNeverExpires -eq $false } | where { $_.passwordexpired -eq $false }
foreach ($User in $AllUsers)
{
  $Name = (Get-ADUser $User | foreach { $_.Name})
  $Email = $User.emailaddress
  $PasswdSetDate = (get-aduser $User -properties * | foreach { $_.PasswordLastSet })
  $MaxPasswdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
  $ExpireDate = $PasswdSetDate + $MaxPasswdAge
  $Today = (get-date)
  $DaysToExpire = (New-TimeSpan -Start $Today -End $ExpireDate).Days
  $EmailSubject="Password Expiry Notice - your password expires in $DaystoExpire days"
  $Message="
  Dear $Name,
  <p> Your Password expires in $DaysToExpire days.<br />
  To change your password, please go to https://webmail.example.org/owa/, log in and click the settings button, then click Change Password. <br />
  If you do not update your password in $DaysToExpire days, you will not be able to log in, so please make sure you update your password. <br />
  If you need any help, contact us via email: helpdesk@example.org, by internal phone 1337, or walk by Building C, Floor 4, Room C41A. <br />
  Sincerely, <br />
  The IT Department. <br />
  </p>"
  if ($DaysToExpire -lt $ExpireDate)
  {
    echo "$Email expires in $DaysToExpire days"
    Send-Mailmessage -smtpServer $SMTPHost -from $SendingEmail -to $Email -subject $EmailSubject -body $Message -bodyasHTML -priority High

  } 
}

Save this as a .ps1 script, for example Expiry-Mail-30.ps1. Then set up a scheduled task to run every night, without the user being logged in, as action executing this script. It will send out an email to all users with a password that expires in 30 days, it will keep doing so until they change it.

For the helpdesk

You can also change the script to send the email directly to the IT helpdesk, so that they can manually contact the user. Or you can do it both, or create a copy script and task with the $ExpireDays set to 2 and the email to IT Helpdesk, so that the user has a month to change their password, and the IT staff can help the user before it is to late.

Tags: active-directory , exchange , ldap , microsoft , outlook , owa , password , software , windows-server