Password Expiration Notification with PowerShell

Your password is expiringYou may have seen this message if you work from a PC connected to a domain. Windows is letting you know that your password is expiring soon, and you should change it. This is an extremely helpful feature provided you are using a Windows PC connected to your domain as your primary device. But what if you’re using a Mac, or a mobile device (i.e. phone, tablet), or if you have vendor AD accounts whose devices are not joined to your domain? I have received too many tickets from vendors not being able to successfully authenticate to the VPN due to their password expiring. Some VPN clients don’t allow the user to reset their password after their password has expired resulting in a password reset service ticket. If only there was a way to notify users before their password expires regardless of the device they’re using.

Introducing Send-ADUserPasswordExpirationNotification

I wrote a PowerShell module (MrAADAdministration) to send email notifications to Active Directory users whose passwords are expiring within a set number of days. The function Send-ADUserPasswordExpirationNotification by default gets all users whose passwords are expiring within 10 days and sends the user a friendly email to remind them to change their password.

Requirements and Features

The user must have an email address populated in their AD account. You can filter usernames by pattern and/or scope your search base via distinguished name. If you’d like to notify the users earlier than the default ten days, you can just set the NotificationStartDay parameter. Let’s look at how you’d implement this for your own domain.

Get-Started

Download the module from the PowerShell Gallery.

After you have installed the module, you may wish to customize the email notification message to include your service desk contact information. You can also modify the default parameter values for the from, to, and SMTP addresses.

After you have customized the message you’re ready to send your first test notification.

Example:

Assuming everything works you should receive two emails. One email will be the notification email informing you of your password expiring. The other email will be the detailed report of all evaluated user accounts and if they were sent a notification.

Once you have tweaked your default parameter values and notification message you’re ready to schedule the script to run via Task Scheduler on a daily or weekly basis.

We’ve been using this process for over a year now, and it’s helped cut down on many of the tickets for password resets.

But wait, there’s more..

There is more in the MrAADAdministration module, but we’ll save that for another day.