UPDATE: March 1, 2020
Please use the updated script: https://thesysadminchannel.com/get-password-expiration-date-using-powershell-active-directory/
Chances are if you manage users in your organization, you're going to need to check password expirations in Active Directory to see whose account is in need of a password change. This can be especially useful if you would like to notify those users several days in advance so they're not calling the help desk on the day of.
We want to automate as much of this as possible and luckily, we have PowerShell to do all the heavy lifting.
Powershell Script to Check Password Expirations in Active Directory
```powershell
<#
    #requires -Module ActiveDirectory

    .SYNOPSIS
        Checks to see if the account is X days within password expiration.
        For updated help and examples refer to -Online version.

    .DESCRIPTION
        In this example if the $emailDate is set to -80 and $expiredDate is set to -90
        it will show all users whose passwords are within 10 days of expiration.
        For updated help and examples refer to -Online version.

    .NOTES
        Name: Get-PasswordExpiredUsers.ps1
        Version: 1.0
        Author: The Sysadmin Channel
        Date of last revision: 3/18/2017

    .LINK
        https://thesysadminchannel.com/powershell-script-check-password-expirations-in-active-directory
#>

Import-Module ActiveDirectory

#Set the number of days within expiration. This will start to send the email x number of days before it is expired.
$DaysWithinExpiration = 10

#Set the days where the password is already expired and needs to change. -- Do Not Modify --
#Note: this reads the default domain policy only; accounts covered by a fine-grained password policy (PSO)
#may have a different MaxPasswordAge and will be reported incorrectly.
$MaxPwdAge   = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$expiredDate = (Get-Date).AddDays(-$MaxPwdAge)

#Set the number of days until you would like to begin notifying the users. -- Do Not Modify --
$emailDate = (Get-Date).AddDays(-($MaxPwdAge - $DaysWithinExpiration))

#Filters for all enabled users whose password is within $DaysWithinExpiration days of expiration.
$ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -lt $emailDate) -and (PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail |
    Select-Object SamAccountName,
        PasswordLastSet,
        @{Name = "DaysUntilExpired"; Expression = {($_.PasswordLastSet - $expiredDate).Days}},
        @{Name = "EmailAddress";     Expression = {$_.Mail}} |
    Sort-Object PasswordLastSet

$ExpiredUsers
```
Copy and paste the contents of this file and save it as Get-PasswordExpiredUsers.ps1. Make sure you run the script as an administrator. When you run the file it should look something like this.
Great!! We have the script, but what good does that do us if we don't notify them? After all, that was the point to begin with, right? Of course it was. We want to automate the milk out of this so we can basically set it and forget it.
Send Email to Notify Users of Password Expiration
Now we just have to append this part to the rest of the script so we can notify our users automatically. Here is the rest of the script.
```powershell
Start-Sleep 5

foreach ($User in $ExpiredUsers) {
    # Skip accounts with no mail attribute; $msg.To.Add($null) would throw and abort the loop.
    if (-not $User.EmailAddress) { continue }

    # Creating .NET Objects
    $msg = New-Object Net.Mail.MailMessage

    # Setting up the email parameters.
    $msg.From    = "admin@" + ($env:userdnsdomain).ToLower()
    $msg.To.Add($User.EmailAddress)
    $msg.Subject = "Your Password Will Expire in " + $User.DaysUntilExpired + " days"
    $msg.Body    = "Hello,`n`nThis email is to notify you that your password will expire in " + $User.DaysUntilExpired + " days.`n`nPlease consider changing it to avoid any service interruptions.`n`nThank you,`nThe I.T. Department."

    # Send an email with an alert
    $smtpServer = "mailhost"
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($msg)
    Start-Sleep 2

    Remove-Variable msg
    Remove-Variable smtp
    Remove-Variable smtpServer
}
```
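As an added example that is not part of the original script, here is a variant of the check-and-notify procedure above that reads each account's expiry from the constructed attribute msDS-UserPasswordExpiryTimeComputed. That attribute already honours fine-grained password policies, so no MaxPasswordAge arithmetic is needed, and accounts whose password never expires or has no expiry set are filtered out before the FILETIME conversion. Accounts with no mail attribute are skipped rather than crashing the loop, and a -DryRun switch prints what would be sent instead of sending it. The SMTP host name, the sender address, the parameter names and the $DryRun switch are assumptions made for this example.

```powershell
# Added example, not the original Get-PasswordExpiredUsers.ps1.
# Assumptions: 'mailhost.example.com' and the sender address are placeholders.
#requires -Module ActiveDirectory
param(
    [int]$DaysWithinExpiration = 10,
    [string]$SmtpServer = 'mailhost.example.com',            # placeholder, set to your relay
    [string]$From = "admin@$(($env:USERDNSDOMAIN).ToLower())",
    [switch]$DryRun                                           # print instead of sending
)
Import-Module ActiveDirectory

$now  = Get-Date
# Constructed attribute: expiry as a FILETIME, computed per user, PSO-aware.
# 0 means no expiry is computed (e.g. must-change-at-next-logon); [long]::MaxValue means never expires.
$attr = 'msDS-UserPasswordExpiryTimeComputed'

$expiring = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -Properties Mail, PasswordLastSet, $attr |
    Where-Object { $_.$attr -and $_.$attr -ne [long]::MaxValue } |
    ForEach-Object {
        $expiry = [datetime]::FromFileTime($_.$attr)
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            EmailAddress     = $_.Mail
            PasswordLastSet  = $_.PasswordLastSet
            ExpiryDate       = $expiry
            DaysUntilExpired = [int][math]::Floor(($expiry - $now).TotalDays)
        }
    } |
    # Keep only passwords that expire within the window (already-expired ones are negative).
    Where-Object { $_.DaysUntilExpired -ge 0 -and $_.DaysUntilExpired -le $DaysWithinExpiration } |
    Sort-Object ExpiryDate

# Show the report first, as the original script does.
$expiring | Format-Table -AutoSize

foreach ($user in $expiring) {
    if (-not $user.EmailAddress) {
        Write-Warning "$($user.SamAccountName) has no mail attribute; skipping."
        continue
    }

    $subject = "Your password will expire in $($user.DaysUntilExpired) days"
    $body = @"
Hello,

This email is to notify you that your password will expire on $($user.ExpiryDate.ToShortDateString()) ($($user.DaysUntilExpired) days from now).

Please consider changing it to avoid any service interruptions.

Thank you,
The I.T. Department.
"@

    if ($DryRun) {
        Write-Host "[DryRun] To: $($user.EmailAddress) | $subject"
        continue
    }

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $user.EmailAddress `
        -Subject $subject -Body $body -ErrorAction Continue
    Start-Sleep -Seconds 2
}
```

Run it once with `-DryRun` to confirm the report and the recipient list look right before letting it send mail; `-ErrorAction Continue` on Send-MailMessage keeps one unreachable mailbox from stopping the rest of the notifications.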
Great script. Thanks for making it available!