
Notifying users about certificate expiry with PowerShell

Recently I was given the task of notifying users about the expiry of the certificate on their eToken, the device they use to authenticate at their workstations.
Certificates on the eTokens are issued by the Windows Certification Authority for one year. Users had to be notified a week in advance so that they could come to the IT department in time to renew.
The task was complicated by the fact that the owner's e-mail address is not stored in the certificates, so it had to be taken from AD.
Aladdin offers its own Token Management System for this, but it is a paid product, and using it only for notifications is hardly justified.
The main resource for writing this script was this site (which, incidentally, has a lot of good material on working with a certification authority from PowerShell).
To find a user's e-mail address in AD I used the ActiveRoles Management Shell for Active Directory (Quest); the module can be downloaded from www.quest.com/powershell/activeroles-server.aspx
On Windows 7 I had no problems, but on XP or Server 2003 additional components have to be installed first. More on that, with download links and a description of the commands, is written here.

# Load the Quest ActiveRoles snap-in; it is used later to look up the user's mail address in AD
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Connect to the CA database through the ICertView COM interface (server\CA name)
$CaView = New-Object -ComObject CertificateAuthority.View
$CaView.OpenConnection("serv\NEWCERTSERV")

# Columns we want back: request ID, requester (DOMAIN\user) and the expiry date
$properties = "RequestID","Request.RequesterName","NotAfter"
$CaView.SetResultColumnCount($properties.Count)
$properties | %{ $CaView.SetResultColumn($CaView.GetColumnIndex($False, $_)) }

# Restrict NotAfter to the next 7 days: 0x8 = CVR_SEEK_GE (now), 0x4 = CVR_SEEK_LE (now + 7 days)
$RColumn = $CaView.GetColumnIndex($False, "NotAfter")
$CaView.SetRestriction($RColumn, 0x8, 0, [datetime]::Now)
$CaView.SetRestriction($RColumn, 0x4, 0, (Get-Date).AddDays(7))
# Only issued certificates: Disposition = 20 (1 = CVR_SEEK_EQ); revoked or pending requests are skipped
$RColumn = $CaView.GetColumnIndex($False, "Disposition")
$CaView.SetRestriction($RColumn, 1, 0, 20)

# Walk the result rows and turn each one into a PSObject with one property per column
$Certs = @()
$Row = $CaView.OpenView()
while ($Row.Next() -ne -1) {
    $Cert = New-Object psobject
    $Column = $Row.EnumCertViewColumn()
    while ($Column.Next() -ne -1) {
        # GetName() returns the schema column name, e.g. "Request.RequesterName"; 1 = CV_OUT_BASE64 output flag
        $Cert | Add-Member -MemberType NoteProperty -Name $($Column.GetName()) -Value $($Column.GetValue(1)) -Force
    }
    $Certs += $Cert
    $Column.Reset()
}
$Row.Reset()

# Summary of all expiring certificates, sent to the administrators at the end
$Body = ""
# SMTP server used for all notifications
$smtp = New-Object net.mail.smtpclient("mailserv")

# One message per expiring certificate, addressed to its owner
foreach ($i in $Certs) {
    $Body_One = "Request ID: " + $i.RequestID + ", user: " + $i.{Request.RequesterName} + ", expires: " + $i.NotAfter + "`n"

    # The certificate carries no e-mail address, so take it from the user's AD account;
    # RequesterName is DOMAIN\user, which Get-QADUser accepts as an identity
    $user_mail = Get-QADUser $i.{Request.RequesterName} -DontUseDefaultIncludedProperties -IncludedProperties 'mail' -SerializeValues
    if ($user_mail -and $user_mail.mail) {
        $smtp.Send("notice@domain.ru", $user_mail.mail, "Your eToken certificate is about to expire", $Body_One + "To renew your eToken, come to the IT department, room 666.")
    } else {
        # No address in AD: the user cannot be notified; flag it in the admin summary instead
        $Body_One += "  (no mail address in AD, user not notified)`n"
    }

    $Body += $Body_One
}

# Send the summary to the administrators (add further addresses to this list as needed)
$admins = @("adm1@domain.ru")
If ($Body -ne "") {
    foreach ($admin in $admins) {
        $smtp.Send("notice@domain.ru", $admin, "eToken certificates expiring this week", $Body)
    }
}

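The script above notifies about every issued certificate whose NotAfter falls in the window, so a user who has already renewed (and therefore has a newer certificate with a later NotAfter) still gets a notice about the old one. The following is an added example, not code from the original post: it keeps only the latest certificate per requester before applying the window, looks up the mail address with the built-in ActiveDirectory module (Get-ADUser) instead of the Quest snap-in, and supports a dry run before sending. For the dedup to work the CA query must not apply the upper NotAfter bound (keep Disposition = 20 and NotAfter >= now), otherwise the renewed certificate is never returned. The domain, server and user names and the sample rows are constructed for illustration.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module (Get-ADUser) instead of the Quest snap-in; domain, server and user names
# and the sample rows are constructed for illustration.
Import-Module ActiveDirectory

# Keep only requesters whose *latest* issued certificate expires within $Days.
# The rows are expected to carry RequestID, RequesterName and NotAfter properties
# (the CA view loop in the post stores the requester as "Request.RequesterName";
# rename it or adjust the property name here).
function Select-ExpiringRequesters {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Rows,
        [datetime] $Now = (Get-Date),
        [int] $Days = 7
    )
    $latestPerUser = $Rows |
        Group-Object -Property RequesterName |
        ForEach-Object { $_.Group | Sort-Object -Property NotAfter -Descending | Select-Object -First 1 }
    $latestPerUser | Where-Object { $_.NotAfter -ge $Now -and $_.NotAfter -le $Now.AddDays($Days) }
}

# The CA records the requester as DOMAIN\sAMAccountName; look the account up in AD
# and return its mail attribute, or $null if the account or the attribute is missing.
function Resolve-RequesterMail {
    param([Parameter(Mandatory=$true)] [string] $RequesterName)
    $sam = $RequesterName.Split('\')[-1]
    try {
        $user = Get-ADUser -Identity $sam -Properties mail -ErrorAction Stop
    } catch {
        return $null
    }
    if ([string]::IsNullOrWhiteSpace($user.mail)) { return $null }
    return $user.mail
}

# Send the notice, or only print it when -DryRun is given (useful before the first real run).
function Send-ExpiryNotice {
    param(
        [Parameter(Mandatory=$true)] $Row,
        [Parameter(Mandatory=$true)] [string] $To,
        [string] $SmtpServer = 'mailserv',        # assumed mail relay
        [string] $From = 'notice@domain.ru',      # assumed sender
        [switch] $DryRun
    )
    $subject = 'Your eToken certificate is about to expire'
    $body = "Certificate request $($Row.RequestID) expires on $($Row.NotAfter.ToString('yyyy-MM-dd')).`n" +
            "Please visit the IT department to renew your eToken."
    if ($DryRun) {
        Write-Host "[dry run] To: $To`nSubject: $subject`n$body`n"
        return
    }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body $body `
        -Encoding ([System.Text.Encoding]::UTF8)
}

# Constructed sample rows: ivanov has already renewed (second row), petrov has not.
$today = Get-Date
$sample = @(
    (New-Object psobject -Property @{ RequestID = 101; RequesterName = 'CORP\ivanov'; NotAfter = $today.AddDays(3) })
    (New-Object psobject -Property @{ RequestID = 250; RequesterName = 'CORP\ivanov'; NotAfter = $today.AddDays(360) })
    (New-Object psobject -Property @{ RequestID = 102; RequesterName = 'CORP\petrov'; NotAfter = $today.AddDays(5) })
)

$toNotify = Select-ExpiringRequesters -Rows $sample -Now $today
# $toNotify now holds only the CORP\petrov row; ivanov's latest certificate is a year out.

foreach ($row in $toNotify) {
    $mail = Resolve-RequesterMail -RequesterName $row.RequesterName
    if (-not $mail) {
        Write-Warning "No mail attribute for $($row.RequesterName); add to the admin summary instead"
        continue
    }
    Send-ExpiryNotice -Row $row -To $mail -DryRun
}
```

Run it once with -DryRun on the real CA rows and compare the list against the CA snap-in before removing the switch; the account that is skipped because it has no mail attribute is exactly the case the original script would have crashed on in SmtpClient.Send.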

To run the script from a file, the execution policy must allow local scripts: run Set-ExecutionPolicy RemoteSigned from an elevated PowerShell. Note that RemoteSigned still executes any unsigned script created locally; if the script is deployed as a scheduled task, signing it and using AllSigned is the stricter option.


Source: https://habr.com/ru/post/138183/
