
Alert users about password expiration and account validity

Hello!
I was faced with a situation where, on January 1, many users' accounts expired and they were blocked. Accordingly, they could not work, and there was a flood of telephone calls starting on the morning of the 1st. It was decided to warn users in advance by mail about password expiration and account validity, with a copy of the list of warned users sent to the administrator.
The implementation scripts are under the cut.

First you need to install ActiveRoles Management Shell for Active Directory.

Password expiration script


The script warns ordinary users about password expiration 7 days and 3 days in advance and on the day of expiration. Top managers are warned for the 5 days before expiration.

    Add-PSSnapin Quest.ActiveRoles.ADManagement

    # Sends the password expiration warning to a single user.
    function send-eMail($to, $PasswordAge, $Days) {
        if ($PasswordAge -eq 0) {
            # Subject used on the day the password expires
            $subject = "    ."
        } else {
            # Subject used when $PasswordAge days remain
            $subject = "     $PasswordAge $Days."
        }
        write-host $to $PasswordAge
        $Enc = [Text.Encoding]::UTF8
        Send-MailMessage -to $to `
            -from "IT<it@domain.com>" `
            -subject "! $subject" `
            -body "<span style='font: 11pt serif;'> .<br/> $subject<br />   ,                .<br />          «<a href='http://portal/Pages/Instructions.aspx'></a>».<br /></span>" `
            -priority High `
            -dno onFailure `
            -smtpServer MAILSERVER `
            -BodyAsHtml `
            -Encoding $Enc
    }

    # Sends the list of warned users to an administrator.
    function send-eMail-log($log, $to, $subject) {
        $Enc = [Text.Encoding]::UTF8
        $body = "<span style='font: 10pt tahoma;'>$log</span>"
        Send-MailMessage -to $to `
            -from "IT<it@domain.com>" `
            -subject $subject `
            -body $body `
            -smtpServer MAILSERVER `
            -BodyAsHtml `
            -Encoding $Enc
    }

    # Picks the word form for "days" that goes with the number in the message.
    function get-dayCut($PasswordAge) {
        $Days = ""
        if ($PasswordAge -le 20 -and $PasswordAge -ge 5) { $Days = "" }
        if ($PasswordAge -le 4 -and $PasswordAge -ge 2) { $Days = "" }
        if ($PasswordAge -eq 1 -or $PasswordAge -eq 21) { $Days = "" }
        return $Days
    }

    # Domain maximum password age in days (45 here):
    $PasswordAgeMax = (Get-QADObject (Get-QADRootDSE).defaultNamingContextDN).MaximumPasswordAge.days
    write-host " : "$PasswordAgeMax;
    $log = ""
    $logBoss = ""

    # -- 7, 3 and 0 days ------------------------------------------------------
    Get-QADUser -SizeLimit 0 |
        Where-Object {$_.AccountIsDisabled -eq $False} |
        Where-Object {$_.PasswordNeverExpires -eq $False} |
        % {
            # Despite the name, this holds the number of days left before expiration
            $PasswordAge = $PasswordAgeMax - ($_.passwordage.days) - 1
            $PasswordAge = [int]$PasswordAge
            if ($_.parentContainer -ne "domain/General/User") {
                # Ordinary users: warn at exactly 7, 3 and 0 days
                if ($PasswordAge -eq 7 -or $PasswordAge -eq 3 -or $PasswordAge -eq 0) {
                    $Days = get-dayCut $PasswordAge
                    $addParam = $_.Title + ", " + $_.Department
                    if (($_.mail).Length -gt 0) {
                        send-eMail $_.mail $PasswordAge $Days
                        $addParam = $addParam + ", " + $_.mail
                    }
                    if ($PasswordAge -le 1) {
                        $log = $log + "<span style='color:red;'>" + $_.DisplayName + ", " + $PasswordAge + " (" + $addParam + ")</span><br />"
                    } else {
                        $log = $log + $_.DisplayName + ", " + $PasswordAge + " (" + $addParam + ")<br />"
                    }
                }
            } else {
                # Users in the domain/General/User container: warn on each of the last 5 days
                $Days = get-dayCut $PasswordAge;
                write-host $_.DisplayName": "$PasswordAge;
                # Skip the mail when the account has no address, as in the branch above
                if ($PasswordAge -le 5 -and $PasswordAge -ge 0 -and ($_.mail).Length -gt 0) {
                    send-eMail $_.mail $PasswordAge $Days
                }
                if ($PasswordAge -le 0) {
                    $logBoss = $logBoss + $_.DisplayName + ",    (" + $_.mail + ", " + $_.telephoneNumber + ")<br />"
                } elseif ($PasswordAge -le 5 -and $PasswordAge -gt 0) {
                    $logBoss = $logBoss + $_.DisplayName + ",    " + $PasswordAge + " " + $Days + " (" + $_.mail + ", " + $_.telephoneNumber + ")<br />"
                }
            }
        }

    # Copy of the warned-user lists for the administrators
    if ($log.Length -gt 0) {
        send-eMail-log $log "IT<it@domain.com>" "  "
    }
    if ($logBoss.Length -gt 0) {
        "admin1", "admin2", "admin3" | % {send-eMail-log $logBoss "$_@domain.com" "    "}
    }
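The script above derives the days remaining from the domain-wide MaximumPasswordAge, which does not reflect fine-grained password policies applied to individual users. As an added example (not part of the original post), the same 7/3/0-day check can be computed from each user's msDS-UserPasswordExpiryTimeComputed attribute, with its two sentinel values handled; the function name and the sample users are hypothetical, and the dates are constructed.

```powershell
# Added example, not from the original post. Function name and sample data are
# hypothetical; the file-time values below are constructed.
function Get-DaysUntilPasswordExpiry {
    param(
        [Parameter(Mandatory = $true)]
        [long] $ExpiryFileTime,              # value of msDS-UserPasswordExpiryTimeComputed
        [datetime] $Today = (Get-Date).Date
    )
    # 0: password must be changed at next logon. Int64.MaxValue: never expires.
    # Neither is a real date, and FromFileTime() throws on the second one.
    if ($ExpiryFileTime -eq 0 -or $ExpiryFileTime -eq [long]::MaxValue) {
        return $null
    }
    $expiry = [datetime]::FromFileTime($ExpiryFileTime)
    # Compare calendar dates so the result does not depend on the hour the task runs.
    return ($expiry.Date - $Today.Date).Days
}

# Constructed sample input. Live input would come from (assuming the RSAT
# ActiveDirectory module is installed):
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'
$today = [datetime]'2024-01-10'
$sampleUsers = @(
    [pscustomobject]@{ Name = 'alice'; Expiry = ([datetime]'2024-01-17 09:30').ToFileTime() }
    [pscustomobject]@{ Name = 'bob';   Expiry = ([datetime]'2024-01-13 23:50').ToFileTime() }
    [pscustomobject]@{ Name = 'erin';  Expiry = ([datetime]'2024-01-15 08:00').ToFileTime() }
    [pscustomobject]@{ Name = 'carol'; Expiry = [long]::MaxValue }   # never expires
    [pscustomobject]@{ Name = 'dave';  Expiry = [long]0 }            # must change at next logon
)

$warnOn = 7, 3, 0   # same thresholds as the script above
foreach ($u in $sampleUsers) {
    $left = Get-DaysUntilPasswordExpiry -ExpiryFileTime $u.Expiry -Today $today
    if ($null -ne $left -and $warnOn -contains $left) {
        '{0}: {1} day(s) left, send warning' -f $u.Name, $left
    }
}
```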


Account expiration script


The script warns users about account expiration 30, 20, 14, 7 and 5 days in advance.

    Add-PSSnapin Quest.ActiveRoles.ADManagement

    # Sends the account expiration warning to a single user.
    function send-eMail($to, $lsDayCount) {
        write-host $to $lsDayCount;
        $Enc = [Text.Encoding]::UTF8
        Send-MailMessage -to $to `
            -from "IT<it@domain.com>" `
            -subject "!      $lsDayCount " `
            -body "<span style='font: 12pt serif;'> .<br/>        $lsDayCount .</span>" `
            -priority High `
            -dno onFailure `
            -smtpServer MAILSERVER `
            -BodyAsHtml `
            -Encoding $Enc
    }

    # Sends the list of warned users to an administrator.
    function send-eMail-log($log, $to, $subject) {
        $Enc = [Text.Encoding]::UTF8
        $body = "<span style='font: 10pt tahoma;'>" + $log + "</span>"
        #-Cc "admin1@domain.com"
        Send-MailMessage -to $to `
            -from "it@domain.com" `
            -subject $subject `
            -body $body `
            -smtpServer MAILSERVER `
            -BodyAsHtml `
            -Encoding $Enc
    }

    # Returns the value (followed by ", " when $lbComma is set), or "" when it is empty.
    function check-null($lsPar, $lbComma) {
        $lsTmp = $lsPar;
        if ($lsPar.Length -gt 0) {
            if ($lbComma) {
                $lsTmp = $lsPar + ", ";
            }
        } else {
            $lsTmp = "";
        }
        return $lsTmp;
    }

    # -- 5, 7, 14, 20, 30 days ------------------------------------------------
    $targetdate5 = ((get-date).AddDays(5)).ToShortDateString();
    $targetdate7 = ((get-date).AddDays(7)).ToShortDateString();
    $targetdate14 = ((get-date).AddDays(14)).ToShortDateString();
    $targetdate20 = ((get-date).AddDays(20)).ToShortDateString();
    $targetdate30 = ((get-date).AddDays(30)).ToShortDateString();
    $gLog = "";
    $gLog5 = "";
    $gLog7 = "";
    $gLog14 = "";
    $gLog20 = "";
    $gLog30 = "";
    write-host $targetdate5 $targetdate7 $targetdate14 $targetdate20 $targetdate30;

    Get-QADUser -SizeLimit 0 |
        Where-Object {$_.AccountExpires -ne $null} |
        Where-Object {$_.AccountIsDisabled -eq $False} |
        % {
            $gObjUser = $_;
            $gsUserOpt = "";
            5,7,14,20,30 | % {
                # Warn only when the account expires exactly $_ days from today
                $targetdate = ((get-date).AddDays($_)).ToShortDateString();
                if (($gObjUser.AccountExpires).ToShortDateString() -eq $targetdate) {
                    write-host $gObjUser.DisplayName"`t"($gObjUser.AccountExpires).ToShortDateString();
                    if (($gObjUser.mail).Length -gt 0) {
                        send-eMail $gObjUser.mail $_;
                    }
                    # Build "DisplayName (Title, Department, mail, phone)" for the admin log
                    $gsUserOpt = (check-null $gObjUser.Title $TRUE) + (check-null $gObjUser.Department $TRUE) + (check-null $gObjUser.mail $TRUE) + (check-null $gObjUser.telephoneNumber $FALSE);
                    if ($gsUserOpt.Length -gt 0) {
                        # Drop a trailing ", " left when the last field is empty
                        if ($gsUserOpt.substring($gsUserOpt.length - 2, 2) -eq ", ") {
                            $gsUserOpt = $gsUserOpt.substring(0, $gsUserOpt.length - 2);
                        }
                        $gsUserOpt = " (" + $gsUserOpt +")";
                    }
                    $gsUserOpt = $gObjUser.DisplayName + $gsUserOpt +"<br />";
                    switch ($_) {
                        5 {$gLog5 = $gLog5 + $gsUserOpt; break}
                        7 {$gLog7 = $gLog7 + $gsUserOpt; break}
                        14 {$gLog14 = $gLog14 + $gsUserOpt; break}
                        20 {$gLog20 = $gLog20 + $gsUserOpt; break}
                        30 {$gLog30 = $gLog30 + $gsUserOpt; break}
                    }
                }
            }
        }

    # Assemble the per-threshold sections of the administrators' report
    if ($gLog5.Length -gt 0) { $gLog = "<strong>5 ,  $targetdate5</strong><br />" + $gLog5 + "<br />"}
    if ($gLog7.Length -gt 0) { $gLog = $gLog + "<strong>7 ,  $targetdate7</strong><br />" + $gLog7 + "<br />"}
    if ($gLog14.Length -gt 0) { $gLog = $gLog + "<strong>14 ,  $targetdate14</strong><br />" + $gLog14 + "<br />"}
    if ($gLog20.Length -gt 0) { $gLog = $gLog + "<strong>20 ,  $targetdate20</strong><br />" + $gLog20 + "<br />"}
    if ($gLog30.Length -gt 0) { $gLog = $gLog + "<strong>30 ,  $targetdate30</strong><br />" + $gLog30 + "<br />"}
    if ($gLog.Length -gt 0) {
        "admin1", "admin2", "admin3" | % {send-eMail-log $gLog "$_@domain.com" "   "}
    }


Warn users in advance. Comments are welcome.

Source: https://habr.com/ru/post/204796/

