Active Directory Password Expiring Email Notification


Does your first-line help desk get fed up with having to reset end users' passwords "because they didn't know their password was expiring"?

Well, let us show you a way to use System Center Orchestrator (SCORCH), PowerShell and Active Directory Web Services (ADWS) to email all end users a few days before their password is due to expire, and to keep sending them a daily email if they still have not changed their password after the first notification.

Prerequisites

You will need to have SCORCH set up in your environment, and also ADWS, so that our PowerShell script can talk to your Active Directory to get the account information.

You will also need a good understanding of Active Directory, SCORCH Runbooks, PowerShell and Email. But we will try to make this as simple as possible.

Instructions

First of all, we need to load up SCORCH and create a new runbook. Give the runbook an appropriate name and then drag in a Monitor Date/Time activity from under the Scheduling branch:

[Screenshot 1]

Now, you have a choice to make on how often you want this runbook to run. For the purposes of this guide, we are going to run it every Monday at 8am. So, double click the Monitor Date/Time item, click the Details tab on the left and enter 08:00 under the Interval section:

[Screenshot 2]

You can also go ahead and click the General tab and give the item a better name. For this guide, we have called it 08:00 Check.

So we now have our runbook set up to run at 08:00 every day, but we only want it to run on a Monday. To do this, we need to create a schedule under Global Settings > Schedules:

[Screenshot 3]

Right click the Schedules folder and click New > Schedule. This will bring up the New Schedule box. Enter an appropriate name for the schedule and then click on the Details tab, which shows the Days of week radio buttons. Make your selections and ensure that you tick all of the Occurrence tick boxes, so you end up with something similar to this:

[Screenshot 4]

Now we go back into our runbook, add a Check Schedule activity from under the Scheduling section and link the two activities together:

[Screenshot 5]

Then double click the Check Schedule item, give it an appropriate name (we have called ours Check Mondays) and click on the Details tab. From here, click the three dots in the box and browse to the schedule we just created:

[Screenshot 6]

Then go ahead and click the Finish button.

Now we need to add our PowerShell script to the runbook, so add a Run .Net Script item from under the System section and then join the Check Mondays item to the Run .Net Script:

[Screenshot 7]

Now double click the link highlighted in blue in the above image. This will bring up the Include Filters box:

[Screenshot 8]

Click on the Check Mondays link within the Include Filters tab. This will bring up a Published Data box where you should select the Conforms to schedule option and click the OK button:

[Screenshot 9]

Then click on the Value option, which will bring up a drop down; select the value True:

[Screenshot 10]

Click on the OK button and you should have an Include Filter that looks like this:

[Screenshot 11]

Now we move back to our Run .Net Script. Double click it and it will take you to the Language Type setting. Click the three dots button and select PowerShell:

[Screenshot 12]

Now we need to enter our PowerShell into the Script section. The PowerShell script we are going to use is below. Note that msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME value; accounts whose value is 0 (must change password at next logon) or Int64.MaxValue (no maximum password age applies) are skipped, because converting those values to a date fails:

Import-Module ActiveDirectory

# Number of days ahead to look for expiring passwords
$SpanDays = 5

# Output arrays; each one becomes a Published Data item in SCORCH
$Displayname = @()
$Mail = @()
$Days = @()
$Sam = @()
$DN = @()

# Get all enabled users whose password can expire and work out the expiry date
# from the computed attribute. Skip the 0 and Int64.MaxValue sentinel values,
# which are not valid FILETIME dates and would make FromFileTime throw.
$Users = Get-ADUser -Filter {(Enabled -eq $True) -and (PasswordNeverExpires -eq $False)} `
    -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed, Mail, samaccountname, distinguishedName |
    Where-Object { $_.DisplayName -ne $null -and
                   $_.'msDS-UserPasswordExpiryTimeComputed' -gt 0 -and
                   $_.'msDS-UserPasswordExpiryTimeComputed' -lt [int64]::MaxValue } |
    Select-Object Mail, samaccountname, distinguishedName, DisplayName,
        @{Name = 'ExpiryDate'; Expression = { [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') }}

# Check whether each user's password expires within the next $SpanDays days
# (TotalDays is used so that the comparison is numeric, not a TimeSpan-to-string one)
foreach ($Entry in $Users) {
    $Span = New-TimeSpan -Start (Get-Date) -End $Entry.ExpiryDate
    if ($Span.TotalDays -le $SpanDays -and $Span.TotalDays -gt 0) {
        $Displayname += $Entry.DisplayName
        $Mail += $Entry.Mail
        $Days += $Span.Days
        $Sam += $Entry.samaccountname
        $DN += $Entry.distinguishedName
    }
}
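To try the expiry logic outside SCORCH before wiring it into a runbook, here is an added example (not code from the original post) that classifies accounts by their msDS-UserPasswordExpiryTimeComputed value, including the two sentinel values a live domain can return: 0 for "must change at next logon" and Int64.MaxValue for "no expiry applies", both of which make [datetime]::FromFileTime throw. It runs against constructed sample accounts; the function name, the state names and the sample users are assumptions.

```powershell
# Added example, not part of the original post. Classifies accounts by the
# msDS-UserPasswordExpiryTimeComputed attribute without touching a domain.
function Get-PasswordExpiryState {
    param(
        # Objects exposing SamAccountName, Mail and
        # 'msDS-UserPasswordExpiryTimeComputed' (a FILETIME as Int64)
        [Parameter(Mandatory)][object[]]$Accounts,
        [int]$SpanDays = 5,            # notification window, as in the post
        [datetime]$Now = (Get-Date)    # injectable so results are repeatable
    )
    foreach ($acct in $Accounts) {
        $raw = [int64]$acct.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        $daysLeft = $null
        if ($raw -eq 0) {
            $state = 'MustChangeAtLogon'   # pwdLastSet is 0
        } elseif ($raw -ge [int64]::MaxValue) {
            $state = 'NeverExpires'        # 0x7FFFFFFFFFFFFFFF: no max age applies
        } else {
            $expiry   = [datetime]::FromFileTime($raw)
            $left     = ($expiry - $Now).TotalDays
            $daysLeft = [int][math]::Floor($left)
            if ($left -le 0)             { $state = 'Expired' }
            elseif ($left -le $SpanDays) { $state = 'ExpiringSoon' }
            else                         { $state = 'Ok' }
        }
        [pscustomobject]@{
            SamAccountName = $acct.SamAccountName
            Mail           = $acct.Mail
            ExpiryDate     = $expiry
            DaysLeft       = $daysLeft
            State          = $state
        }
    }
}

# Constructed sample accounts (not real users) around a fixed "now"
$now = Get-Date '2024-03-04 08:00'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Mail = 'alice@example.test'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';   Mail = 'bob@example.test';   'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(20).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'carol'; Mail = 'carol@example.test'; 'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'dave';  Mail = 'dave@example.test';  'msDS-UserPasswordExpiryTimeComputed' = 0 }
)

# Only 'alice' should come out as ExpiringSoon, with 3 days left
Get-PasswordExpiryState -Accounts $sample -Now $now |
    Where-Object State -eq 'ExpiringSoon' |
    Format-Table SamAccountName, Mail, ExpiryDate, DaysLeft, State
```

Drop the Where-Object stage to see how carol and dave are classified instead of crashing the run, which is the behaviour you want to confirm before the runbook goes live.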

Once you have entered the script, click on the Published Data tab:

[Screenshots 13 and 14]

Click on the Add button to enter each published data you want to use. These are the values you should enter:

  • Displayname
  • Mail
  • Days
  • Sam
  • DN

All of these should be string types and the Variable names should match the script's variable names. Because each variable holds one element per matching user, SCORCH runs the downstream activity once for every user returned. You should end up with something like this:

[Screenshot 15]

You can now go ahead and click on the Finish button.

We now need to add the final piece to the runbook – the email that will be sent to the end user. Under the Email activity, add a Send Email item to the end of the runbook and join the Run .Net Script to it:

[Screenshot 16]

Double click the Send Email item and set up your email as usual (i.e. the Connect tab with the sender address and mail server); you can now also use the Published Data to build your email body.

The only part that should not be customised is the recipients. This should be the Published Data {Mail from "Run .Net Script"}, as this is the address the email will be sent to. You could also add your help desk to the CC or BCC if they want to know that an end user has been notified that their password is expiring.

Click Finish, then Check In and Run your runbook. Every user whose password is due to expire in the next 5 days should now get an email as you specified.

You can change any of the options to suit your environment, but this is a great process to have in place once completed and should save your help desk a lot of unnecessary work (even if it just means telling an end user that they must have ignored the alerts that their password was expiring!).

Feedback

If you have any questions or feedback on this guide, please feel free to leave us a message below in our comments section and we will get back to you as soon as we can.


About Andrew Armstrong

Founder of TechyGeeksHome and Head Editor for over 15 years! IT expert in multiple areas for over 26 years. Sharing experience and knowledge whenever possible! Making IT Happen.
