omniomi

ADPasswordExpiration-Refactored.ps1

Jan 24th, 2017
  1. <#
  2.    
  3.     On Null Email Addresses
  4.  
  5.         If the user has no email address specified, the script will check extensionAttribute6 for an
  6.         email address. If extensionAttribute6 is null $DefaultTo will be used instead.
  7.  
  8.         You should place an email address in extensionAttribute6 for service accounts and admin accounts
  9.         that do not have their own email address.
  10.  
  11. #>
  12.  
  13. #########################################################################
  14. # User Variables
  15. #########################################################################
  16. # Days out from expiry on which to send emails as an array.
  17. # ie, (5, 2, 1) will send emails if the password is set to expire in 5 days, 2 days, or 1 day.
  18. $SendEmails = @(10,5,4,3,2,1)
  19.  
  20. # Email Variables
  21. $MailFrom = "passwords@company.com" # Send email from
  22. $MailSMTPServer = "10.25.25.25" # Send email via
  23. $DefaultTo = "itteam@company.com" # Send email here if user has no email address and extensionAttribute6 is null or an invalid address.
  24.  
  25. # Subject and Body - {0} replaces with number of days, {1} replaces with the user's full name.
  26. $MailSubject = "Your Password is Set to Expire in {0} Days"
  27.  
  28. $MailBody = @"
  29. Good Morning,
  30.  
  31. The network password for {1} will expire in {0} days. Please change your password as soon as possible using the instructions below.
  32.  
  33. From a computer on our network:
  34. 1. Press Ctrl+Alt+Delete on your keyboard.
  35. 2. Select "Change Password" from the menu.
  36. 3. Enter your old password in the top box.
  37. 4. Enter and confirm your new password.
  38. 5. Click "Change."
  39.  
  40. Complexity requirements:
  41. - Your password must be at least 15 characters in length.
  42. - Your password must contain three of the following four types of characters: lowercase letters, uppercase letters, numbers, and special characters (i.e. $, @, *, !)
  43. - Your password may not be one of the last 5 passwords you have used.
  44. - Your password may not contain your first name, last name, or username.
  45.  
  46. Regards,
  47. IT Support
  48. "@
  49.  
  50. #########################################################################
  51. # Static Variables - Do Not Change
  52. #########################################################################
  53. # $ExpireDays is the highest number found in $SendEmails.
  54. $ExpireDays = $($SendEmails | Measure-Object -Maximum).Maximum
  55.  
  56. # Create the output aaray.
  57. $Output = @()
  58.  
  59. #########################################################################
  60. # Script Logic
  61. #########################################################################
  62. # Send email function.
  63. function Send-ExpireEmail ($To, $From, $SMTPServer, $Subject, $Body, $Days, $Name)
  64. {
  65.     $FinalBody = $Body -f $Days, $Name
  66.     if ($Days -eq "1")
  67.     {
  68.         $FinalBody = $FinalBody -ireplace "Days", "Day"
  69.     }
  70.     $FinalSubject = $Subject -f $Days, $Name
  71.     if ($Days -eq "1")
  72.     {
  73.         $FinalSubject = $FinalSubject -ireplace "Days", "Day"
  74.     }
  75.    
  76.     Send-MailMessage -To $To -Subject $FinalSubject -Body $FinalBody -SmtpServer $SMTPServer -From $From
  77. }
  78.  
  79. # Find expiring users that match criteria.
  80. ## Retrieve relevant properties from objects.
  81. $ADProperties = @(
  82.     'PasswordLastSet',
  83.     'PasswordNeverExpires',
  84.     'extensionAttribute6',
  85.     'Mail',
  86.     'msDS-UserPasswordExpiryTimeComputed'
  87. )
  88.  
  89. ## Select relevant properties from query.
  90. $ADSelect = @(
  91.     'Name',
  92.     'Mail',
  93.     'extensionAttribute6',
  94.     'PasswordLastSet',
  95.     @{n = 'PasswordExpirationDate'; e = {[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}},
  96.     @{n = 'PasswordDaysToExpired'; e = {(New-Timespan -End ([datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed'))).Days}}
  97. )
  98.  
  99. ## User Query
  100. $Users = Get-ADUser -Properties $ADProperties -Filter {(PasswordNeverExpires -eq $False) -and (Enabled -eq $true)} | Select-Object $ADSelect | Where-Object {($_.PasswordDaysToExpired -le $ExpireDays) -and ($_.PasswordDaysToExpired -ge 0)}
  101.  
  102. # Determine attributes and whether or not to send email based on $SendEmail
  103. foreach ($User in $Users)
  104. {
  105.     $Span = $User.PasswordDaysToExpired
  106.    
  107.     if ($Span -in $SendEmails)
  108.     {
  109.        
  110.         if ($User.Mail -eq $null -and $User.extensionAttribute6 -eq $null)
  111.         {
  112.             $MailTo = $DefaultTo
  113.         }
  114.         elseif ($User.Mail -eq $null -and $User.extensionAttribute6 -match "^(?("")("".+?""@)|(([0-9a-zA-Z]((\.(?!\.))|[-!#\$%&'\*\+/=\?\^`\{\}\|~\w])*)(?<=[0-9a-zA-Z])@))(?(\[)(\[(\d{1,3}\.){3}\d{1,3}\])|(([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,6}))$")
  115.         {
  116.             $MailTo = $User.extensionAttribute6
  117.         }
  118.         else
  119.         {
  120.             $MailTo = $User.Mail
  121.         }
  122.        
  123.         $Output += New-Object -TypeName PSObject -Property @{
  124.             Name = $User.Name
  125.             Email = $MailTo
  126.             Expires = $User.PasswordExpirationDate
  127.             Span = $Span
  128.         }
  129.     }
  130. }
  131. # Per-user that meets criteria: send emails.
  132. foreach ($ExpiringUser in $Output)
  133. {
  134.     #Call Send-ExpireEmail
  135.     Send-ExpireEmail -To $($ExpiringUser.Email) -From $MailFrom -SMTPServer $MailSMTPServer -Subject $MailSubject -Body $MailBody -Days $($ExpiringUser.Span) -Name $($ExpiringUser.Name)
  136. }
  137.  
  138. # Use for testing
  139. # Comment out foreach loop above to supress emails while testing.
  140. ## $Output | Sort-Object span | Format-Table