Password expiration and email notification

I. Presentation

In this tutorial, I propose to set up a PowerShell script that sends an e-mail notification to users X days before their Active Directory password expires, prompting them to change it before the deadline.

Depending on the environment, and provided a password policy is in place (which, unfortunately, is not always the case), password expiration on a user account can cause login problems on services that rely on Active Directory authentication. I discussed this issue in more detail in my article "Active Directory and credential caching".

One of the "solutions" is to notify users that their password is about to expire, a few days before the deadline on which they will have no choice but to change it. This is what we will set up today, using PowerShell.

II. Retrieve password expiration date with PowerShell

Within Active Directory, and more specifically on user accounts, each object has an attribute that contains the date and time at which the password expires. This value is computed from the password policy applied to the user. Here is the name of the attribute I am referring to:

msDS-UserPasswordExpiryTimeComputed

This value is visible in the GUI, with the "Active Directory Users and Computers" console via the "Attribute Editor" tab, or via PowerShell. Here is an example:

Active Directory - msDS-UserPasswordExpiryTimeComputed

The value of this attribute cannot be modified directly, because it is a constructed attribute: its value is computed from other attributes (notably pwdLastSet) and objects. Full details of this attribute are available in the Microsoft documentation:

This information is also visible with the legacy "net user" command, by specifying a user name and looking at the "Password expires" field. Here is an example with the user "guy.mauve":

net user guy.mauve /domain

However, I find the value of the Active Directory attribute more reliable than the one returned by this command.

With PowerShell, you can display the password expiration date for a set of users with this command:

# Enabled accounts whose password can expire; the constructed attribute must be requested explicitly with -Properties
# (the original used a typographic en-dash before Properties, which is replaced here by a regular hyphen)
Get-ADUser -Filter { (Enabled -eq $True) -and (PasswordNeverExpires -eq $False) } -Properties "DisplayName", "mail", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "DisplayName", "mail", @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}

This command returns information for all enabled users whose password has an expiration date. Here is an example of the output:

Active Directory - Password expiration date

III. Password expiration: email notification

E-mail remains a preferred and effective communication channel in business, even though other solutions such as Microsoft Teams exist. Sending an e-mail notification to users a few days before their password expires lets you communicate with them directly and automatically.

Now let's look at the PowerShell script, which is available on my GitHub: you can reuse it as is or adapt it to your liking. To use this script, named "Send-ADPasswordExpirationNotifications.ps1", you only need to modify these few variables:

# Number of days before expiration at which the notification is sent
$DateThreshold = 7

# SMTP server - server name
$SMTPServer = "smtp.domaine.fr"

# SMTP server - port number
$SMTPPort = 25

# SMTP server - sender e-mail address
$SMTPSender = "[email protected]"

# SMTP server - e-mail encoding
$SMTPEncoding = [System.Text.Encoding]::UTF8

# Send a summary to the administrators
[boolean]$SendReportAdmin = $true

# Recipient e-mail address for the summary
$SendReportAdminEmail = "[email protected]"

You can adapt the script to support SSL and/or credentials in the Send-MailMessage commands (used to send the e-mails), depending on your environment. You can also add the "-Cc" option with your own e-mail address if you want to receive a copy of the e-mail sent to each user.

When this script runs, it retrieves the password expiration date for all enabled users whose "Password never expires" option is unchecked. Then:

  • If the notification threshold is set to "7", an e-mail is sent to the user if their password expires within 7 days or less.
  • If the password has already expired, no notification is sent.

Each user will receive a notification similar to this:

Notification e-mail - Active Directory password expiration

The IT department receives an e-mail summary with the list of users whose password will expire soon. This e-mail is sent only if "$SendReportAdmin = $true", so you can enable or disable this additional report.

Active Directory - Summary of notifications for admins
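The notification logic described above (threshold, skipping already-expired passwords, admin summary), written out as an added example that is not the author's Send-ADPasswordExpirationNotifications.ps1. It assumes the RSAT ActiveDirectory module is installed and an SMTP relay accepts mail from this host; the server, sender and admin addresses are placeholders.

```powershell
# Added example (not the author's script): AD password expiration notifications.
# Assumptions: ActiveDirectory module available; smtp/example.com addresses are placeholders.
Import-Module ActiveDirectory

$DateThreshold        = 7                      # notify when the password expires within N days
$SMTPServer           = 'smtp.example.com'
$SMTPPort             = 25
$SMTPSender           = 'noreply@example.com'
$SMTPEncoding         = [System.Text.Encoding]::UTF8
$SendReportAdmin      = $true
$SendReportAdminEmail = 'it-admins@example.com'

$Now      = Get-Date
$Notified = @()

# Same user set as the Get-ADUser command in section II
$Users = Get-ADUser -Filter { (Enabled -eq $true) -and (PasswordNeverExpires -eq $false) } `
             -Properties DisplayName, mail, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($User in $Users) {
    $Raw = $User.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = password must be changed at next logon; Int64.MaxValue = never expires (e.g. through a
    # fine-grained policy). Neither is a real date, and FromFileTime would throw on the latter.
    if (-not $Raw -or $Raw -eq [long]::MaxValue) { continue }
    if (-not $User.mail) { continue }          # no address to notify

    $ExpiryDate = [datetime]::FromFileTime($Raw)
    if ($ExpiryDate -lt $Now) { continue }     # already expired: no notification

    $DaysLeft = [int][math]::Ceiling(($ExpiryDate - $Now).TotalDays)
    if ($DaysLeft -gt $DateThreshold) { continue }

    $Body = "Hello $($User.DisplayName),`n`nYour Active Directory password expires on " +
            "$($ExpiryDate.ToString('yyyy-MM-dd HH:mm')) ($DaysLeft day(s) left). " +
            "Please change it before that deadline."
    Send-MailMessage -SmtpServer $SMTPServer -Port $SMTPPort -From $SMTPSender -To $User.mail `
        -Subject "Your password expires in $DaysLeft day(s)" -Body $Body -Encoding $SMTPEncoding

    $Notified += [pscustomobject]@{
        User = $User.SamAccountName; Mail = $User.mail; ExpiryDate = $ExpiryDate; DaysLeft = $DaysLeft
    }
}

# Optional summary for the IT department, listing who was notified and when their password expires
if ($SendReportAdmin -and $Notified.Count -gt 0) {
    $Report = $Notified | Sort-Object DaysLeft | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SMTPServer -Port $SMTPPort -From $SMTPSender -To $SendReportAdminEmail `
        -Subject "Password expiration report: $($Notified.Count) user(s)" -Body $Report -Encoding $SMTPEncoding
}
```

Run it once by hand with a test threshold and a single mailbox before scheduling it, so that a mis-set SMTP relay or encoding shows up in your own inbox rather than in every user's.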

The script is available here:

For these notifications to be sent automatically, this script must be run from a scheduled task. On the domain controller holding the FSMO roles it will be fine, in my opinion. As for the account used to run the scheduled task, a gMSA is recommended.

The action to launch will look like this:

powershell.exe -File "C:\Scripts\Send-ADPasswordExpirationNotifications.ps1"

Like this:

PowerShell Script - Scheduled Task
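The same scheduled task registered from PowerShell instead of the GUI, as an added example that is not part of the original article. The gMSA name, domain and schedule are assumptions; the gMSA must already exist and have been installed on this host (Install-ADServiceAccount), and it needs the "Log on as a batch job" right.

```powershell
# Added example: register the task so that it runs under a gMSA (assumed name DOMAIN\svc_pwdnotify$).
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
              -Argument '-File "C:\Scripts\Send-ADPasswordExpirationNotifications.ps1"'

# Once a day is enough: the threshold is expressed in days
$Trigger = New-ScheduledTaskTrigger -Daily -At '08:00'

# LogonType Password with no password supplied: Windows retrieves the gMSA's managed password itself.
# RunLevel Limited: the script only reads AD and sends mail, so it needs no elevation.
$Principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\svc_pwdnotify$' -LogonType Password -RunLevel Limited

Register-ScheduledTask -TaskName 'AD Password Expiration Notifications' `
    -Action $Action -Trigger $Trigger -Principal $Principal
```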

If you are not very comfortable with this part of the setup, check out these two articles:

IV. Conclusion

With this script in place, your users are notified that their password will expire soon and can reset it before the deadline stated in the e-mail.

If you have any suggestions for improving the script "Send-ADPasswordExpirationNotifications.ps1", please let me know.
