Zachary Loeber

Powershell: New-ADPasswordReminder

A single, self-extracting, self-scheduling AD password-change notice PowerShell script.

One of the great things about sharing PowerShell code is that it can be expanded upon by the community. Here is a case where I’ve taken someone else’s great work and made it (hopefully) a little bit better.

Description

This script notifies users that their password is about to expire. I’ve taken the work done by others and added some features to make it easier to schedule and manage.

The overall changes to the original script were meant to let it be run several times (once per threshold) so that notifications go out in a less spammy way. For example:

  1. 7 Days until the password will expire -> Send a warning (yellow) email notice
  2. 3 Days until the password will expire -> Send an alert (red) email notice
  3. 1 Day until the password will expire -> Send a final alert (red) notice

I’ve also made numerous readability and other feature additions. This includes (but is not limited to):

  1. Ability to distribute the script in 1 file and self-extract the gif files used in the notices.
  2. Total rewrite of the notice generation to be a bit more centralized (and therefore easier to locate and customize if needed)
  3. Elimination of global variables
  4. Conversion of all local variables into parameters
  5. Self-referencing scheduled task installation routine (schedules the task with the same parameters the script itself was passed)
  6. A ‘LooseMatching’ mode to facilitate exact matching.
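As an added example (not the New-ADPasswordReminder script's own code), here is how the 7/3/1 notice tiers listed above and the LooseMatching mode can be implemented in PowerShell. It assumes the ActiveDirectory module is installed and that the run has read access to user objects; the function names Get-PasswordNoticeTier and Get-UsersDueForNotice are my own.

```powershell
# Added example, not the New-ADPasswordReminder script: decide which notice each user gets today.
# Assumes the ActiveDirectory module is available; tier thresholds follow the 7/3/1 scheme above.
Import-Module ActiveDirectory

function Get-PasswordNoticeTier {
    # Returns the notice tier for a password expiring on $ExpiryDate, or $null if none is due today.
    param(
        [Parameter(Mandatory)][datetime]$ExpiryDate,
        [datetime]$Now = (Get-Date),
        [switch]$LooseMatching   # "N days or fewer left" instead of "exactly N days left"
    )
    # Most urgent tier first, so loose matching picks the strongest applicable notice.
    $tiers = @(
        @{ Days = 1; Name = 'final';   Colour = 'red'    },
        @{ Days = 3; Name = 'alert';   Colour = 'red'    },
        @{ Days = 7; Name = 'warning'; Colour = 'yellow' }
    )
    # Whole days left, rounded up so an expiry later today counts as 1 day rather than 0.
    $daysLeft = [int][math]::Ceiling(($ExpiryDate - $Now).TotalDays)
    if ($daysLeft -le 0) { return $null }   # already expired; the logon prompt handles that case
    foreach ($tier in $tiers) {
        if ($daysLeft -eq $tier.Days -or ($LooseMatching -and $daysLeft -le $tier.Days)) {
            return [pscustomobject]@{ DaysLeft = $daysLeft; Tier = $tier.Name; Colour = $tier.Colour }
        }
    }
    return $null
}

function Get-UsersDueForNotice {
    # Enabled, mail-enabled users whose password can expire, using the domain-computed expiry
    # (msDS-UserPasswordExpiryTimeComputed), which already accounts for fine-grained password policies.
    param([switch]$LooseMatching)
    $filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and mail -like "*"'
    Get-ADUser -Filter $filter -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means "no expiry computed"; FromFileTime would throw on the latter.
        if (-not $raw -or $raw -eq [long]::MaxValue) { return }
        $expiry = [datetime]::FromFileTime($raw)
        $notice = Get-PasswordNoticeTier -ExpiryDate $expiry -LooseMatching:$LooseMatching
        if ($notice) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName; Mail = $_.mail; Expires = $expiry
                DaysLeft = $notice.DaysLeft; Tier = $notice.Tier; Colour = $notice.Colour
            }
        }
    }
}

# Dry run: list who would be notified today without sending any mail.
Get-UsersDueForNotice | Format-Table -AutoSize
```

Run it as a dry run first and compare the list against what the scheduled notices actually send; with -LooseMatching a user who was missed on the 7-day run still gets the 7-day warning on the next run.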

If you want the dummy way of running this script, simply copy it to your server and run the following command:

Show-Command .\New-ADPasswordReminder.ps1

You then get a nice little GUI like this:

The examples below should be sufficient to get you started with this script.

In newer versions of Windows AD you can create managed service accounts, which remove yet another account password you have to keep track of in your environment. I’ve tested this script using an MSA and it seems to work just fine. Here are the steps you’d need to follow to update the scheduled tasks created by this script to use an MSA instead.

First you will need to set up your MSA. Replace anything in angle brackets as needed (Computer = the server you will be scheduling the tasks on):

Next, create your scheduled tasks like you normally would. When prompted for a user ID/password, put in your administrative account. This is only a temporary assignment until you update the task with the MSA.

This example will schedule a password change notification 7 days before it needs to be changed.

You will need to update the computer where the scheduled tasks will run to grant the MSA some local rights. Here is a handy script to do just that (notice the MSA name includes the $ at the end).

Now that you have your starting scheduled task, you will need to update it to use the MSA. In this example I create a new scheduled task like the existing one, but using the MSA instead.

I think you can just update the task with the MSA and an empty password as well:

And that’s all there is to it really. The scheduled task will run if all the local rights are set and you prayed to the correct IT gods and the phase of the moon is just right.

GitHub Project Site: https://github.com/zloeber/New-ADPasswordReminder

Original Script Site: http://www.ehloworld.com/318