Script to email users of AD password expiration

December 14, 2023

by Jamie Poindexter | Oct 26, 2022 | Jamie's Tech Corner, Our blog

Consistently updating passwords is something we know needs to be done, but most of us don't do it. Active Directory lets you set a policy in Group Policy Management that determines how often users must reset their password, what other requirements the password must meet, and when to remind users that a reset is due. The reason for this is obvious to IT people but not so much to end users. The balloon notification that appears at login is usually ignored or pushed to the back burner and ultimately forgotten, resulting in a support ticket once the password expires. I had this exact problem and found a script that I modified to send an email out to users who were approaching the reset (in my case 10 days out), so they were less likely to ignore it.

Check out this link from The Lazy Administrator: https://www.thelazyadministrator.com/2018/03/28/email-users-when-their-active-directory-password-is-set-to-expire-soon/

When the script is first run on the AD server, it asks for the SMTP details and the login for the account that will send the email to end users. That information is cached on the server, so you can then schedule the script with Task Scheduler to run on a regular basis without being prompted again.

One thing the Lazy Admin noted is that the AD users need an email address associated with each account you want to monitor. You will have to add the email address to the user's Details tab as well as the Attribute Editor tab and the proxyAddresses field. If you are using Azure AD Connect to sync the users to O365 this should already be set up, as it was in my case, so no changes were needed to AD. When you run the script, you can watch it check each account, and if one doesn't have an email address you will see a line entry for it.

The script can also be modified to change how far ahead of the reset it sends the email.
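To make the mechanics concrete, here is an added example of the same idea written from scratch; it is not the Lazy Admin script linked above nor Jamie's modified copy. It assumes a domain-joined server with the ActiveDirectory module, an account that can read user attributes, and placeholder SMTP server, port, sender address and credential-file path that you would replace with your own. It reads the per-user `msDS-UserPasswordExpiryTimeComputed` attribute (which already accounts for fine-grained password policies), caches the SMTP credential with `Export-Clixml` the first time it runs, logs accounts that have no `mail` attribute instead of silently skipping them, and emails everyone inside the reminder window.

```powershell
# Added example: not the script the post links to, nor the author's modified version.
# Assumptions: ActiveDirectory module is available, the running account can read user
# attributes, and the SMTP server/port/sender/credential path below are placeholders.
Import-Module ActiveDirectory

$DaysBeforeExpiry = 10                       # send once expiry is within this many days (the post uses 10)
$SmtpServer       = 'smtp.example.com'       # placeholder
$SmtpPort         = 587                      # placeholder
$From             = 'it-notify@example.com'  # placeholder
$CredPath         = Join-Path $env:ProgramData 'PasswordExpiryNotifier\smtp.cred.xml'  # assumed path

# First run: prompt for the SMTP credential and cache it. Export-Clixml protects the
# password with DPAPI, so the file decrypts only for the same Windows account on the same
# machine; that is what lets a scheduled task running as that account reuse it silently.
if (-not (Test-Path $CredPath)) {
    New-Item -ItemType Directory -Path (Split-Path $CredPath) -Force | Out-Null
    Get-Credential -Message 'SMTP account used to send password reminders' |
        Export-Clixml -Path $CredPath
}
$SmtpCred = Import-Clixml -Path $CredPath

# Enabled users whose password can expire. msDS-UserPasswordExpiryTimeComputed is a
# constructed attribute that already applies fine-grained password policies, so there is
# no need to recompute from maxPwdAge and PasswordLastSet.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "no expiry" for this account; skip those.
    if (-not $raw -or $raw -eq 0 -or $raw -eq [long]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [int][math]::Ceiling(($expires - $now).TotalDays)
    if ($daysLeft -gt $DaysBeforeExpiry) { continue }   # not yet inside the reminder window

    # The post's caveat: an account without a mail attribute cannot be notified.
    # Log it so the admin can fix the attribute rather than losing the reminder.
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        Write-Warning "$($u.SamAccountName): password expires in $daysLeft day(s) but has no email address"
        continue
    }

    if ($daysLeft -lt 0) {
        $subject = 'Your network password has expired'
        $when    = "expired on $($expires.ToShortDateString())"
    } else {
        $subject = "Your network password expires in $daysLeft day(s)"
        $when    = "expires on $($expires.ToShortDateString())"
    }

    $body = @"
Hello $($u.GivenName),

Your Active Directory password $when. Please change it before then to avoid losing access.
Press Ctrl+Alt+Del and choose "Change a password" while connected to the office network or VPN.

This is an automated reminder from IT.
"@

    Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -UseSsl -Credential $SmtpCred `
                     -From $From -To $u.mail -Subject $subject -Body $body
    Write-Host "Reminder sent to $($u.mail) ($daysLeft day(s) left)"
}
```

Run it once interactively as the account the scheduled task will use so the credential file is created under that account's DPAPI key; if the task later runs as a different account, `Import-Clixml` will fail to decrypt the password and you will need to recreate the file. Changing `$DaysBeforeExpiry` is the only edit needed to widen or narrow the reminder window.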