In my environment, i have a lot of users, which never comes to the office, but need remote access to the company network. for this they have an AD user account, which password will expires for company policy after 90 days. Cause they never logon to a domain computer, they didn’t get the “Change Password Request” when the password expires. So they will have at one day an blocked account, but needing it for syncing mobile phone or remote access over VPN. So i wrote a litle script which will notify every user per Mail about the expiring password:
You can dowload the script UserNotification-PasswordExpiration.vbs or copy/paste it from here:
' =========================================================================================== ' ' Script Information ' ' Title: UserNotification-PasswordExpiration.vbs ' Author: Josh Burkard ' Date: 01.07.2011 ' Description: - Notify AD-users X days before password expiration through email ' ' - you have to set this five variables: ' - days to notify Users before password expiration ' - OU's ' - sender-address ' - mail-server ' - domain (line 29) ' =========================================================================================== Const intMinDays = 10 strOUs = Array ( "OU=OU1,DC=domain,DC=local", "OU=OU2,DC=domain,DC=local") Const strMailFrom = "it@domain.org" Const strMailServer = "mail.domain.org" Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D Const ONE_HUNDRED_NANOSECOND = .000000100 Const SECONDS_IN_DAY = 86400 ' Get MaxPasswordAge ' Set objDomain = GetObject("LDAP://DC=domain,DC=local") Set objMaxPwdAge = objDomain.Get("maxPwdAge") If objMaxPwdAge.LowPart = 0 Then ' The Maximum Password Age is set to 0 in the domain. Therefore, the password for all users does not expire. WScript.Quit Else dblMaxPwdNano = Abs(objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart) dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY) End If For Each strOU In strOUs ' Create connection to AD ' Set objConnection = CreateObject("ADODB.Connection") objConnection.Open "Provider=ADsDSOObject;" ' Create command ' Set objCommand = CreateObject("ADODB.Command") objCommand.ActiveConnection = objConnection ' Execute command to get all users in OU ' objCommand.CommandText = "<LDAP://" & strOU & ">;(&(objectclass=user)(objectcategory=person));adspath,distinguishedname,sAMAccountName;Mail;subtree" Set objRecordSet = objCommand.Execute On Error Resume Next ' Show info for each user in OU ' Do Until objRecordSet.EOF ' Show required info for a user ' strUserDN = objRecordSet.Fields("distinguishedname").Value Set objUser = GetObject("LDAP://" & strUserDN) If instr(lcase(objUser.distinguishedName), "ou=users inactive") = false AND instr(lcase(objUser.distinguishedName), "ou=service accounts") = false AND instr(lcase(objUser.distinguishedName), "ou=public") = false Then ' The User is not in one of the special OU intUserAccountControl = objUser.Get("userAccountControl") If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then ' The password does not expire. Else ' WScript.Echo "The password expires." dtmValue = objUser.PasswordLastChanged If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then ' The password has never been set Err.Clear() Else ' The passord has been set and will expire intDaysTillExpiration = Int(dtmValue - Now + dblMaxPwdDays) If intDaysTillExpiration = 10 Then ' The password will expire in 10 days. The user will be notified. SendNotification objUser.Get("givenName") & " " & objUser.Get("sn"), objUser.Get("mail"), intDaysTillExpiration, DateValue(dtmValue + dblMaxPwdDays) & " / " & TimeValue(dtmValue + dblMaxPwdDays) End If End If End If End If ' Move to the next user ' objRecordSet.MoveNext Loop ' Clean up ' objRecordSet.Close Set objRecordSet = Nothing Set objCommand = Nothing objConnection.Close Set objConnection = Nothing Next Function SendNotification (strName, strEmail, intDaysTillExpiration, strDate) Set objEmail = CreateObject("CDO.Message") objEmail.From = strMailFrom objEmail.To = strEmail objEmail.Subject = "Windows-Kennwort" objEmail.Textbody = "Hello " & strName & Chr(13) & Chr(10) & Chr(13) & Chr(10) & _ "Your windows password will expire in " & intDaysTillExpiration & " days. After this you can't use it anymore and can't logon to the Company XYZ network. " & Chr(13) & Chr(10) & _ "Please change your password at any windows computer inside the Company XYZ network before " & strDate & "." & Chr(13) & Chr(10) & Chr(13) & Chr(10) & _ "For any questions or problems, please contact your IT departement " & strMailFrom objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strMailServer objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 objEmail.Configuration.Fields.Update objEmail.Send Set objEmail = Nothing End Function