Active Directory Password Expiry Reminder Email

If you have managed an Active Directory installation with a large number of users who connect to the network infrequently, you may have faced the problem where a user's password expires while they are away from the network, which may leave them unable to reset the password remotely.

I recently was in this situation and had to write a script to notify users of an impending password expiry. Here is what the script does:

The script queries your domain for all users and reads each user's last password change date. That value is compared against your max password age value, and the script then sends the user an email reminder that their password is about to expire in x days. The reminder is sent 9, 6 and 3 days before the actual password expiry date, giving the user enough time to reset the password before it expires.

You can schedule the script to run every day, in which case you will need a simple batch file to call the script and, ideally, log its output to a file. The script can be run under the system account. Save the following line as a batch file to call the script:

cscript "Path\to\the\vbs\script" > PwdExpyEmail.log

You can download the script here.

Note: You will have to edit the values between the **** markers to suit your environment.
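The blog's VBScript is only linked above, not shown, so here is an added Python example (not the author's code) of the decision logic the post describes: convert pwdLastSet from its Windows FILETIME representation, work out how many days remain against the max password age, and fire only on the 9/6/3-day checkpoints. It goes slightly beyond the post by also skipping accounts flagged "password never expires" or with pwdLastSet = 0, and by reporting already-expired passwords as their own category; the directory query and the SMTP send are out of scope, and the accounts are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: "password never expires"
REMINDER_DAYS = (9, 6, 3)       # checkpoints used by the blog's script

def filetime_to_datetime(filetime):
    """pwdLastSet is stored as 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    # Integer arithmetic so large FILETIME values stay exact.
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def days_until_expiry(pwd_last_set, max_age_days, now):
    """Whole days left; None when pwdLastSet is 0 (must change at next logon)."""
    if pwd_last_set == 0:
        return None
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return (expires.date() - now.date()).days

def classify(user, max_age_days, now):
    """Decide what today's run should do for one account."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return "never-expires"          # no reminder makes sense
    left = days_until_expiry(user["pwdLastSet"], max_age_days, now)
    if left is None:
        return "must-change"
    if left <= 0:
        return "expired"                # candidate for a separate "how to reset" mail
    if left in REMINDER_DAYS:
        return "remind-%d" % left       # send the reminder email today
    return "ok"                         # nothing to do on this run

def select_reminders(users, max_age_days, now):
    return {u["sAMAccountName"]: classify(u, max_age_days, now) for u in users}

# Constructed sample directory (not real accounts); max password age is 45 days.
SAMPLE_NOW = datetime(2024, 3, 15, 10, 0, tzinfo=timezone.utc)
def _set(days_ago):
    return datetime_to_filetime(SAMPLE_NOW - timedelta(days=days_ago))
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": _set(36), "userAccountControl": 0x200},
    {"sAMAccountName": "bob",   "pwdLastSet": _set(42), "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "pwdLastSet": _set(50), "userAccountControl": 0x200},
    {"sAMAccountName": "dave",  "pwdLastSet": 0,        "userAccountControl": 0x200},
    {"sAMAccountName": "erin",  "pwdLastSet": _set(36), "userAccountControl": 0x10200},
    {"sAMAccountName": "frank", "pwdLastSet": _set(0),  "userAccountControl": 0x200},
]

def demo():
    return select_reminders(SAMPLE_USERS, 45, SAMPLE_NOW)
```

Running `demo()` on the sample data yields a reminder for alice (9 days) and bob (3 days), marks carol as expired, and sends nothing to dave, erin or frank, who changed his password today.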

24 thoughts on “Active Directory Password Expiry Reminder Email”

  1. Sheen,
    Were you able to get this working?
    Is there a way to have this send out only to users that I know use webmail only and don't log into the network ever? That's my issue and why I need this. I don't want to send this to everyone because I want to attach or put directions in it on how to change their PW via OWA.

    I have the same situation and would love for this to work.

    Thanks!

  2. I’m not sure why that error would come up, it seemed to run just now without any issues on my test server. The object has been defined and is being called properly. It might be a red herring. You can ignore it if you have tested it and found that it is working as expected.

    Hi Sheen. Thanks for the script. Everything appears to work even though I get the error message below:
    C:\scripts\PasswordExpiryEmail.vbs(57, 3) Microsoft VBScript runtime error: Object required: 'pwdLastSet'
    Do you know why? This is for Windows Server 2008. The email notification still works as expected, so I am willing to ignore it if you don't see any problems with the runtime error.

  4. Joey,
    You should be able to create a manual list that the script checks against before deciding whom to email. I will see if I can test this out for you. Let me know if you have a working solution before I post one.

    Sheen.

  5. Is there a way to have this send out only to users that I know use webmail only and don't log into the network ever? That's my issue and why I need this. I don't want to send this to everyone because I want to attach or put directions in it on how to change their PW via OWA.

    Thanks

  6. Thanks Sheen,

    I tested it again today, and looked for a user whose password was going to expire in 9 days, and it did in fact send the email! :)

    Just another question(s): when I try running cscript "Path\to\the\vbs\script" > %DATE%%TIME%.log it only produces the log file with the day, e.g. "Wed", and it also does not add the .log extension? Any clue why it would do that?

    And last question, did Rob P ever send a copy of his modified script?

    Thanks Again.

  7. Hi Helder,
    The password reminder emails are sent 9, 6 and 3 days before the password expires; since neither of these users hit those checkpoints, the script doesn't send an email. This is only a problem the very first time you run the script. If it is scheduled to run every day, the user would get an email as designed at 9, 6 and 3 days. Keep an eye on the logs and let me know if this works as expected.

    Sheen.

  8. Hello,

    I was trying to run your script, and it seems to run. But when looking at the log I noticed users whose passwords were changed 8 days ago are on that list? Also, after running it I see in the log a user of mine that says their password was changed 43 days ago is not receiving any emails? (My Max Password Age is 45 days.) So I'm not sure what I'm doing wrong; this is what I have at the top of my script:
    PasswordExpiry=45
    strRootDomain="dc=MYDOMAIN,dc=COM"
    strFromEmailAdd="Password.Expiry@MYDOMAIN.COM"
    strSMTPServerName="EXCH.MYDOMAIN.COM"
    strSMTPServerPort=25

    Not sure if the "strFromEmailAdd" actually needs to exist; I even tried the IP of my SMTP server as well. Also, I left the quotation marks on.

    Thanks for any help you can provide.

  9. Hi vijay,
    I'm doing fine. Hope you are well. Copy the script to a folder and then run it from the command line using 'cscript c:\scriptname.vbs'; that should work. Let me know.
    Sheen

  10. Hi Sheen, hope you are doing well. I get the below error when I tried the script using a scheduled task. If I go to the command prompt and run the vbs file, it gives me a lot of popups notifying of each user in the domain. Can you help? Thanks for the script.
    Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    Input Error: There is no script engine for file extension ".vbs".

  11. Great Script!

    I made a few tweaks:

    objMessage.Bcc = "email@domain.com" - This BCCs me on all emails to end users who get a reset warning.
    objMessage.AddAttachment "c:\passwordpolicy.pdf" - Toss in how-to instructions for users.
    objMessage.HTMLBody = "" - This allows you to format the email as HTML (still working on getting an image embedded into the message...)

    Thanks!!!

  12. @Eriq,
    To test, you can do this: tweak the max password age value in the script to a value lower than your current domain password expiry age, then set the Reminderage value to a lower value and run the script each time you change the value.
    This should allow you to see results right away.

    Let me know if you were able to test successfully (it just works for the most part :))

    Sheen.

  13. Thanks for the awesome script – this will really help me to keep my remote users in-line. I have a couple questions though…

    First, how can I test to make sure this is working. The logs look right, it shows the usernames and when the password was last changed, but it doesn’t tell me which ones it sent an email to? Unless I have users whose passwords expire in EXACTLY 3, 6, or 9 days – how can I test???

    Second, is it possible to set it to fire an email when the password has already expired? If so, I could make a 2nd script/task that would email them instructions on how to reset it once it has expired.

    Thanks again – I look forward to hearing back from you soon…
    ~Q~

  14. @Mike,
    Sorry for the delay in replying…
    Yes, there is a simple way of getting that done.
    Instead of this:
    cscript "Path\to\the\vbs\script" > PwdExpyEmail.log
    Use:
    cscript "Path\to\the\vbs\script" > %DATE%%TIME%.log
    This will create a new log file every run, with the date and time stamp of the run time.

    Sheen.

  15. This script is fantastic. Is there an easy way to modify the script or batch file to rename the log file so that it doesn't get overwritten, or to just email the output to the help desk?

  16. I must have had a typo first time through. Redid the batch file and all is well.

    Thank you

  17. @Mike,
    Can you try this: cscript "Path\to\the\vbs\script" > PwdExpyEmail.log
    This should properly execute the script.
    I think right now, you are executing the script by double clicking on it.
    Do try this and let me know.

    Sheen.

  18. Thanks for the reply. I have changed the 3 to 180. I see nothing in the log, rather I get 3 screen popups for each account from Windows Script Host. The first gives the user name and email information. Second is Password last changed date and time. Third is password changed X number of days ago. Previously, I also saw a popup stating an expired user was emailed. I have to manually clear each popup.

    Thanks, Mike T

  19. @Mike,
    You will need to edit the value of PasswordExpiry=3 to a value that matches the actual ‘Max Password Age’ value for your domain.
    Could you let me know what ‘screen popups’ we are talking about?
    I just tested the script again and found that all email events are getting logged.
    Do let me know if nothing is getting logged at all.

    Sheen.

  20. Hi,

    I have run your script. It notifies users who have just changed their password today (0 days). Is there a way to modify the script to prevent this? Also, how can I turn off the screen popups? I had 2 users who had just changed their password and received an email. These events were not logged.

    Thanks for any help,

    Mike T
