Email Notification of Impending Password Expiration


uxphr3ak

IS-IT--Management
Dec 7, 2007
1
US
For those admins who would like to notify their users, via e-mail, that their passwords will be expiring in X days, feel free to use the following script.

I had a mixed bag of accounts that were new and old and wanted to implement a GPO that enforced Password Expiration; however, the problem I ran into was that the older accounts would have been locked immediately, which would have caused my phone to ring off the hook.

My solution was to notify my users via e-mail that their password was going to expire in 14 days using vbScript.

Feel free to make suggestions, but be forewarned that I am a n00b to vbScript, and programming in general, so please provide constructive criticism.

*****************

'==========================================================================
'
' NAME: PswdExpireEmail.vbs
'
' AUTHOR: David Varela, vbScript N00b
' DATE: 12/07/2007
' VERSION: 1.0
'
' COMMENT: Determine when a user's password was last changed, and if the password
' is 14 days from expiring send him/her an e-mail advising their password
' must be changed. The logic defines variables for the user's sAMAccountName,
' DistinguishedName, mail, and DisplayName values, and identifies the OU the
' user is contained in. If the user does not have an e-mail address, their
' supervisor, identified by the OU the user exists in, will be sent an e-mail
' regarding the user's password expiration status. If the user does not change
' their password before the day it is set to expire, their account will be set
' to change their password on the day it is set to expire. If the user does
' not change their password on or before the date it is set to expire, the
' account will be disabled.
'
'==========================================================================
'Errors are not fatal, so Err is checked explicitly before any account is evaluated or modified
On Error Resume Next
strComputer = "."
'''''''''''''''''''''''''''
Const ADS_SCOPE_SUBTREE = 2
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

'Create an Array of sAMAccountNames that you wish to exclude from being evaluated by this script
'''''''''''''''''''''''''''
Dim UserArray(0) 'The value in parentheses is the highest index, i.e. the total Qty of items in the array minus 1

UserArray(0) = "GAK" 'Replace GAK with the sAMAccountName of the user to exclude. Increment the value in parentheses for each
                     'item in the Array
'''''''''''''''''''''''''''
'ADO is used to access Active Directory. This should not be changed
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://rootDSE")

DomainString = objRootDSE.Get("dnsHostName")

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

'''''''''''''''''''''''''''
'The SELECT statement retrieves each user's DisplayName, Mail, DistinguishedName, and sAMAccountName values for all users in
'Active Directory
objCommand.CommandText = "SELECT DisplayName,mail,DistinguishedName,sAMAccountName FROM 'LDAP://dc=<DOMAIN>,dc=<COM>'" & _
    " WHERE objectCategory='user'" 'Be sure to specify your Domain information in DC=<>,DC=<>
Err.Clear
Set objRecordSet = objCommand.Execute

'Stop here if the query failed; otherwise the loop below would run against an invalid record set
If Err.Number <> 0 Then
    WScript.Echo "Active Directory query failed: " & Err.Description
    WScript.Quit 1
End If

'The meat of the logic is defined in the following DO Loop.
'This loop will execute for each user in AD, except for those specified in UserArray
If Not objRecordSet.EOF Then
    objRecordSet.MoveFirst
End If
Do Until objRecordSet.EOF
    strUser = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("DistinguishedName").Value
    strMail = objRecordSet.Fields("mail").Value
    strFullName = objRecordSet.Fields("DisplayName").Value

    'The second component of the DN is taken as the user's OU (the "OU=" or "CN=" prefix is stripped)
    arrPath = Split(strDN, ",")
    intLength = Len(arrPath(1))
    intNameLength = intLength - 3
    strOU = Right(arrPath(1), intNameLength)

    i = 1

    'This is where the user will be checked against UserArray.
    'If the user exists in the array, flag it for exclusion
    'sAMAccountName is not case-sensitive, so compare in lower case
    For Each b In UserArray
        If LCase(b) = LCase(strUser) Then
            i = 0
        End If
    Next

    'If the user is not in UserArray, perform the Password Expiration check
    If i <> 0 Then
        'Reset per-user state so a failed lookup can never reuse the previous user's object or date
        Err.Clear
        Set objUserLDAP = Nothing
        dtmValue = Empty
        Set objUserLDAP = GetObject("LDAP://" & strDN)
        intCurrentValue = objUserLDAP.Get("userAccountControl")
        dtmValue = objUserLDAP.PasswordLastChanged 'The latest date the user changed her/his password

        If Err.Number <> 0 Then
            'The account could not be read (for example, the password has never been set): take no action
            WScript.Echo "Skipping user " & strUser & ": " & Err.Description
            Err.Clear
        ElseIf intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
            'If the user's password is set to not expire then do not do anything further
            WScript.Echo "The password for user " & strUser & " was set to not expire."
        Else
            strDays = DateDiff("d", Now, "12/21/2007") 'Specify which date you wish to evaluate against
            str90Days = Int(Now + strDays - 90) 'Determines what date is 90 days before the date specified above
            If DateValue(dtmValue) < str90Days And strDays > 0 Then
                'If the user's password will expire on the date you specified AND today is
                'before that date, send the user an e-mail.
                If Not IsNull(strMail) And strMail <> "" Then
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strMail
                    objEmail.Subject = "Password about to expire."
                    objEmail.Textbody = "Your password will expire in " & strDays & " days. Please change your" & _
                        " password before December 21st to avoid being restricted from the Domain. If you have" & _
                        " any questions please contact the IT Department."
                    objEmail.Send
                Else 'If the user does not have an e-mail address, send an e-mail to their supervisor
                    If strOU = "<OU Name1>" Then
                        strTo = "<Supervisor1 e-mail address>"
                    ElseIf strOU = "<OU Name2>" Then
                        strTo = "<Supervisor2 e-mail address>"
                    Else
                        strTo = "<IT e-mail address>"
                    End If
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strTo
                    objEmail.Subject = "Password about to expire for " & strFullName & "."
                    objEmail.Textbody = strFullName & "'s password will expire in " & strDays & " days." & _
                        " Please advise her/him that she/he must change her/his password before December 21st to" & _
                        " avoid being restricted from the Domain. If you have any questions please contact the" & _
                        " IT Department."
                    objEmail.Send
                End If
            ElseIf DateValue(dtmValue) < str90Days And strDays = 0 Then
                'If the user's password will expire at the end of the day today, set their
                'account to change the password on next logon.
                objUserLDAP.Put "PwdLastSet", 0
                objUserLDAP.SetInfo
                If Err.Number <> 0 Then
                    WScript.Echo "Could not update user " & strUser & ": " & Err.Description
                    Err.Clear
                Else
                    WScript.Echo "User " & strUser & "'s account has been set to change password upon next logon."
                End If
            ElseIf DateValue(dtmValue) < str90Days And strDays < 0 Then
                'If the user's password was set to expire on the date specified and that date has passed,
                'disable the user's account by setting its expiration date to yesterday.
                strYstrDay = DateAdd("d", -1, Date)
                objUserLDAP.AccountExpirationDate = strYstrDay
                objUserLDAP.SetInfo
                If Err.Number <> 0 Then
                    WScript.Echo "Could not update user " & strUser & ": " & Err.Description
                    Err.Clear
                Else
                    WScript.Echo "User " & strUser & "'s account has been disabled due to expired password."
                End If
            Else 'If this user's password has been changed recently, do not do anything
                WScript.Echo strFullName & "'s password was last changed on " & DateValue(dtmValue)
            End If
        End If
    End If
    objRecordSet.MoveNext
Loop

'Release the command's connection before the command object itself, then close the connection
Set objCommand.ActiveConnection = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing
Set objRootDSE = Nothing
Set objRecordSet = Nothing
Set objUserLDAP = Nothing
Set objEmail = Nothing

WScript.Quit
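
An added example, not part of the original post: the script's date checks pulled into a side-effect-free function, so the outcome for each account can be previewed with cscript before any e-mail is sent or any account is changed. The function name, the action labels and the sample accounts are hypothetical and constructed for illustration; the 90-day window and the 12/21/2007 enforcement date are the ones the post uses.

```vbscript
Option Explicit
' Added example: hypothetical names, constructed data, no AD access.
Const MAX_PWD_AGE_DAYS = 90   ' same 90-day window the script uses

' Returns the action the script would take for one account on dtmToday.
' dtmEnforce is the enforcement date ("12/21/2007" in the post).
Function ClassifyAccount(dtmLastChanged, blnNeverExpires, dtmEnforce, dtmToday)
    Dim intDaysLeft, dtmOldest
    If blnNeverExpires Then
        ClassifyAccount = "SKIP"
    ElseIf Not IsDate(dtmLastChanged) Then
        ' No readable last-change date: never act on the account automatically
        ClassifyAccount = "REVIEW"
    Else
        intDaysLeft = DateDiff("d", dtmToday, dtmEnforce)
        dtmOldest = DateAdd("d", -MAX_PWD_AGE_DAYS, dtmEnforce)
        If DateValue(dtmLastChanged) >= dtmOldest Then
            ClassifyAccount = "NONE"          ' changed recently enough
        ElseIf intDaysLeft > 0 Then
            ClassifyAccount = "NOTIFY"        ' e-mail the user or supervisor
        ElseIf intDaysLeft = 0 Then
            ClassifyAccount = "FORCE_CHANGE"  ' change password at next logon
        Else
            ClassifyAccount = "EXPIRE"        ' account expiration date set
        End If
    End If
End Function

' Constructed sample accounts: name, last password change, never-expires flag
Dim arrSample, arrDates, acct, dtmToday, dtmEnforce
dtmEnforce = DateSerial(2007, 12, 21)
arrSample = Array( _
    Array("alice", DateSerial(2007, 11, 1), False), _
    Array("bob", DateSerial(2007, 6, 15), False), _
    Array("svc_backup", DateSerial(2005, 1, 1), True), _
    Array("newhire", Empty, False))
' Preview the outcome before, on and after the enforcement date
arrDates = Array(DateSerial(2007, 12, 7), dtmEnforce, DateSerial(2007, 12, 22))
For Each dtmToday In arrDates
    WScript.Echo "--- run date " & dtmToday & " ---"
    For Each acct In arrSample
        WScript.Echo acct(0) & ": " & _
            ClassifyAccount(acct(1), acct(2), dtmEnforce, dtmToday)
    Next
Next
```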
 