
PowerShell AD用户密码过期脚本更新版

#######################################
# Writes the pipeline input to a log file, one line per object.
# Arguments: $output  - path of the log file
#            $initLog - $True starts a fresh file (truncate); anything else appends
# Pipeline:  the objects piped into the function are the text that gets written
# Outputs:   nothing on the pipeline
#######################################
Function LogFile ($output, $initLog)
{
  $fileArgs = @{
    FilePath = $output
    Encoding = 'default'
    Width    = 17384
  }
  # Only the initialising call truncates; every later call extends the existing file
  if ($initLog -ne $True)
  {
    $fileArgs.Append = $true
  }
  $input | Out-File @fileArgs
}
  

  
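#######################################
# Mails the accumulated report to an administrator and logs a failed send.
# Arguments: $LogConent   - report text (parameter name kept as-is; callers pass -LogConent)
#            $LogPath     - log file that records a send failure
#            $MailAddress - recipient address
# Outputs:   nothing on the pipeline; a failed send is written to the console and $LogPath
#######################################
function Send-Report
{
  param($LogConent,$LogPath,$MailAddress)
  try
  {
    # -ErrorAction Stop makes the cmdlet's error terminating so the catch below actually runs;
    # with 'SilentlyContinue' the catch was unreachable and a failed report vanished without a trace.
    # NOTE(review): this is unauthenticated SMTP on port 25 with no -UseSsl; the relay at
    # mail.contoso.com must restrict who may submit mail as NO-Reply@contoso.com — confirm.
    Send-MailMessage -From "NO-Reply@contoso.com" -To $MailAddress -Subject 'Contoso Password check report' -Body $LogConent -Priority 'High' -SmtpServer mail.contoso.com -Port 25 -ErrorAction Stop
  }
  catch
  {
    # $_ is the error that triggered this catch; $Error.Exception.Message expands to the message of
    # every error in the session's $Error list, not this one
    $ErrorMessage = $_.Exception.Message
    $stamp = Get-Date -uFormat %Y%m%d-%H:%M:%S
    Write-Host -ForegroundColor 'Red' $stamp $ErrorMessage
    ("${stamp}: " + $ErrorMessage) | LogFile -output $LogPath
  }
}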
  

  

  
#Main Code
  
#Import ActiveDirectory module
  
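# Everything below needs the RSAT ActiveDirectory cmdlets; stop here with one clear error
# instead of a cascade of "not recognized" errors further down
Import-Module -Name ActiveDirectory -ErrorAction Stop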
  

  

  
#Log initialization
  
# One log file per calendar day; a second run on the same day appends to the same file
$LogDate = Get-Date -Format "yyyyMMdd"
$LogPath = "C:\PasswordLogs\DomainPasswordLog${LogDate}.txt"
# NOTE(review): the folder inherits the ACL of C:\; the log lists account names and their
# password state, so confirm the inherited permissions limit read access appropriately
if (-not (Test-Path -Path 'C:\PasswordLogs'))
{
  New-Item -Path 'C:\PasswordLogs' -ItemType Directory | Out-Null
}
  

  

  
#======================================================================================
  
#Get MaxPasswordAge
  
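$RootDSE = Get-ADRootDSE
$PasswordPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property maxPwdAge
# maxPwdAge is stored as a negative count of 100-nanosecond ticks; -864000000000 ticks is one day
$maxPwdAge = $PasswordPolicy.maxPwdAge/-864000000000
# [long]::MinValue is the stored value for "passwords never expire"; left unchecked it turns into
# ~10.7 million days and DateTime.AddDays throws for every user later on, so treat it like 0/missing
if (($null -eq $maxPwdAge) -or ($maxPwdAge -eq 0) -or ($PasswordPolicy.maxPwdAge -eq [long]::MinValue))
{
  $ErrorMessage = "MaxPasswordAge is not correct"
  $stamp = Get-Date -uFormat %Y%m%d-%H:%M:%S
  Write-Host -ForegroundColor 'Red' $stamp $ErrorMessage
  ("${stamp}: " + $ErrorMessage) | LogFile -output $LogPath
  $LogConent = Get-Content $LogPath -raw
  Send-Report -LogConent $LogConent -LogPath $LogPath -MailAddress 'abc@contoso.com'
  exit
}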
  
#======================================================================================
  
#Check userlist
  
#我这里的用户列表是写在一个txt文档里的,这是因为在我的环境中大部分用户是不需要这种邮件提醒的,他们的账户会由我们负责维护
  
#如果需要在AD里检索需要检查的用户的话可以直接这样写$userList=Get-ADUser -Filter *|Select-Object -ExpandProperty SamAccountName
  
#这样的话下边这段就不需要了
  
# Only the accounts listed in this file are checked, one SamAccountName per line
$userList = "C:\Users\abc\UserList.txt"
if (-not (Test-Path -Path $userList))
{
  $ErrorMessage = "Can't find userList.txt"
  $stamp = Get-Date -uFormat %Y%m%d-%H:%M:%S
  Write-Host -ForegroundColor 'Red' $stamp $ErrorMessage
  ("${stamp}: " + $ErrorMessage) | LogFile -output $LogPath
  $LogConent = Get-Content -Path $LogPath -Raw
  Send-Report -LogConent $LogConent -LogPath $LogPath -MailAddress 'abc@contoso.com'
  exit
}
  

  
#======================================================================================
  

  
#这里如果是使用检索AD用户的方法的话可以直接写
  
#foreach($user in $userlist)替代get-content即可
  

  
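#######################################
# Writes one timestamped line to the log file and, when a colour is given, to the console.
# Arguments: $Message - text to record
#            $Color   - Write-Host foreground colour; omit to log to the file only
# Globals:   $LogPath (read)
#######################################
function Write-CheckLog ($Message, $Color)
{
  $stamp = Get-Date -uFormat %Y%m%d-%H:%M:%S
  if ($Color)
  {
    Write-Host -ForegroundColor $Color $stamp $Message
  }
  "${stamp}: $Message" | LogFile -output $LogPath
}

# If the accounts come from AD instead of a file, iterate the result of Get-ADUser here instead
Get-Content $UserList | ForEach-Object {
  # Skip blank lines: Get-ADUser -Identity '' would only add a confusing lookup error to the log
  $name = "$_".Trim()
  if ($name -eq '') { return }

  # Request only the three attributes read below; -Properties * pulled every attribute of every account
  try
  {
    $userinfo = Get-ADUser -Identity $name -Properties PasswordNeverExpires, PasswordLastSet, EmailAddress -ErrorAction Stop
  }
  catch
  {
    # Record the lookup failure and move on to the next account. $_ is this error; the original
    # read $Error.Exception.Message, which expands to every message in the session's $Error list.
    Write-CheckLog -Message ($name + ": " + $_.Exception.Message) -Color 'Red'
    return
  }

  if ($userinfo.PasswordNeverExpires -eq $true)
  {
    # Accounts exempted from expiry are recorded so the administrator can review them
    Write-CheckLog -Message "$name's Password has been set to NeverExpires" -Color 'Cyan'
    return
  }

  # A fine-grained password policy (PSO) takes precedence over the domain policy. Resolve it into a
  # per-user variable: the original assigned to $maxPwdAge itself, so once one PSO user had been
  # processed every later user without a PSO silently inherited that PSO's maximum age.
  $effectiveMaxAge = $maxPwdAge
  $IndividualPasswordPolicy = Get-ADUserResultantPasswordPolicy -Identity $name
  if ($null -ne $IndividualPasswordPolicy)
  {
    $effectiveMaxAge = $IndividualPasswordPolicy.MaxPasswordAge.TotalDays
  }

  $PasswordSetDate = $userinfo.PasswordLastSet
  if ($null -eq $PasswordSetDate)
  {
    # pwdLastSet is unset (usually "must change password at next logon"); there is no date to
    # add days to and the original's .AddDays() call threw here
    Write-CheckLog -Message "$name's PasswordLastSet is empty (password must be changed at next logon)" -Color 'Yellow'
    return
  }

  $ExpireDate = $PasswordSetDate.AddDays($effectiveMaxAge)
  $Today = Get-Date
  # Whole days from now until expiry; negative once the password has already expired
  $leftDays = (New-TimeSpan -Start $Today -End $ExpireDate).Days

  # The three wordings differ only in the expiry line; the original's "in$leftDaysDay" referenced a
  # non-existent $leftDaysDay variable, so the mail said "expire in !!."
  if ($leftDays -lt 0)
  {
    $expiryText = "Your Password has expired!!."
    $subject = "Your Password has expired!!"
    $logText = "$name's Password has expired"
  }
  elseif ($leftDays -eq 1)
  {
    $expiryText = "Your Password will expire in $leftDays day!!."
    $subject = "Your Password will expire in $leftDays day!!"
    $logText = "$name's Password will expire in $leftDays day"
  }
  else
  {
    $expiryText = "Your Password will expire in $leftDays days!!."
    $subject = "Your Password will expire in $leftDays days"
    $logText = "$name's Password will expire in $leftDays days"
  }
  Write-CheckLog -Message $logText

  # Reminder threshold: 10 days or less, which also covers already-expired passwords
  if ($leftDays -le 10)
  {
    $body = @"

  Dear $name ,

  $expiryText

  Please change your Password as soon as possible so that you can work normally

  Thanks,

"@
    $MailAddress = $userinfo.EmailAddress
    if ([string]::IsNullOrWhiteSpace($MailAddress))
    {
      # No address in AD: the original passed '' to -To and the send failed silently.
      # Where the address lives elsewhere in your environment, resolve it here.
      Write-CheckLog -Message "$name has no EmailAddress in AD, reminder not sent" -Color 'Yellow'
      return
    }
    try
    {
      # -BodyAsHtml is dropped: the body is plain text and HTML rendering collapsed its line breaks.
      # -ErrorAction Stop makes a failed send reach the catch block (it never did with SilentlyContinue).
      # NOTE(review): unauthenticated SMTP on port 25 with no -UseSsl; the relay must restrict who
      # may send as No-Reply@contoso.com — confirm the relay configuration.
      Send-MailMessage -From "No-Reply@contoso.com" -To $MailAddress -Subject $subject -Body $body -Priority 'High' -SmtpServer mail.contoso.com -Port 25 -ErrorAction Stop
    }
    catch
    {
      Write-CheckLog -Message $_.Exception.Message -Color 'Red'
    }
  }
}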
  

  
#最后把这份报告发送给IT管理员
  
# Finally mail the whole day's log to the IT administrators
if (Test-Path -Path $LogPath)
{
  $LogConent = Get-Content -Path $LogPath -Raw
  Send-Report -LogConent $LogConent -LogPath $LogPath -MailAddress 'it@contoso.com'
}

