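# Transcript of the whole run, appended to the same file across runs.
Start-Transcript -Path C:\System\Scripts\PasswordExpiry\Log\Transcript.txt -Append
# Run date, used by Write-Log as the per-day suffix of the CSV log file name.
# 'yyyy' (four-digit year) replaces the original 'yyy' (year with a minimum of
# three digits): the output is identical for any current year, but the intent is
# now explicit.
$Date = Get-Date -Format dd-M-yyyy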
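function Write-Log {
    <#
    .SYNOPSIS
        Appends one timestamped entry to the run-day CSV log file.
    .DESCRIPTION
        Writes a row with the columns Time, Message and Severity to
        C:\System\Scripts\PasswordExpiry\Log\LogFile_<Date>.csv, where <Date> is
        the script-scope $Date computed once at script start, so every run on the
        same day appends to the same file.
    .PARAMETER Message
        Text to log. Mandatory (the original silently accepted a missing message)
        and positional, so `Write-Log "text"` keeps working.
    .PARAMETER Severity
        One of Information (default), Warning or Error.
    .OUTPUTS
        None. The entry is written to the CSV file only.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [ValidateNotNullOrEmpty()]
        [string]$Message,

        [Parameter(Position = 1)]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('Information', 'Warning', 'Error')]
        [string]$Severity = 'Information'
    )
    # 'g' = short date + short time pattern of the current culture.
    [pscustomobject]@{
        Time     = (Get-Date -Format g)
        Message  = $Message
        Severity = $Severity
    } | Export-Csv -Path "C:\System\Scripts\PasswordExpiry\Log\LogFile_$($Date).csv" -Append -NoTypeInformation
}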
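# ---- Script configuration ---------------------------------------------------
# Script Mode Test or Else
# If scriptmode is test, then the recipient is set to fish.marien@contoso.com
# (and the sender too); anything else sends to the real manager / ServiceDesk.
$ScriptMode = "Test"
$Type = "HTML"
# SaveToSentItems is a boolean in the Graph sendMail request; the original
# passed the string "True" and relied on lenient conversion. Use a real [bool].
$Save = $true
$MesTitle = "Password expiry Notification"
$SearchOU = "OU=ICT,DC=contoso,DC=com"
Write-Log -Message "$($Date) Script Started" -Severity Information

# ---- MGGraph Connection Parameters -------------------------------------------
# SECURITY: these are placeholders. Do not put a real client secret in this file:
# it ends up in source control and in every copy of the script, and
# ConvertTo-SecureString -AsPlainText offers no protection for a value that is
# already a literal here. Load it at run time instead, e.g. from a credential
# file created with Export-Clixml under the service account (DPAPI-bound to
# that user and machine) and read with Import-Clixml, or from a vault via the
# SecretManagement module's Get-Secret; or avoid the secret entirely with
# certificate-based auth (Connect-MgGraph -CertificateThumbprint ...).
$TenantID = "tenantid"
$ApplicationID = "applicationid"
$ApplicationSecret = "applicationSecret"
$Link = '<a href="https://myaccount.microsoft.com">MyAccount</a>'

# Convert the client secret to a secure string
$ClientSecretPass = ConvertTo-SecureString -String $ApplicationSecret -AsPlainText -Force
Write-Log -Message "Converting Application secret to secure string" -Severity Information

# Create a credential object using the client ID and secure string
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationID, $ClientSecretPass
Write-Log -Message "Creating Cloud credentials" -Severity Information

# Connect to Microsoft Graph with Client Secret. A failed connection is fatal:
# without it every Send-MgUserMail below fails, so stop here with the reason in
# the CSV log instead of continuing and reporting "users retrieved" as if all
# were well.
Write-Log -Message "Connection to Mg Graph" -Severity Information
try {
    Connect-MgGraph -TenantId $TenantID -ClientSecretCredential $ClientSecretCredential -ErrorAction Stop
}
catch {
    Write-Log -Message "Connect-MgGraph failed: $($_.Exception.Message)" -Severity Error
    Stop-Transcript
    throw
}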
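# ---- Getting Target users ----------------------------------------------------
Write-Log -Message "Retrieving users from OU" -Severity Information

# FILETIME epoch (1601-01-01). msDS-UserPasswordExpiryTimeComputed is 0 / absent
# when no expiry is computed (e.g. "must change password at next logon"), and
# [datetime]::FromFileTime of that value lands in 1601; the users with such a
# value are reported but not notified. The attribute may also hold
# [long]::MaxValue (no expiry) — FromFileTime would throw on it and the original
# then carried a $null ExpiryDate into the "expired" branch. Both cases are
# mapped to the epoch so they end up in the unvalidated set.
$ExpiryEpoch = [datetime]::FromFileTime(0)

try {
    # Note: the original used a typographic en dash before "Properties";
    # PowerShell tolerates it, but it breaks copy/paste and linting, so it is an
    # ASCII hyphen here. Name and AdminDescription are projected because the
    # logging and the mail branches below read $Obj.Name / $Obj.AdminDescription
    # (only the properties listed here survive Select-Object; PwdLastSet is kept
    # in -Properties as before but is not used).
    $TargetUsers = Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -SearchBase $SearchOU -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "Manager", "PwdLastSet", "AdminDescription" -ErrorAction Stop |
        Select-Object -Property "Name", "DisplayName", "AdminDescription",
            @{Name = "ExpiryDate"; Expression = {
                $Raw = $_."msDS-UserPasswordExpiryTimeComputed"
                if ($null -ne $Raw -and $Raw -gt 0 -and $Raw -lt [long]::MaxValue) {
                    [datetime]::FromFileTime($Raw)
                }
                else {
                    $ExpiryEpoch
                }
            }},
            "Manager", "DistinguishedName"
}
catch {
    Write-Log -Message "Get-ADUser failed for OU $($SearchOU): $($_.Exception.Message)" -Severity Error
    Stop-Transcript
    throw
}
$TargetUsersCount = ($TargetUsers | Measure-Object).Count
Write-Log -Message "Retrieved $($TargetUsersCount) users from OU: $($SearchOU)" -Severity Information

# Checking users which have a valid timestamp for Expiry date. The year test is
# the typed equivalent of the original "*1601*" string match on the datetime.
$ValidatedUsers = $TargetUsers | Where-Object { $_.ExpiryDate.Year -gt 1601 }
$ValidatedUsersCount = ($ValidatedUsers | Measure-Object).Count
$UnvalidatedUsers = $TargetUsers | Where-Object { -not ($_.ExpiryDate.Year -gt 1601) }
$UnvalidatedUsersCount = ($UnvalidatedUsers | Measure-Object).Count
Write-Log -Message "Retrieved $($UnvalidatedUsersCount) users, which are missing an ExpiryDate value. This users are not handled by the script" -Severity Warning
Write-Log -Message "Unvalidated users" -Severity Information
foreach ($Obj in $UnvalidatedUsers) {
    Write-Log -Message "$($Obj.Name)" -Severity Information
}
Write-Log -Message "Retrieved $($ValidatedUsersCount) users, which are subject to the script" -Severity Information
foreach ($Obj in $ValidatedUsers) {
    Write-Log -Message "$($Obj.Name)" -Severity Information
}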
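# ---- Retrieving the managers and personalizing mail --------------------------

#######################################
# Sends one notification mail through Graph (replaces the three identical
# $Params/Send-MgUserMail copies the loop used to carry).
# Globals (read): $ScriptMode, $MesTitle, $Type, $Save
# Arguments:
#   -Body                 HTML body of the message.
#   -ProductionRecipient  Address used when $ScriptMode is not "Test". In Test
#                         mode sender and recipient are both the test mailbox,
#                         exactly as before.
# Behaviour: when the effective recipient is empty (e.g. a manager object
# without a Mail value) an Error is logged and nothing is sent, instead of
# building a message with an empty Address. A failed send is logged as Error
# so it shows up in the CSV log, not only on the console.
#######################################
function Send-ExpiryMail {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Body,

        [Parameter()]
        [string]$ProductionRecipient = ""
    )
    if ($ScriptMode -eq "Test") {
        $Sender = "fish.marien@contoso.com"
        $Recipient = "fish.marien@contoso.com"
    }
    else {
        $Sender = "ict-systems@contoso.com"
        $Recipient = $ProductionRecipient
    }
    if ([string]::IsNullOrWhiteSpace($Recipient)) {
        Write-Log -Message "No recipient address available, notification not sent" -Severity Error
        return
    }
    $Params = @{
        Message = @{
            Subject = $MesTitle
            Body = @{
                ContentType = $Type
                Content = $Body
            }
            ToRecipients = @(
                @{
                    EmailAddress = @{
                        Address = $Recipient
                    }
                }
            )
        }
        SaveToSentItems = $Save
    }
    try {
        Send-MgUserMail -UserId $Sender -BodyParameter $Params -ErrorAction Stop
    }
    catch {
        Write-Log -Message "Send-MgUserMail to $($Recipient) failed: $($_.Exception.Message)" -Severity Error
    }
}

Write-Log -Message "Getting validated users which password's will or has expired. Timeperiod = 21 days" -Severity Information
# Everyone whose password expires within 21 days — or has already expired. There
# is no record of earlier notifications, so the same accounts are mailed on
# every run until the password is changed.
$Notify = $ValidatedUsers | Where-Object { $_.ExpiryDate -lt (Get-Date).AddDays(21) }

# The mail goes to the account's Manager (for admin accounts: presumably the
# owner's primary account — the bodies say "your admin account"); the Manager's
# GivenName and Mail are read from AD. $Obj.Name and $Obj.AdminDescription
# are only available if the Select-Object projection above exposes them.
Foreach ($Obj in $Notify) {
    if ($Obj.ExpiryDate -lt (Get-Date)) {
        Write-Log -Message "The password of account $($Obj.name) has already expired" -Severity Information
        # Retrieving Manager info
        If ($null -eq $Obj.Manager) {
            # No manager: the ServiceDesk gets the notification instead.
            Write-Log -Message "The Account $($Obj.name) has no manager value defined, wherefore a mailconnect be send" -Severity Warning
            $Body = @"
<p>Dear ServiceDesk,<br>
<br>
The password of account $($Obj.Name) has expired.<br>
The account does not have a manager specified wherefore the message is sent to the ServiceDesk.<br>
As the password has been expired, the account will no longer be able to log in.<br>
The account is located here: $($Obj.DistinguishedName)<br>
<br>
Kind Regards,<br>
<br>
ICT Systems<br></p>
"@
            Send-ExpiryMail -Body $Body -ProductionRecipient "servicedesk@contoso.com"
            Write-Log -Message "$($Obj.Name) has no manager defvined, wherefore the message is sent to the ServicDesk" -Severity Information
        }
        Else {
            # Retrieving Manager
            $AdManagerObj = Get-ADUser $Obj.Manager -Properties Mail
            If ($null -eq $Obj.AdminDescription) {
                $Body = @"
<p>Dear $($AdManagerobj.GivenName),<br>
<p><br>
<p>The password of your admin account $($Obj.Name), has expired. Therefore you will no longer be able to use this account to log on.<br>
<p>You can reset the password via $($link), by logging in with your admin credentials.<br>
<p>After modifying the account's password, you will be able to use the account agaoin.<br>
<p><br>
<p>If you feel this mail is inappropriate, or does not apply to you, please contact the service desk for assistance.<br>
<p><br>
<p>Kind Regards,<br>
<p><br>
<p>ICT Systems<br>
"@
            }
            Else {
                $Body = @"
<p>Dear $($AdManagerObj.GivenName),<br>
<br>
<p>The password of your account $($Obj.Name), has expired. Therefore you will no longer be able to use this account to log on.<br>
<p>Please contact the ServiceDesk, they will create a support ticket and assign it to the propper team(s).<br>
<p><br>
If you feel this mail is inappropriate, or does not apply to you, please contact the ServiceDesk for assistance.<br>
<br>
Kind Regards,<br>
<br>
ICT Systems</p>
"@
            }
            Send-ExpiryMail -Body $Body -ProductionRecipient $AdManagerObj.Mail
            Write-Log -Message "$($Obj.name) has a manager defined. The notification message was sent to $($ADManagerObj.Name)" -Severity Information
        }
    }
    Else {
        # Calculating Days the password remains valid
        $StartDate = (Get-Date)
        $EndDate = $Obj.ExpiryDate
        $DaysToGo = New-TimeSpan -Start $StartDate -End $EndDate
        # The original branch called Get-ADUser with a $null Manager, which
        # fails and produced a mail with no greeting and no recipient. Log it
        # and move on to the next account instead.
        If ($null -eq $Obj.Manager) {
            Write-Log -Message "The Account $($Obj.name) has no manager value defined, no expiry warning was sent" -Severity Warning
            continue
        }
        # Retrieving Manager
        $AdManagerObj = Get-ADUser $Obj.Manager -Properties Mail
        if ($null -eq $Obj.AdminDescription) {
            $Body = @"
<p>Dear $($AdManagerObj.GivenName),<br>
<br>
The password of your admin account $($Obj.Name) will expire on $($Obj.ExpiryDate), which is wwithin $($DaysToGo.days) days.<br>
When the password has effectively has expired, you will no longer be able to use this account untill the password is updated.<br>
You can update the password via $Link, by logging in with your admin credentials.<br><br>
<br>
If you feel this mail is inappropriate, or does not apply to you, please contact the ServiceDesk for assistance.<br>
<br>
Kind Regards,<br>
<br>
ICT Systems</p>
"@
            Write-Log -Message "Users $($Obj.Name) is synced to Entgra AD" -Severity Information
        }
        Else {
            $Body = @"
<p>Dear $($AdManagerObj.GivenName),<br>
<br>
<p>The password of your admin account $($Obj.Name) will expire on $($Obj.expirydate), which is wwithin $($DaysToGo.days) days.<br>
<p>When the password has effectively has expired, you will no longer be able to use this account untill the password is updated.<br>
<p>Please update your admin's account password or contact the ServiceDesk for assistance, they will create a support ticket and assign it to the propper support team(s).<br>
<p><br>
<p>If you feel this mail is inappropriate, or does not apply to you, please contact the ServiceDesk for assistance.<br>
<p><br>
<p>Kind Regards,<br>
<p><br>
<p>ICT Systems</p>
"@
            Write-Log -Message "User $($Obj.Name) is not synced with Entra AD" -Severity Information
        }
        Send-ExpiryMail -Body $Body -ProductionRecipient $AdManagerObj.Mail
        Write-Log -Message "$($Obj.name) has a manager defined. The notification message was sent to $($ADManagerObj.Name)" -Severity Information
    }
}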
# Closing log entry (mirrors the "Script Started" entry) and end of transcript.
Write-Log -Severity Information -Message "$Date Script ended"
Stop-Transcript