PowerShell password expiration notification script


Let me describe the exact process: there is an OU containing accounts, and I need to select the accounts whose password has not been changed for more than a year and send an email to that account's manager. So far I have only implemented the selection of user accounts whose password has not been changed for over a year:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $true} -SearchBase "OU=SС,DC=domain,DC=com" -Properties Manager, PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-365)} | select Name,SamAccountName,PasswordLastSet, Manager

But how do I also bring in the user's manager and send the manager a report with the name and the password age?

The Manager property of an ADUser may not be set at all; otherwise it contains the DistinguishedName of the manager.

This means that if you need more properties of that manager, such as EmailAddress, you need to do another Get-ADUser to fetch those.

With a single ForEach-Object loop you can collect everything you need in an array of PSCustomObjects, after which all that is left to do is group on the manager's email address and start sending nicely formatted emails.

Something like:

$refDate = (Get-Date).AddDays(-365).Date  # set to midnight
$filter  = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'True'"
$users   = Get-ADUser -Filter $filter -SearchBase "OU=SС,DC=domain,DC=com" -Properties EmailAddress, Manager, PasswordLastSet | 
    Where-Object {$_.PasswordLastSet -lt $refDate} | 
    ForEach-Object {
        # get the Manager details we need, but only when a manager is set:
        # Get-ADUser -Identity $null throws, and the answer handles manager-less users further down
        $manager = if ($_.Manager) { Get-ADUser -Identity $_.Manager -Properties Name, EmailAddress } else { $null }
        $_ | Select-Object Name,SamAccountName,PasswordLastSet, EmailAddress,
                            @{Name = 'ManagerName'; Expression = {$manager.Name}},
                            @{Name = 'ManagerEmail'; Expression = {$manager.EmailAddress}}
    }

# you now have an array of user objects with properties you need to create the email(s)

# create a Here-String with the wanted style for the email
$style = @"
<style>
    body, table {font-family: sans-serif; font-size: 10pt; color: #000000;}
    table {border: 1px solid black; border-collapse: collapse;}
    th {border: 1px solid black; background: #dddddd; padding: 3px;}
    td {border: 1px solid black; padding: 3px;}
</style>
"@

# create a Here-String template to use for mailing the managers
# this uses 3 placeholders to fill in (style, manager name, and the table of expiring user accounts)
$mailTemplate = @"
<html><head>{0}</head><body>
Dear {1},<br /><br />
The below users have not changed their password for more than a year.<br />
{2}
<br />
As their manager, please tell them to do so within the next 14 days.  
<br /><br />
Thank you.
</body></html>
"@

# first filter out the users that do have a manager and group by the 'ManagerEmail' property
$users | Where-Object { ![string]::IsNullOrWhiteSpace($_.ManagerEmail) } | Group-Object -Property ManagerEmail | ForEach-Object {
    $mgrName  = $_.Group[0].ManagerName
    $mgrEmail = $_.Name  # the Group's Name is what we grouped on == ManagerEmail. Can also use $_.Group[0].ManagerEmail

    # select the user properties from the group, and convert it into a nice HTML table
    $table = ($_.Group | Select-Object * -ExcludeProperty 'Manager*' | ConvertTo-Html -As Table -Fragment) -join [environment]::NewLine
    # create a Hashtable for splatting the parameters to the Send-MailMessage cmdlet
    $mailParams = @{
        To         = $mgrEmail
        From       = 'IT@yourdomain.com'
        Subject    = 'Users that have not changed their password for more than a year'
        Body       = $mailTemplate -f $style, $mgrName, $table  # fill in the placeholders of the mail template
        BodyAsHtml = $true
        Priority   = 'High'
        SmtpServer = 'smtp.yourdomain.com'
        # more parameters go here
    }
    # send this manager an email with a table of users that report to him/her
    Send-MailMessage @mailParams
}

# next filter out users that have no manager listed and display that list for you to take action on
$noManager = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.ManagerEmail) })

if ($noManager.Count) {
    # output on screen
    Write-Host "These users have no manager.."
    $noManager | Format-Table -AutoSize

    # if you like, save to CSV file
    $noManager | Export-Csv -Path 'Path\To\UsersWithoutManager.csv' -NoTypeInformation
}
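The answer above queries the domain for every user and mails straight away, which makes it hard to verify the grouping before anything is sent. As an added example that is not part of the original question or answer, the script below separates the report logic from the data source: the stale-password selection, manager lookup (cached per DistinguishedName so each manager is queried once), the `PasswordLastSet -eq $null` case ("must change at next logon"), and the manager-less users are handled in one function that works on plain objects. The sample users, the `$sampleManagers` table, `Get-SampleUsers` and `Resolve-Manager` are constructed stand-ins for `Get-ADUser` output, and `Send-ManagerReports` has a dry-run mode that writes the HTML to files instead of calling `Send-MailMessage`. The names `Get-StalePasswordReport` and `Send-ManagerReports` are my own and are not from the answer.

```powershell
$refDate = (Get-Date).AddDays(-365).Date   # midnight, one year ago

# --- constructed sample input (stands in for Get-ADUser ... -Properties EmailAddress, Manager, PasswordLastSet) ---
function Get-SampleUsers {
    @(
        [pscustomobject]@{ Name = 'Alice Example'; SamAccountName = 'alice'; EmailAddress = 'alice@example.test'
                           PasswordLastSet = (Get-Date).AddDays(-400); Manager = 'CN=Mia Manager,OU=Staff,DC=example,DC=test' }
        [pscustomobject]@{ Name = 'Bob Example';   SamAccountName = 'bob';   EmailAddress = 'bob@example.test'
                           PasswordLastSet = (Get-Date).AddDays(-30);  Manager = 'CN=Mia Manager,OU=Staff,DC=example,DC=test' }
        [pscustomobject]@{ Name = 'Carol Example'; SamAccountName = 'carol'; EmailAddress = 'carol@example.test'
                           PasswordLastSet = $null;                     Manager = $null }   # must change at next logon, no manager
        [pscustomobject]@{ Name = 'Dave Example';  SamAccountName = 'dave';  EmailAddress = 'dave@example.test'
                           PasswordLastSet = (Get-Date).AddDays(-500); Manager = 'CN=Omar Lead,OU=Staff,DC=example,DC=test' }
    )
}

# Constructed stand-in for: Get-ADUser -Identity $dn -Properties Name, EmailAddress
$sampleManagers = @{
    'CN=Mia Manager,OU=Staff,DC=example,DC=test' = [pscustomobject]@{ Name = 'Mia Manager'; EmailAddress = 'mia@example.test' }
    'CN=Omar Lead,OU=Staff,DC=example,DC=test'   = [pscustomobject]@{ Name = 'Omar Lead';   EmailAddress = 'omar@example.test' }
}
function Resolve-Manager([string]$DistinguishedName) { $sampleManagers[$DistinguishedName] }

function Get-StalePasswordReport {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][datetime]$ReferenceDate,
        [Parameter(Mandatory)][scriptblock]$ManagerLookup   # receives a manager DN, returns an object with Name/EmailAddress
    )
    $managerCache = @{}   # DN -> manager object; each manager is looked up once, not once per direct report
    foreach ($u in $Users) {
        # A null PasswordLastSet means the password must be changed at next logon: report it, but label it clearly
        $stale = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $ReferenceDate)
        if (-not $stale) { continue }

        $mgr = $null
        if (-not [string]::IsNullOrWhiteSpace($u.Manager)) {
            if (-not $managerCache.ContainsKey($u.Manager)) { $managerCache[$u.Manager] = & $ManagerLookup $u.Manager }
            $mgr = $managerCache[$u.Manager]
        }
        $lastSet = if ($null -eq $u.PasswordLastSet) { 'never (must change at next logon)' } else { $u.PasswordLastSet.ToString('yyyy-MM-dd') }

        [pscustomobject]@{
            Name            = $u.Name
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $lastSet
            ManagerName     = $mgr.Name          # $null when no manager could be resolved
            ManagerEmail    = $mgr.EmailAddress
        }
    }
}

function Send-ManagerReports {
    param(
        [Parameter(Mandatory)][object[]]$Report,
        [string]$OutputFolder,          # when given, write one HTML file per manager instead of mailing (dry run)
        [hashtable]$MailParams = @{}    # From, SmtpServer, ... splatted onto Send-MailMessage for the live run
    )
    $Report | Where-Object { $_.ManagerEmail } | Group-Object -Property ManagerEmail | ForEach-Object {
        $table = ($_.Group | Select-Object * -ExcludeProperty 'Manager*' | ConvertTo-Html -As Table -Fragment) -join "`n"
        $body  = "<html><body>Dear $($_.Group[0].ManagerName),<br/><br/>These users have not changed their password for more than a year:<br/>$table</body></html>"
        if ($OutputFolder) {
            $file = Join-Path $OutputFolder ('report_{0}.html' -f ($_.Name -replace '[^\w.@-]', '_'))
            Set-Content -Path $file -Value $body
            $file   # emit the path so the caller can inspect the rendered mail
        } else {
            Send-MailMessage @MailParams -To $_.Name -Subject 'Users that have not changed their password for more than a year' -Body $body -BodyAsHtml
        }
    }
}

$report = Get-StalePasswordReport -Users (Get-SampleUsers) -ReferenceDate $refDate -ManagerLookup ${function:Resolve-Manager}
$report | Format-Table -AutoSize            # Alice, Carol and Dave are stale; Bob (30 days) is not

# Dry run: produces report_mia@example.test.html and report_omar@example.test.html in the temp folder, sends nothing
Send-ManagerReports -Report $report -OutputFolder ([IO.Path]::GetTempPath())

# Users without a resolvable manager (Carol here) need manual follow-up rather than an automated mail
$report | Where-Object { -not $_.ManagerEmail }
```

In production, pass the real directory as `-Users (Get-ADUser -Filter $filter -SearchBase ... -Properties EmailAddress, Manager, PasswordLastSet)` and `-ManagerLookup { param($dn) Get-ADUser -Identity $dn -Properties Name, EmailAddress }`; the dry-run files let you confirm who would be mailed before switching to the live run. Keep in mind that the accounts this script targets are exactly the ones with `PasswordNeverExpires` set, i.e. the ones domain policy will never force to rotate, so the report is the only control prompting a change; review the no-manager list each run rather than letting it accumulate. Microsoft documents `Send-MailMessage` as obsolete because it does not guarantee a secure connection to the SMTP server, so a current mail library or relay that enforces TLS is worth considering when you take this live.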