Warning users about password expiration and account activities
Hello world!
I once faced a situation where, on 1 January, many users' accounts had expired and were blocked. They were unable to work, and a flurry of phone calls started on the morning of the 1st. We decided to warn users in advance, by e-mail, about password and account expiration, with a copy of the list of warned users sent to the administrator.
The script implementations are below the cut.
First you need to install the ActiveRoles Management Shell for Active Directory.
Article based on information from habrahabr.ru
Password expiration script
The script warns ordinary users that their password is about to expire 7 days before, 3 days before and on the day of expiration. Top managers are warned 5 days before the expiry.
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Send the warning e-mail to a single user.
function send-eMail($to, $PasswordAge, $Days) {
    if ($PasswordAge -eq 0) {
        $subject = "Your password expires today."
    } else {
        $subject = "Your password expires in $PasswordAge $Days."
    }
    write-host $to $PasswordAge
    $Enc = [Text.Encoding]::UTF8
    Send-MailMessage -to $to `
        -from "IT<it@domain.com>" `
        -subject "Attention! $subject" `
        -body "<span style='font: 11pt serif;'>Good day.<br />
            $subject<br />
            It is recommended to change the password: after it expires you will not be able to access the information resources of the company.<br />
            How to change the password is described on the portal under &quot;<a href='http://portal/Pages/Instructions.aspx'>Instructions</a>&quot;.<br /></span>" `
        -priority High `
        -dno onFailure `
        -smtpServer MAILSERVER `
        -BodyAsHtml `
        -Encoding $Enc
}

# Send the HTML log of warned users to an administrator.
function send-eMail-log($log, $to, $subject) {
    $Enc = [Text.Encoding]::UTF8
    $body = "<span style='font: 10pt tahoma;'>$log</span>"
    Send-MailMessage -to $to `
        -from "IT<it@domain.com>" `
        -subject $subject `
        -body $body `
        -smtpServer MAILSERVER `
        -BodyAsHtml `
        -Encoding $Enc
}

# Pick the singular or plural form of "day" for the message text.
function get-dayCut($PasswordAge) {
    if ($PasswordAge -eq 1) {
        return "day"
    }
    return "days"
}

# We have 45 days:
$PasswordAgeMax = (Get-QADObject (Get-QADRootDSE).defaultNamingContextDN).MaximumPasswordAge.days
write-host "Maximum password age: $PasswordAgeMax"
$log = ""
$logBoss = ""

# -- 7, 3 and 0 days ---------------------------------------------------------------------------------------------
Get-QADUser -SizeLimit 0 |
    Where-Object {$_.AccountIsDisabled -eq $False} |
    Where-Object {$_.PasswordNeverExpires -eq $False} |
    % {
        # Despite its name, $PasswordAge holds the number of days left until the password expires.
        $PasswordAge = $PasswordAgeMax - ($_.passwordage.days) - 1
        $PasswordAge = [int]$PasswordAge
        if ($_.parentContainer -ne "domain/General/User") {
            # Ordinary users: warn 7 days before, 3 days before and on the day of expiration.
            if ($PasswordAge -eq 7 -or $PasswordAge -eq 3 -or $PasswordAge -eq 0) {
                $Days = get-dayCut $PasswordAge
                $addParam = $_.Title + ", " + $_.Department
                if (($_.mail).Length -gt 0) {
                    send-eMail $_.mail $PasswordAge $Days
                    $addParam = $addParam + ", " + $_.mail
                }
                if ($PasswordAge -le 1) {
                    $log = $log + "<span style='color:red;'>" + $_.DisplayName + ", " + $PasswordAge + " (" + $addParam + ")</span><br />"
                } else {
                    $log = $log + $_.DisplayName + ", " + $PasswordAge + " (" + $addParam + ")<br />"
                }
            }
        } else {
            # Accounts in the "domain/General/User" container are the top managers.
            $Days = get-dayCut $PasswordAge
            write-host "$($_.DisplayName): $PasswordAge"
            if ($PasswordAge -le 5 -and $PasswordAge -ge 0) {
                send-eMail $_.mail $PasswordAge $Days
            }
            if ($PasswordAge -le 0) {
                $logBoss = $logBoss + $_.DisplayName + ", password has expired (" + $_.mail + ", " + $_.telephoneNumber + ")<br />"
            } elseif ($PasswordAge -le 5 -and $PasswordAge -gt 0) {
                $logBoss = $logBoss + $_.DisplayName + ", password expires in " + $PasswordAge + " " + $Days + " (" + $_.mail + ", " + $_.telephoneNumber + ")<br />"
            }
        }
    }

if ($log.Length -gt 0) {
    send-eMail-log $log "IT<it@domain.com>" "Password expiration log"
}
if ($logBoss.Length -gt 0) {
    "admin1", "admin2", "admin3" |
        % {send-eMail-log $logBoss "$_@domain.com" "Password expiration log for the directors"}
}
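The script above derives the days left from the single domain-wide MaximumPasswordAge. As an added example (not the author's code), the same 7/3/0 schedule can be driven by the per-user `msDS-UserPasswordExpiryTimeComputed` attribute, which also reflects fine-grained password policies. It assumes the native ActiveDirectory module for live data; the function name `Get-PasswordExpiryNotice` and the sample users are constructed for illustration.

```powershell
# Added example, not the article's script. Live input would come from the
# ActiveDirectory module (assumed to be installed), for instance:
#   Get-ADUser -Filter 'Enabled -eq $true' `
#       -Properties DisplayName, mail, 'msDS-UserPasswordExpiryTimeComputed'
function Get-PasswordExpiryNotice {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int[]]    $WarnOnDays = @(7, 3, 0),        # schedule used in the article
        [datetime] $Today      = (Get-Date).Date
    )
    foreach ($u in $User) {
        $raw = [long]$u.'msDS-UserPasswordExpiryTimeComputed'
        # 0: password must be changed at next logon; Int64.MaxValue: never expires.
        # Neither is a real date, and FromFileTime would throw on the latter.
        if ($raw -le 0 -or $raw -eq [long]::MaxValue) { continue }

        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = ($expires.Date - $Today).Days
        if ($WarnOnDays -notcontains $daysLeft) { continue }

        # Directory attributes are free text, so encode them before they are
        # concatenated into the HTML body of the administrator log.
        $name = [System.Net.WebUtility]::HtmlEncode($u.DisplayName)
        [pscustomobject]@{
            Mail     = $u.mail
            DaysLeft = $daysLeft
            LogLine  = "$name, $daysLeft<br />"
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$today  = (Get-Date).Date
$sample = @(
    [pscustomobject]@{ DisplayName = 'Anna <Test>'; mail = 'anna@domain.com'
        'msDS-UserPasswordExpiryTimeComputed' = $today.AddDays(3).AddHours(9).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'Boris'; mail = 'boris@domain.com'
        'msDS-UserPasswordExpiryTimeComputed' = $today.AddDays(10).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'Vera'; mail = 'vera@domain.com'
        'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }   # never expires
    [pscustomobject]@{ DisplayName = 'Gleb'; mail = 'gleb@domain.com'
        'msDS-UserPasswordExpiryTimeComputed' = $today.AddHours(18).ToFileTime() }
)

Get-PasswordExpiryNotice -User $sample -Today $today | Format-Table -AutoSize
```

Only the users whose password expires in exactly 3 days or today are returned; the 10-day and never-expires entries are skipped.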
Account expiration script
The script warns the user that the account is about to expire 30, 20, 14, 7 and 5 days in advance.
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Send the warning e-mail to a single user.
function send-eMail($to, $lsDayCount) {
    write-host $to $lsDayCount;
    $Enc = [Text.Encoding]::UTF8
    Send-MailMessage -to $to `
        -from "IT<it@domain.com>" `
        -subject "Attention! Your account will expire in $lsDayCount days" `
        -body "<span style='font: 12pt serif;'>Good day.<br />
            Your account will expire in $lsDayCount days.</span>" `
        -priority High `
        -dno onFailure `
        -smtpServer MAILSERVER `
        -BodyAsHtml `
        -Encoding $Enc
}

# Send the HTML log of warned users to an administrator.
function send-eMail-log($log, $to, $subject) {
    $Enc = [Text.Encoding]::UTF8
    $body = "<span style='font: 10pt tahoma;'>" + $log + "</span>"
    # Optionally add: -Cc "admin1@domain.com"
    Send-MailMessage -to $to `
        -from "it@domain.com" `
        -subject $subject `
        -body $body `
        -smtpServer MAILSERVER `
        -BodyAsHtml `
        -Encoding $Enc
}

# Return the value (optionally followed by ", ") or an empty string if the attribute is not set.
function check-null($lsPar, $lbComma) {
    $lsTmp = $lsPar;
    if ($lsPar.Length -gt 0) {
        if ($lbComma) {
            $lsTmp = $lsPar + ", ";
        }
    } else {
        $lsTmp = "";
    }
    return $lsTmp;
}

# -- 5, 7, 14, 20, 30 days -------------------------------------------------------------------------------------
$targetdate5 = ((get-date).AddDays(5)).ToShortDateString();
$targetdate7 = ((get-date).AddDays(7)).ToShortDateString();
$targetdate14 = ((get-date).AddDays(14)).ToShortDateString();
$targetdate20 = ((get-date).AddDays(20)).ToShortDateString();
$targetdate30 = ((get-date).AddDays(30)).ToShortDateString();
$gLog = "";
$gLog5 = "";
$gLog7 = "";
$gLog14 = "";
$gLog20 = "";
$gLog30 = "";
write-host $targetdate5 $targetdate7 $targetdate14 $targetdate20 $targetdate30;

Get-QADUser -SizeLimit 0 |
    Where-Object {$_.AccountExpires -ne $null} |
    Where-Object {$_.AccountIsDisabled -eq $False} |
    % {
        $gObjUser = $_;
        $gsUserOpt = "";
        # Compare the account expiration date with each warning date.
        5,7,14,20,30 | % {
            $targetdate = ((get-date).AddDays($_)).ToShortDateString();
            if (($gObjUser.AccountExpires).ToShortDateString() -eq $targetdate) {
                write-host "$($gObjUser.DisplayName)`t$(($gObjUser.AccountExpires).ToShortDateString())";
                if (($gObjUser.mail).Length -gt 0) {
                    send-eMail $gObjUser.mail $_;
                }
                $gsUserOpt = (check-null $gObjUser.Title $TRUE) +
                    (check-null $gObjUser.Department $TRUE) +
                    (check-null $gObjUser.mail $TRUE) +
                    (check-null $gObjUser.telephoneNumber $FALSE);
                if ($gsUserOpt.Length -gt 0) {
                    # Drop the trailing ", " left behind when the last attribute is empty.
                    if ($gsUserOpt.EndsWith(", ")) {
                        $gsUserOpt = $gsUserOpt.substring(0, $gsUserOpt.length - 2);
                    }
                    $gsUserOpt = " (" + $gsUserOpt + ")";
                }
                $gsUserOpt = $gObjUser.DisplayName + $gsUserOpt + "<br />";
                switch ($_) {
                    5 {$gLog5 = $gLog5 + $gsUserOpt; break}
                    7 {$gLog7 = $gLog7 + $gsUserOpt; break}
                    14 {$gLog14 = $gLog14 + $gsUserOpt; break}
                    20 {$gLog20 = $gLog20 + $gsUserOpt; break}
                    30 {$gLog30 = $gLog30 + $gsUserOpt; break}
                }
            }
        }
    }

# Assemble the administrator log, one section per warning interval.
if ($gLog5.Length -gt 0) {
    $gLog = "<strong>5 days, expires $targetdate5</strong><br />" + $gLog5 + "<br />"}
if ($gLog7.Length -gt 0) {
    $gLog = $gLog + "<strong>7 days, expires $targetdate7</strong><br />" + $gLog7 + "<br />"}
if ($gLog14.Length -gt 0) {
    $gLog = $gLog + "<strong>14 days, expires $targetdate14</strong><br />" + $gLog14 + "<br />"}
if ($gLog20.Length -gt 0) {
    $gLog = $gLog + "<strong>20 days, expires $targetdate20</strong><br />" + $gLog20 + "<br />"}
if ($gLog30.Length -gt 0) {
    $gLog = $gLog + "<strong>30 days, expires $targetdate30</strong><br />" + $gLog30 + "<br />"}
if ($gLog.Length -gt 0) {
    "admin1", "admin2", "admin3" |
        % {send-eMail-log $gLog "$_@domain.com" "Account expiration log"}
}
Warn the user in advance. Comments are welcome.