In organizations that expire Active Directory user accounts (e.g. contractors and other temporary users), it is helpful to proactively notify the managers of those users ahead of the actual account expirations. There are various software solutions that can be purchased to accomplish this, but this script offers a convenient and free alternative.
Clone this repository to the server where you want the script to run:
```shell
git clone https://github.com/griffeth-barker/ADAccountExpiryReminder.git
```
In the Begin block of the script, there is a maintenance block of variables that can be customized. It looks like this:
```powershell
## MAINTENANCE BLOCK ####################################
# Update these variables to fit your organization's needs
$orgSmtpServer = "smtp.domain.tld"
$orgHelpdeskEmail = "[email protected]"
$logDir = "D:\Tasks\ADAccountExpiryReminder\log"
## END MAINTENANCE BLOCK ################################
```

These variables can be updated based on desired customization. There is also an HTML body section in the script that can be customized. Otherwise, the rest of the script should not require modification unless you have drastically different needs.
This script is intended to run via Windows Task Scheduler; create a scheduled task in Windows Task Scheduler to run the script at the desired interval.
This automation can be monitored by monitoring platforms (e.g. Zabbix) via the included statusCode file. Its content is expected to be 0; an exception during the run will produce a 1.
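As an added example (not part of this repository), the following PowerShell registers the script as a daily scheduled task and shows the check a monitoring agent would run against the statusCode file. The script path, statusCode path, task name and the group Managed Service Account name are placeholders; the task is assumed to run under a gMSA that only needs read access to the directory and permission to relay through the SMTP server, and `-ExecutionPolicy AllSigned` assumes the script is Authenticode-signed (use `RemoteSigned` otherwise).

```powershell
# Added example, not the project's own code: register the reminder script as a
# scheduled task under a gMSA, then read the statusCode file the README describes.
$scriptPath = 'D:\Tasks\ADAccountExpiryReminder\ADAccountExpiryReminder.ps1'  # placeholder path
$statusFile = 'D:\Tasks\ADAccountExpiryReminder\statusCode'                   # placeholder path
$gmsa       = 'CONTOSO\svc-adexpiry$'                                          # placeholder gMSA

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$scriptPath`" -TimeSpan 14"
$trigger   = New-ScheduledTaskTrigger -Daily -At 07:00
# A gMSA logs on with LogonType Password; Limited keeps the task off the admin token.
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

Register-ScheduledTask -TaskName 'AD Account Expiry Reminder' -Action $action `
    -Trigger $trigger -Principal $principal -Settings $settings -Force

# Monitoring side: the same evaluation a Zabbix item/trigger pair would make.
function Get-ReminderStatus {
    param([string]$Path = $statusFile)
    if (-not (Test-Path -Path $Path)) { return 'UNKNOWN: status file missing (task never ran?)' }
    $code = (Get-Content -Path $Path -Raw).Trim()
    switch ($code) {
        '0'     { 'OK: last run completed' }
        '1'     { 'CRITICAL: last run raised an exception, check the transcript log' }
        default { "UNKNOWN: unexpected status '$code'" }
    }
}

Get-ReminderStatus
```

Treating a missing status file as a distinct state matters: a task that never fires (disabled, wrong credentials, expired gMSA password rotation) would otherwise look identical to a healthy one if the monitor only alerted on a literal 1.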
Here is a brief explanation of what the script does:
- Parameter definition for `-TimeSpan`, which is how we determine how far out from an account expiration we want to send a reminder
- Begin
  - Maintenance block for customizable variables
  - Declare log directory and log file
  - Start transcript to record actions during script run
  - Check for the ActiveDirectory PowerShell module and throw an exception and exit if it is not able to be imported
  - Create a datatable for staging the general expiring account metadata
- Process
  - Get all the users whose account is expiring within the `-TimeSpan` passed to the script
  - Loop through those users and for each of them:
    - Determine the user's email address
    - Determine the user's manager's email address
    - Determine how many days until account expiration
    - Add the above metadata to the staging datatable
  - Get list of unique managers that need to be notified
  - Loop through each of the managers needing notification and for each of them:
    - Get the expiring accounts of which they are the manager from the staging datatable
    - Generate HTML email body including table of the expiring accounts
    - Send email notification message to the manager with the expiring accounts
- End
  - Check log directory for logs generated by this script that are older than 7 days and clean them up
  - Stop the transcript
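The Begin/Process/End flow outlined above, written out as an added, stand-alone example rather than the repository's own script. It assumes a host with the ActiveDirectory module (RSAT) installed; the SMTP server, sender address, log directory and statusCode path are placeholders, and the `run_*.log` file naming is this example's own choice. `Send-MailMessage` works unchanged in Windows PowerShell 5.1 and is flagged obsolete (but still functional) in PowerShell 7.

```powershell
# Added example, not the project's own script: expiring-account reminders per manager.
param(
    [int]$TimeSpan      = 14,
    [string]$SmtpServer = 'smtp.domain.tld',                              # placeholder
    [string]$From       = 'helpdesk@domain.tld',                          # placeholder
    [string]$LogDir     = 'D:\Tasks\ADAccountExpiryReminder\log',        # placeholder
    [string]$StatusFile = 'D:\Tasks\ADAccountExpiryReminder\statusCode'  # placeholder
)

# --- Begin: transcript, module check, staging table ---
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir ('run_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date)))
try {
    Import-Module ActiveDirectory -ErrorAction Stop   # throws, so the catch writes status 1

    $staging = New-Object System.Data.DataTable
    foreach ($col in 'SamAccountName', 'UserEmail', 'ManagerEmail', 'ExpiresOn', 'DaysLeft') {
        [void]$staging.Columns.Add($col)
    }

    # --- Process: collect users expiring inside the window, then one mail per manager ---
    $today    = (Get-Date).Date
    $expiring = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $TimeSpan) -UsersOnly |
        Get-ADUser -Properties EmailAddress, Manager, AccountExpirationDate

    foreach ($u in $expiring) {
        if (-not $u.Manager) { Write-Warning "$($u.SamAccountName): no manager set, skipping"; continue }
        $mgr = Get-ADUser -Identity $u.Manager -Properties EmailAddress   # Manager is a DN
        if (-not $mgr.EmailAddress) { Write-Warning "$($u.SamAccountName): manager has no mail, skipping"; continue }
        $daysLeft = [int]($u.AccountExpirationDate.Date - $today).TotalDays
        [void]$staging.Rows.Add($u.SamAccountName, $u.EmailAddress, $mgr.EmailAddress,
            $u.AccountExpirationDate.ToString('yyyy-MM-dd'), $daysLeft)
    }

    $managers = $staging | Select-Object -ExpandProperty ManagerEmail -Unique
    foreach ($m in $managers) {
        # DataTable.Select() takes a filter expression; double any apostrophe so an
        # address such as o'brien@... can neither break nor alter the filter.
        $safe  = $m.Replace("'", "''")
        $rows  = @($staging.Select("ManagerEmail = '$safe'"))
        # ConvertTo-Html HTML-encodes cell values, so directory data cannot inject markup.
        $table = $rows | Select-Object SamAccountName, UserEmail, ExpiresOn, DaysLeft | ConvertTo-Html -Fragment
        $body  = @"
<html><body>
<p>The following accounts you manage expire within $TimeSpan days:</p>
$table
<p>Contact $From if an extension is required.</p>
</body></html>
"@
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $m -BodyAsHtml -Body $body `
            -Subject "Account expiry reminder: $($rows.Count) account(s)"
    }
    Set-Content -Path $StatusFile -Value '0'
}
catch {
    Write-Error $_
    Set-Content -Path $StatusFile -Value '1'
}
finally {
    # --- End: prune this script's logs older than 7 days, stop the transcript ---
    Get-ChildItem -Path $LogDir -Filter 'run_*.log' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) } |
        Remove-Item -Force
    Stop-Transcript
}
```

Run it as `.\Reminder.ps1 -TimeSpan 14` from the scheduled task. Users without a manager or whose manager has no mail address are logged in the transcript rather than silently dropped, which is the gap an operator most often needs to see when a reminder "never arrived".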
Please ⭐star this repository if it is helpful. Constructive feedback is always welcome, as are pull requests. Feel free to open an issue on the repository if needed or message me on Signal.