PowerShell Password expiration notification script

Tell me how to implement the process. There is an OU with accounts, for which you need to make a selection of accounts whose password has not been changed for more than a year, and send an email to the manager of each account. At the moment, I have only implemented a selection of user accounts whose password has not been changed for more than a year:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $true} -SearchBase "OU=SС,DC=domain,DC=com" -Properties Manager, PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-365)} | select Name,SamAccountName,PasswordLastSet, Manager

But how do I take the account manager and send a report with the name and password period to the manager?

The Manager property for an ADUser can be either not set, or else it will contain the DistinguishedName of the manager.

This means that if you need more properties from that manager, like the EmailAddress, you need to perform another Get-ADUser to obtain these properties.

You can collect all you need in an array of PSCustomObjects with just one ForEach-Object loop and after that all that is needed is to group on the manager's email address and start sending out nicely formatted mails.

Something like:

$refDate = (Get-Date).AddDays(-365).Date  # set to midnight
$filter  = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'True'"
$users   = Get-ADUser -Filter $filter -SearchBase "OU=SС,DC=domain,DC=com" -Properties EmailAddress, Manager, PasswordLastSet | 
    Where-Object {$_.PasswordLastSet -lt $refDate} | 
    ForEach-Object {
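        # get the Manager details we need; Manager can be empty and -Identity rejects $null,
        # which would otherwise leave the previous user's manager in $manager
        $manager = if ($_.Manager) { Get-ADUser -Identity $_.Manager -Properties EmailAddress }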
        $_ | Select-Object Name,SamAccountName,PasswordLastSet, EmailAddress,
                            @{Name = 'ManagerName'; Expression = {$manager.Name}},
                            @{Name = 'ManagerEmail'; Expression = {$manager.EmailAddress}}
    }

# you now have an array of user objects with properties you need to create the email(s)

# create a Here-String with the wanted style for the email
$style = @"
<style>
    body, table {font-family: sans-serif; font-size: 10pt; color: #000000;}
    table {border: 1px solid black; border-collapse: collapse;}
    th {border: 1px solid black; background: #dddddd; padding: 3px;}
    td {border: 1px solid black; padding: 3px;}
</style>
"@

# create a Here-String template to use for mailing the managers
# this uses 3 placeholders to fill in (style, manager name, and the table of expiring user accounts)
$mailTemplate = @"
<html><head>{0}</head><body>
Dear {1},<br /><br />
The below users have not changed their password for more than a year.<br />
{2}
<br />
As their manager, please tell them to do so within the next 14 days.  
<br /><br />
Thank you.
</body></html>
"@

# first filter out the users that do have a manager and group by the 'ManagerEmail' property
$users | Where-Object { ![string]::IsNullOrWhiteSpace($_.ManagerEmail) } | Group-Object -Property ManagerEmail | ForEach-Object {
    $mgrName  = $_.Group[0].ManagerName
    $mgrEmail = $_.Name  # the Group's Name is what we grouped on == ManagerEmail. Can also use $_.Group[0].ManagerEmail

    # select the user properties from the group, and convert it into a nice HTML table
    $table = ($_.Group | Select-Object * -ExcludeProperty 'Manager*' | ConvertTo-Html -As Table -Fragment) -join [environment]::NewLine
    # create a Hashtable for splatting the parameters to the Send-MailMessage cmdlet
    $mailParams = @{
        To         = $mgrEmail
        From       = 'IT@yourdomain.com'
        Subject    = 'Users that have not changed their password for more than a year'
        Body       = $mailTemplate -f $style, $mgrName, $table  # fill in the placeholders of the mail template
        BodyAsHtml = $true
        Priority   = 'High'
        SmtpServer = 'smtp.yourdomain.com'
        # more parameters go here
    }
    # send this manager an email with a table of users that report to him/her
    Send-MailMessage @mailParams
}

# next filter out users that have no manager listed and display that list for you to take action on
$noManager = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.ManagerEmail) })

if ($noManager.Count) {
    # output on screen
    Write-Host "These users have no manager.."
    $noManager | Format-Table -AutoSize

    # if you like, save to CSV file
    $noManager | Export-Csv -Path 'Path\To\UsersWithoutManager.csv' -NoTypeInformation
}
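
The selection and routing logic from the answer above can be dry-run offline before any mail is sent. This is an added example, not part of the original answer: the sample accounts, the manager lookup table, the function name `Get-StalePasswordReport` and the `UNROUTED` label are all constructed for illustration. It separates accounts whose password was never set from stale ones, and flags accounts with no manager or a manager without a mail address.

```powershell
# Constructed sample data standing in for Get-ADUser output (not real accounts).
$now = Get-Date
$ann = 'CN=Ann Lee,OU=Staff,DC=example,DC=test'
$bob = 'CN=Bob Roy,OU=Staff,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = $now.AddDays(-800); Manager = $ann }
    [pscustomobject]@{ SamAccountName = 'svc-print';  PasswordLastSet = $null;              Manager = $ann }
    [pscustomobject]@{ SamAccountName = 'svc-web';    PasswordLastSet = $now.AddDays(-30);  Manager = $bob }
    [pscustomobject]@{ SamAccountName = 'svc-old';    PasswordLastSet = $now.AddDays(-400); Manager = $null }
    [pscustomobject]@{ SamAccountName = 'svc-sql';    PasswordLastSet = $now.AddDays(-500); Manager = $bob }
)
# Constructed manager lookup (DistinguishedName -> mail); Bob has no mail attribute.
$managers = @{ $ann = 'ann.lee@example.test'; $bob = $null }

function Get-StalePasswordReport {
    param(
        [object[]]$Users,
        [hashtable]$ManagerMail,
        [int]$MaxAgeDays = 365,
        [datetime]$Now = (Get-Date)
    )
    $refDate = $Now.AddDays(-$MaxAgeDays).Date
    foreach ($u in $Users) {
        # "$null -lt <date>" is $true in PowerShell, so a never-set password would
        # silently count as stale; label it explicitly instead.
        if ($null -eq $u.PasswordLastSet)        { $status = 'NeverSet' }
        elseif ($u.PasswordLastSet -lt $refDate) { $status = 'Stale' }
        else                                     { continue }

        # Only look up a manager when the attribute is populated.
        $mail = if ($u.Manager) { $ManagerMail[$u.Manager] }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Status         = $status
            AgeDays        = if ($u.PasswordLastSet) { [int]($Now - $u.PasswordLastSet).TotalDays }
            Route          = if ($mail) { $mail } else { 'UNROUTED' }
        }
    }
}

# Show who would receive which accounts, without sending anything.
$report = Get-StalePasswordReport -Users $sample -ManagerMail $managers -Now $now
$report | Group-Object -Property Route | ForEach-Object {
    '{0}: {1}' -f $_.Name, ($_.Group.SamAccountName -join ', ')
}
```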
