Notifying Managers of Expiring Accounts

This is a nifty script I had to build. The requirement was for a manager to be notified of all accounts that were expiring, so they could reply with an approval to extend or an instruction to remove those accounts. This PowerShell script uses HTML in the email body to send a nicely formatted email.

I’ve also included a generic check for staff without a manager ID set.

I am aware that the HTML got stripped out of the page by WordPress, so here is the source file:
ManagerScriptSource



# Account Expiration Email to Managers
# Created By: Greg Van Den Ham      Last Edited:  4-15-2014 GV
# Script tasks:
# Notify Managers of 7 day Expiration on users with expiration tag (ie.contractors)
# Group all users expiring with manager in one email
# Ignore accounts in OU \Accounts\Disabled Accounts
# Send Daily Report to Someone

# Import the AD module and declare some variables
Import-Module ActiveDirectory

$EmailFromAddress = 'servicedesk@domain.com'
$EmailToAddress = 'servicedesk@domain.com'
$EmailServer = 'emailserver.domain.com'
$EmailSubject = 'Account Extension List'

#
#Function to get last login time of user
#
# lastLogon is not replicated between domain controllers, so every DC is
# queried in turn and the most recent value is kept.
function Get-ADUserLastLogon([string]$userName)
{
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $time = 0
  foreach($dc in $dcs)
  {
    $hostname = $dc.HostName
    # Ask this specific DC; without -Server every iteration would read the same DC
    $user = Get-ADUser $userName -Server $hostname -Properties lastLogon
    if($user.lastLogon -gt $time)
    {
      $time = $user.lastLogon
    }
  }
  $dt = [DateTime]::FromFileTime($time)
  #Write-Host $username "last logged on at:" $dt
  return $dt
}

# Find all managers and check each manager's employees for expiration
Get-ADUser -Filter * -Properties DirectReports,EmailAddress | Where-Object { $_.DistinguishedName -notlike '*OU=Disabled Accounts*' } | ForEach {

    $body = @()
    $htmlbody = @()
    $finalhtmlbody = @()
    $tablebits = @()

    If ($_.DirectReports) {

        #Debug
        #Write-host "In if user has direct reports - lookup next"
        #End Debug

        $managerEmailAddress = $_.EmailAddress

        #Debug
        #Write-host "Manager is : $managerEmailAddress"
        #End Debug

        $_.DirectReports | ForEach {

            #Debug
            #Write-host "direct report : $_"
            #End Debug

            $userDetails = Get-ADUser $_ -Properties AccountExpirationDate | Where-Object { $_.DistinguishedName -notlike '*OU=Disabled Accounts,*' }

            #Debug
            #$ExpirationDateDebug=(Get-ADUser $_ -Properties 'AccountExpirationDate').AccountExpirationDate
            #Write-host "Expiration lookup complete, date is : $ExpirationDateDebug"
            #End Debug

            If ( $userDetails.AccountExpirationDate ) {

                #Debug
                #Write-host "In if user has expiration date set"
                #End Debug

                # Debug
                #   Set AddDays to 30 instead of 8 to guarantee debug test results
                # End Debug

                If ( $userDetails.AccountExpirationDate -lt (Get-Date).AddDays(8) ) {

                    $sendEmail = $true
                    #Get Last Logon date
                    $lastloggedon = Get-ADUserLastLogon -UserName $userDetails.SamAccountName

                    #Debug
                    #Write-host "In if accountexpiration less than get-date + 8"
                    #Write-host "Direct Reports : $userDetails.DirectReports"
                    #Write-host "userdetails : $userDetails.Name $userDetails.LastName"
                    #Write-host "ExpirationDate : $userDetails.AccountExpirationDate"
                    #End Debug

                    # One table row per expiring account. The HTML tags in this block
                    # were stripped by WordPress in the posted copy and are reconstructed here.
                    $tablebits += '<tr><td>'
                    $tablebits += $userDetails.SamAccountName
                    $tablebits += "</td><td>"
                    $tablebits += $userDetails.Name
                    $tablebits += "</td><td>"
                    $tablebits += $userDetails.AccountExpirationDate
                    $tablebits += "</td><td>"
                    $tablebits += $lastloggedon
                    #Add Blank Table Cell for Expiration Extension
                    $tablebits += "</td><td></td></tr>"

                    $body += $tablebits
                    $tablebits = @()

                }
            }

        }
        # Debug
        #Write-host "Sendemail : $sendEmail"
        #Write-host "Body of email : $body"
        # End Debug
    }

    If ($sendEmail) {

        $style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
        $style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
        $style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
        $style = $style + "TD{border: 1px solid black; padding: 5px; }"
        $style = $style + "</style>"

        # Table header; the HTML tags here were also stripped in the posted copy
        $tablestart = "<table>"
        $tablestart += "<tr>"
        $tablestart += "<th>Username</th>"
        $tablestart += "<th>Full Name</th>"
        $tablestart += "<th>Account Expiration Date</th>"
        $tablestart += "<th>Last Logon</th>"
        $tablestart += "<th>Extend?</th>"
        $tablestart += "</tr>"

        $tableend = "</table>"

        # $htmlbody becomes a string here; appending the $body array joins its
        # fragments with a space, which is harmless inside the HTML
        $htmlbody = "<html>"
        $htmlbody += "<head>"
        #$htmlbody += $style
        $htmlbody += "</head>"
        $htmlbody += "<body>"
        $htmlbody += "<h3>Notice - Your Staff Account(s) Are Expiring</h3>"
        $htmlbody += "<p>The following contractor account(s) will expire in one week or have already expired. Please reply or forward this email to servicedesk@domain.com.</p>"
        $htmlbody += "<p>For each Account indicate Yes to extend or No to remove access from each account.</p>"
        $htmlbody += "<p>If there is just one Account listed, you may reply with just a Yes or No to this email.</p>"
        $htmlbody += $tablestart
        $htmlbody += $body
        $htmlbody += $tableend
        $htmlbody += '<p>If you are not extending an account, please remember to notify HR at hrmailbox.domain.com and return Corporate IT assets (Laptop, hotspot, Mobile, etc) to the ServiceDesk as soon as possible.</p>'
        $htmlbody += "<p>Note that for security reasons, all accounts are set to expire every 30 days.</p>"
        $htmlbody += "<p>Thank you,<br>Corporate IT Service Desk</p>"
        $htmlbody += "<p><b>Corporate IT ServiceDesk</b><br>"
        $htmlbody += "123 My Road Rd  |  City, IL 60540  |  +1 312 213 1234  |  servicedesk@domain.com</p>"
        $htmlbody += "</body>"
        $htmlbody += "</html>"
        $finalhtmlbody = $htmlbody

        #Debug
        #Write-Host "Manager Email Address : $managerEmailAddress"
        #Write-host "Final html body : $htmlbody"
        #Write-host "--------Next Line ----------"
        #End Debug

        #Debug
        # NOTE TO ADDRESS SET FOR TESTING - SHOULD NORMALLY BE - $managerEmailAddress
        #End Debug

        Send-MailMessage -From $EmailFromAddress -To $managerEmailAddress -Subject $EmailSubject -Body $finalhtmlbody -BodyAsHtml -SmtpServer $EmailServer
    }

    $sendEmail = $false
}

# Generic check for users with no manager
$bodyNM = @()
Get-ADUser -Filter * -Properties AccountExpirationDate,Manager | Where-Object { $_.DistinguishedName -notlike '*OU=Disabled Accounts*' } | ForEach {
    If ( !$_.Manager ) {
        If ( $_.AccountExpirationDate ) {
            If ( $_.AccountExpirationDate -lt (Get-Date).AddDays(8) ) {
                $sendEmailNM = $true
                $propsNM = @{
                    Username = $_.SamAccountName
                    'Account Expiration Date' = $_.AccountExpirationDate
                }
                $bodyNM += New-Object PsObject -Property $propsNM
            }
        }
    }
}

If ($sendEmailNM) {
    $bodyNM = $bodyNM | Out-String
    Send-MailMessage -From $EmailFromAddress -To $EmailToAddress -Subject $EmailSubject -Body "The following contractor account(s) will expire in one week and no manager is set for the account. `r`n`r`n `r`n`r`n $bodyNM" -SmtpServer $EmailServer
}
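One thing worth tightening in a script like this: the table cells are built by concatenating AD attribute values (display name, username, dates) straight into HTML, and display names are editable data, so a value containing "<", ">" or "&" will break the table or render as markup in the manager's mail client. The block below is an added example, not code from the original post. It builds the same five-column table with every cell passed through HtmlEncode, keeps the 8-day expiry window in one function, and groups the results by manager DN, with the empty-DN group standing in for the "no manager set" list. The function names and the sample records are this example's own assumptions; in production the records would come from Get-ADUser.

```powershell
# Added example (not from the original post). Rebuilds the manager notice table
# with HTML-encoded cells and a single expiry filter. Sample data is constructed.

function ConvertTo-HtmlCell {
    # One <td> whose text is HTML-encoded, so '<', '>', '&' and quotes inside an
    # AD attribute render as literal text instead of markup.
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return '<td></td>' }
    $text = if ($Value -is [DateTime]) { $Value.ToString('yyyy-MM-dd HH:mm') } else { [string]$Value }
    return '<td>' + [System.Net.WebUtility]::HtmlEncode($text) + '</td>'
}

function New-ExpiringAccountTable {
    # Same five columns as the post's table; the last cell stays blank for the
    # manager's Yes/No answer.
    param([Parameter(Mandatory)][object[]]$Accounts)
    $header = '<tr><th>Username</th><th>Full Name</th><th>Account Expiration Date</th><th>Last Logon</th><th>Extend?</th></tr>'
    $rows = foreach ($a in $Accounts) {
        '<tr>' + (ConvertTo-HtmlCell $a.SamAccountName) + (ConvertTo-HtmlCell $a.Name) +
        (ConvertTo-HtmlCell $a.AccountExpirationDate) + (ConvertTo-HtmlCell $a.LastLogon) + '<td></td></tr>'
    }
    return '<table>' + $header + (-join $rows) + '</table>'
}

function Select-ExpiringAccount {
    # The post's window: an expiration date is set and is earlier than now + 8 days.
    # Already-expired accounts pass the filter on purpose, as in the post.
    param([object[]]$Accounts, [DateTime]$Now = (Get-Date), [int]$Days = 8)
    $Accounts | Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $Now.AddDays($Days) }
}

# Constructed sample records shaped like Get-ADUser output (assumed field names).
# The second display name is deliberately hostile to show the encoding at work.
$now = Get-Date
$mgr = 'CN=Mgr One,OU=Staff,DC=domain,DC=com'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Name = 'Jane Doe';              AccountExpirationDate = $now.AddDays(3);  LastLogon = $now.AddDays(-1); Manager = $mgr }
    [pscustomobject]@{ SamAccountName = 'bsmith'; Name = 'Bob <b>Smith</b> & Co'; AccountExpirationDate = $now.AddDays(-2); LastLogon = $null;            Manager = $mgr }
    [pscustomobject]@{ SamAccountName = 'cjones'; Name = 'Cy Jones';              AccountExpirationDate = $now.AddDays(5);  LastLogon = $now;             Manager = '' }
    [pscustomobject]@{ SamAccountName = 'dlee';   Name = 'Dee Lee';               AccountExpirationDate = $now.AddDays(40); LastLogon = $now;             Manager = $mgr }
)

# Group the expiring accounts by manager DN. The empty-DN group is the
# "no manager set" list that the post routes to the service desk instead.
Select-ExpiringAccount -Accounts $sample | Group-Object -Property Manager | ForEach-Object {
    $recipient = if ($_.Name) { $_.Name } else { 'servicedesk (no manager set)' }
    $html = New-ExpiringAccountTable -Accounts $_.Group
    # Printed instead of calling Send-MailMessage so the example runs offline;
    # in production $html would be the -Body of a -BodyAsHtml message.
    "To: $recipient"
    $html
    ''
}
```

Running this prints two messages: one for the manager DN containing jdoe and bsmith (the latter rendered as "Bob &lt;b&gt;Smith&lt;/b&gt; &amp; Co"), and one for the no-manager list containing cjones; dlee is 40 days out and is not selected.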

