# Account Expiration Email to Managers
# Created By: Greg Van Den Ham Last Edited: 4-15-2014 GV
# Script tasks:
# Notify managers 7 days before expiration for users that have an expiration date set (i.e. contractors)
# Group all users expiring with manager in one email
# Ignore accounts in OU \Accounts\Disabled Accounts
# Send Daily Report to Someone
# Import the AD module and declare some variables
Import-Module ActiveDirectory
# Mail settings shared by the per-manager notices and the no-manager report.
$EmailServer      = 'emailserver.domain.com'   # SMTP host handed to Send-MailMessage
$EmailSubject     = 'Account Extension List'   # same subject line for both kinds of mail
$EmailFromAddress = 'servicedesk@domain.com'   # sender shown to managers
$EmailToAddress   = 'servicedesk@domain.com'   # recipient of the no-manager report
#
#Function to get last login time of user
#
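function Get-ADUserLastLogon([string]$userName)
{
    <#
    .SYNOPSIS
    Returns the most recent lastLogon value recorded for a user on any domain controller.
    .PARAMETER userName
    Identity of the account, passed straight to Get-ADUser.
    .OUTPUTS
    System.DateTime. When no controller reports a value above 0 the result is
    [DateTime]::FromFileTime(0), i.e. the start of the FILETIME epoch.
    #>
    $latest = 0
    foreach ($dc in (Get-ADDomainController -Filter {Name -like "*"}))
    {
        # lastLogon is stored per domain controller and is not replicated, so the
        # query has to be directed at each controller in turn. Without -Server
        # every pass of the loop asked the same default controller again.
        $hostname = $dc.HostName
        $user = Get-ADUser $userName -Server $hostname -Properties lastLogon
        if ($user.LastLogon -gt $latest)
        {
            $latest = $user.LastLogon
        }
    }
    # lastLogon is a FILETIME integer; convert it to a local DateTime for display.
    return [DateTime]::FromFileTime($latest)
}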
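# Encodes a directory value for use as text inside the HTML mail body.
function ConvertTo-HtmlText([string]$text)
{
    # '&' is replaced first so the entities produced afterwards are not encoded twice.
    return $text -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
}

# For every enabled-OU account that has direct reports, collect the reports whose
# account expires before "now + 8 days" (already expired accounts match as well,
# because only an upper bound is tested) and send the manager one mail listing them.
#
# NOTE(review): the message is sent with -BodyAsHtml, yet the string literals below
# carry no HTML tags and $style is never appended. The markup may have been lost
# when this listing was published - confirm against the deployed script.
# NOTE(review): extension decisions come back as plain mail replies; confirm the
# service desk verifies the sender before extending an account.
Get-ADUser -Filter * -Properties DirectReports,EmailAddress | Where-Object { $_.DistinguishedName -notlike '*OU=Disabled Accounts*' } | ForEach-Object {
    # Per-manager state, reset on every pass so one manager's rows and send flag
    # can never carry over into the next manager's mail.
    $body = @()
    $htmlbody = @()
    $finalhtmlbody = @()
    $tablebits = @()
    $sendEmail = $false
    If ($_.DirectReports) {
        $managerEmailAddress = $_.EmailAddress
        $managerAccount = $_.SamAccountName
        $_.DirectReports | ForEach-Object {
            # Reports located under the Disabled Accounts OU are filtered out here,
            # which leaves $userDetails empty and skips the checks below.
            $userDetails = Get-ADUser $_ -Properties AccountExpirationDate | Where-Object { $_.DistinguishedName -notlike '*OU=Disabled Accounts,*' }
            If ( $userDetails.AccountExpirationDate ) {
                # Set AddDays to 30 instead of 8 to guarantee results when testing.
                If ( $userDetails.AccountExpirationDate -lt (Get-Date).AddDays(8) ) {
                    $sendEmail = $true
                    $lastloggedon = Get-ADUserLastLogon -UserName $userDetails.SamAccountName
                    # One table row per expiring account. Account name and display
                    # name come from the directory and end up in an HTML body, so
                    # they are encoded before being added.
                    $tablebits += '
'
                    $tablebits += ConvertTo-HtmlText $userDetails.SamAccountName
                    $tablebits += " | "
                    $tablebits += ConvertTo-HtmlText $userDetails.Name
                    $tablebits += " | "
                    $tablebits += $userDetails.AccountExpirationDate
                    $tablebits += " | "
                    $tablebits += $lastloggedon
                    # Blank cell for the manager's extend / do-not-extend answer.
                    $tablebits += " | |
"
                    $body += $tablebits
                    $tablebits = @()
                }
            }
        }
    }
    If ($sendEmail) {
        # Style sheet text; built but currently not added to the body.
        $style = "< style>BODY{font-family: Arial; font-size: 10pt;}"
        $style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
        $style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
        $style = $style + "TD{border: 1px solid black; padding: 5px; }"
        $style = $style + "< /style>"
        $tablestart = ""
        $tablestart += "Username"
        $tablestart += " | Full Name"
        $tablestart += " | Account Expiration Date"
        $tablestart += " | Last Logon"
        $tablestart += " | Extend? |
"
        $tableend = "
"
        $htmlbody = ""
        $htmlbody += ""
        #$htmlbody += $style
        $htmlbody += " "
        # The reply address in the text previously read "sevicedesk@domain.com";
        # it now matches the service desk address used everywhere else in the script.
        $htmlbody += "Notice - Your Staff Account(s) Are Expiring
The following contractor account(s) will expire in one week or have already expired. Please reply or forward this email to servicedesk@domain.com.
For each Account indicate Yes to extend or No to remove access from each account.
If there is just one Account listed, you may reply with just a Yes or No to this email.
"
        $htmlbody += $tablestart
        $htmlbody += $body
        $htmlbody += $tableend
        $htmlbody += 'If you are not extending a account, please remember to notify HR at hrmailbox.domain.com and return Corporate IT assets (Laptop,hotspot, Mobile, etc) to the ServiceDesk as soon as possible.
'
        $htmlbody += "Note that for security reasons, all accounts are set to expire every 30 days.
"
        $htmlbody += "Thank you,
Corporate IT Service Desk
"
        $htmlbody += "Corporate IT ServiceDesk "
        $htmlbody += "
"
        $htmlbody += "123 My Road Rd | City, IL "
        $htmlbody += "60540 | +1 312 213 1234 | servicedesk@domain.com"
        $htmlbody += "
"
        $htmlbody += ""
        $finalhtmlbody = $htmlbody
        # A manager without a mail address used to make Send-MailMessage fail, so
        # the expiring accounts were reported to nobody. Route the notice to the
        # service desk address instead and leave a warning in the run output.
        $mailTo = $managerEmailAddress
        If (-not $mailTo) {
            Write-Warning "Manager '$managerAccount' has no EmailAddress; sending the expiration notice to $EmailToAddress instead."
            $mailTo = $EmailToAddress
        }
        # No -UseSsl or -Credential is passed, so the SMTP host must accept
        # unauthenticated submission from the machine running this script.
        Send-MailMessage -From $EmailFromAddress -To $mailTo -Subject $EmailSubject -Body $finalhtmlbody -BodyAsHtml -SmtpServer $EmailServer
    }
}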
# Accounts with no manager set: gather those expiring before "now + 8 days"
# (outside the Disabled Accounts OU) and report them to the service desk address.
$bodyNM = @()
Get-ADUser -Filter * -Properties AccountExpirationDate,Manager |
    Where-Object {
        ($_.DistinguishedName -notlike '*OU=Disabled Accounts*') -and
        (-not $_.Manager) -and
        $_.AccountExpirationDate -and
        ($_.AccountExpirationDate -lt (Get-Date).AddDays(8))
    } |
    ForEach-Object {
        # At least one account qualified, so the report has to go out.
        $sendEmailNM = $true
        $bodyNM += New-Object PsObject -Property @{
            Username=$_.SamAccountName
            'Account Expiration Date'=$_.AccountExpirationDate
        }
    }

If ($sendEmailNM) {
    # Render the collected objects as the default text table for a plain-text mail.
    $bodyNM = $bodyNM | Out-String
    $reportMail = @{
        From       = $EmailFromAddress
        To         = $EmailToAddress
        Subject    = $EmailSubject
        Body       = "The following contractor account(s) will expire in one week and no manager is set for the account. `r`n`r`n `r`n`r`n $bodyNM"
        SmtpServer = $EmailServer
    }
    Send-MailMessage @reportMail
}