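# Account Expiration Email to Managers
# Created By: Greg Van Den Ham   Last Edited: 4-15-2014 GV
#
# Script tasks:
#   - Notify Managers of 7 day Expiration on users with expiration tag (ie. contractors)
#   - Group all users expiring with manager in one email
#   - Ignore accounts in OU \Accounts\Disabled Accounts
#   - Send Daily Report to Someone (accounts that expire but have no manager set)
#
# Requires the ActiveDirectory module and an SMTP relay that accepts mail from
# this host.  Mail is handed to the relay the way Send-MailMessage does by
# default (no authentication, no TLS); add -UseSsl / -Credential if the relay
# supports them.
#
# NOTE(review): the HTML tags of the mail template appear to have been stripped
# from the copy of this script that was reviewed.  The table skeleton below was
# rebuilt from the column layout; the heading/paragraph markup of the text
# blocks could not be recovered and should be checked against the original.

# Import the AD module and declare some variables
Import-Module ActiveDirectory

$EmailFromAddress = 'servicedesk@domain.com'
$EmailToAddress   = 'servicedesk@domain.com'   # receives the "no manager" report
$EmailServer      = 'emailserver.domain.com'
$EmailSubject     = 'Account Extension List'

# Accounts whose AccountExpirationDate is earlier than now + this many days are
# reported.  The original compared against (Get-Date).AddDays(8), i.e. the
# "7 day" warning plus today; kept as a named value instead of a magic number.
$ExpirationWindowDays = 8
# Accounts anywhere under this OU are ignored by every query below.  The
# original used two slightly different patterns for the same OU; one pattern
# is used everywhere now.
$DisabledOuPattern = '*OU=Disabled Accounts*'
# One cut-off for the whole run so every account is judged against the same time.
$reportBefore = (Get-Date).AddDays($ExpirationWindowDays)

#
# Function to get last login time of user
#
# lastLogon is stored per domain controller and is not replicated, so every DC
# is asked and the newest value wins.
# Arguments: $userName - SamAccountName of the user
# Returns:   [DateTime] of the most recent logon; FromFileTime(0) (year 1601)
#            when no DC reports a logon for the user.
function Get-ADUserLastLogon([string]$userName) {
    $dcs  = Get-ADDomainController -Filter { Name -like "*" }
    $time = 0
    foreach ($dc in $dcs) {
        $hostname = $dc.HostName
        try {
            # -Server is what makes the loop meaningful: the original never used
            # $hostname, so every iteration queried the default DC and the other
            # DCs' lastLogon values were never seen.
            $user = Get-ADUser -Identity $userName -Server $hostname -Properties lastLogon -ErrorAction Stop
        } catch {
            # An unreachable DC should not abort the whole report; the value
            # from the remaining DCs is still the best information available.
            Write-Warning "Could not read lastLogon for $userName from $hostname : $_"
            continue
        }
        if ($user.lastLogon -gt $time) {
            $time = $user.lastLogon
        }
    }
    return [DateTime]::FromFileTime($time)
}

#
# Function to make a value safe for the HTML mail body
#
# Account names and display names come from AD and may contain characters that
# are significant in HTML; encode them instead of pasting them in raw.
# Arguments: $value - any value; $null becomes an empty string
# Returns:   [string] with & < > " replaced by their entities
function ConvertTo-HtmlText($value) {
    if ($null -eq $value) { return '' }
    $text = [string]$value
    return $text.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;').Replace('"', '&quot;')
}

# Mail template pieces shared by every manager mail.
$style  = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style += "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style += "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style += "TD{border: 1px solid black; padding: 5px; }"
$style += "</style>"

$tablestart  = '<table><tr>'
$tablestart += '<th>Username</th>'
$tablestart += '<th>Full Name</th>'
$tablestart += '<th>Account Expiration Date</th>'
$tablestart += '<th>Last Logon</th>'
$tablestart += '<th>Extend?</th></tr>'
$tableend    = '</table>'

# The reply address is the same mailbox the mail is sent from (the original
# hard-coded a misspelled copy of it).
$htmlIntro = @"
<html><body>

Notice - Your Staff Account(s) Are Expiring


The following contractor account(s) will expire in one week or have already expired. Please reply or forward this email to $($EmailFromAddress).

For each Account indicate Yes to extend or No to remove access from each account.

If there is just one Account listed, you may reply with just a Yes or No to this email.


"@

$htmlOutro = @'
If you are not extending a account, please remember to notify HR at hrmailbox.domain.com and return Corporate IT assets (Laptop,hotspot, Mobile, etc) to the ServiceDesk as soon as possible.

Note that for security reasons, all accounts are set to expire every 30 days.

Thank you,

Corporate IT Service Desk




Corporate IT ServiceDesk 
123 My Road Rd  |  City, IL 60540  |  +1 312 213 1234  |  servicedesk@domain.com

</body></html>
'@

# Find all managers and check each manager's employees for expiration
Get-ADUser -Filter * -Properties DirectReports,EmailAddress |
    Where-Object { $_.DistinguishedName -notlike $DisabledOuPattern } |
    ForEach-Object {
        $manager = $_
        if (-not $manager.DirectReports) { return }     # not a manager; next user

        $managerEmailAddress = $manager.EmailAddress
        $body = @()                                     # one table row per expiring report

        foreach ($reportDn in $manager.DirectReports) {
            $userDetails = Get-ADUser -Identity $reportDn -Properties AccountExpirationDate |
                Where-Object { $_.DistinguishedName -notlike $DisabledOuPattern }
            # Skip when: filtered out (disabled-accounts OU), no expiration set,
            # or expiring later than the reporting window.
            if (-not $userDetails) { continue }
            if (-not $userDetails.AccountExpirationDate) { continue }
            if ($userDetails.AccountExpirationDate -ge $reportBefore) { continue }

            # Get Last Logon date
            $lastloggedon = Get-ADUserLastLogon -userName $userDetails.SamAccountName

            $tablebits  = '<tr><td>' + (ConvertTo-HtmlText $userDetails.SamAccountName) + '</td>'
            $tablebits += '<td>' + (ConvertTo-HtmlText $userDetails.Name) + '</td>'
            $tablebits += '<td>' + (ConvertTo-HtmlText $userDetails.AccountExpirationDate) + '</td>'
            $tablebits += '<td>' + (ConvertTo-HtmlText $lastloggedon) + '</td>'
            # Add Blank Table Row for Expiration Extension
            $tablebits += '<td></td></tr>'
            $body += $tablebits
        }

        if ($body.Count -eq 0) { return }               # nothing expiring for this manager

        $recipient = $managerEmailAddress
        if (-not $recipient) {
            # Send-MailMessage fails on an empty -To (the original errored here);
            # route the report to the service desk mailbox instead.
            Write-Warning "Manager $($manager.SamAccountName) has no EmailAddress; sending report to $EmailToAddress"
            $recipient = $EmailToAddress
        }

        $htmlbody  = $htmlIntro
        # $htmlbody += $style   # the stylesheet was disabled in the original; left as-is
        $htmlbody += $tablestart
        $htmlbody += ($body -join "`n")
        $htmlbody += $tableend
        $htmlbody += $htmlOutro

        Send-MailMessage -From $EmailFromAddress -To $recipient -Subject $EmailSubject `
            -Body $htmlbody -BodyAsHtml -SmtpServer $EmailServer
    }

# Generic check for users with no manager
# Collected through the pipeline so no variable has to be mutated from inside
# the ForEach-Object script block.
$bodyNM = @(
    Get-ADUser -Filter * -Properties AccountExpirationDate,Manager |
        Where-Object {
            $_.DistinguishedName -notlike $DisabledOuPattern -and
            -not $_.Manager -and
            $_.AccountExpirationDate -and
            $_.AccountExpirationDate -lt $reportBefore
        } |
        ForEach-Object {
            New-Object PsObject -Property @{
                Username                  = $_.SamAccountName
                'Account Expiration Date' = $_.AccountExpirationDate
            }
        }
)

if ($bodyNM.Count -gt 0) {
    # Plain-text report: Out-String renders the objects as a table.
    $bodyNM = $bodyNM | Out-String
    Send-MailMessage -From $EmailFromAddress -To $EmailToAddress -Subject $EmailSubject `
        -Body "The following contractor account(s) will expire in one week and no manager is set for the account. `r`n`r`n `r`n`r`n $bodyNM" `
        -SmtpServer $EmailServer
}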