So, I know that in Windows Server you can set a GPO that notifies "Windows users" x days before their password expires. My question is: what is the best/easiest way to notify other platforms? Right now we use something called "Password Self Service", but it has never worked properly and I want to get rid of it. It's more trouble than it's worth.
Any suggestions are welcome, thanks!
Answer 1
You can write a PowerShell script, run by a scheduled task on a domain controller, that finds all users whose passwords expire within a certain window and e-mails each of them a notification. The requirements for this solution are a sufficiently recent PowerShell version (2.0 or later is probably enough), an SMTP relay server somewhere, and the e-mail address field populated in AD for every user. The script must run with elevated privileges.
$from = "<[email protected]>"
$subject = "Your password on the domain example.com is expiring soon"
$smtpServer = "smtprelay.example.com"
$today = Get-Date

# An HTML-formatted e-mail body has been created and saved to a text file.
# Get-Content returns one array element per line of the file; Send-MailMessage
# needs a single string for -Body, so join the lines back together.
$body = (Get-Content -Path "C:\ScriptData\emailbody.txt") -join "`n"

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already
# takes fine-grained password policies into account. Its value is a Windows
# FILETIME (100-nanosecond ticks since 1 January 1601), so convert it with
# [DateTime]::FromFileTime rather than comparing raw ticks. (Passing the raw
# Int64 to Get-Date treats it as .NET ticks since 1 January 0001, which is why
# the original version of this script added 1600 years to it.)
# Select users whose password expires within the next seven days (the 8 below is
# an exclusive upper bound) and exclude passwords that have already expired.
$expiringUsers = Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
    -Properties "GivenName","SamAccountName","EmailAddress","msDS-UserPasswordExpiryTimeComputed" |
    Where-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # Int64.MaxValue means "never expires" (no maximum password age in the
        # effective policy); FromFileTime would throw on it, so skip such accounts.
        if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { return $false }
        $expiry = [DateTime]::FromFileTime($raw)
        ($expiry -lt $today.AddDays(8)) -and ($expiry -gt $today)
    }

foreach ($user in $expiringUsers) {
    $expiry = [DateTime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
    $timeRemaining = New-TimeSpan -Start $today -End $expiry
    $daystopassexpiry = $timeRemaining.Days

    # Replace what I'll call the constants in the e-mail body file with the values
    # retrieved from the user's AD object. This personalizes each e-mail.
    $newbody = $body -replace "--GIVENNAME--",$user.GivenName `
                     -replace "--USERNAME--",$user.SamAccountName `
                     -replace "--NUMBER OF DAYS--",$daystopassexpiry `
                     -replace "--EMAILADDRESS--",$user.EmailAddress

    Send-MailMessage -From $from -To $user.EmailAddress -Subject $subject -BodyAsHtml -Body $newbody -SmtpServer $smtpServer
    $newbody = $null
}
I recommend adding error trapping (try/catch), and if you do run this as a scheduled job I like to add logging with Start-Transcript so I can more easily work out what went wrong. I also recommend adding a -BCC to yourself on the Send-MailMessage cmdlet, so you can confirm the e-mails are actually being sent and are formatted correctly.
I created the e-mail body by carefully composing an e-mail that looked the way I wanted, with all the "constants" written into it, sending it to myself, then viewing the message source and copying it into a text file.
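As an added example (not code from the original answer), here is the same notification loop with the hardening the answer recommends folded in: a transcript log, per-user try/catch so one bad mailbox does not abort the whole run, a BCC copy to an admin mailbox, and -WhatIf support for a dry run before the first real send. It also HTML-encodes the AD values before substituting them into the HTML template and uses the literal String.Replace method instead of the -replace operator, because -replace treats its pattern as a regex and interprets "$" sequences in the replacement. The addresses, paths and parameter names are assumptions for illustration; it assumes the ActiveDirectory module and .NET 4.0 or later (for System.Net.WebUtility).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original answer. All addresses, paths and
# defaults below are placeholders chosen for illustration.
function Send-PasswordExpiryNotice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $DaysBefore = 7,
        [string] $From       = 'noreply@example.com',          # assumed sender
        [string] $Bcc        = 'helpdesk@example.com',         # assumed admin copy
        [string] $SmtpServer = 'smtprelay.example.com',        # assumed relay
        [string] $BodyPath   = 'C:\ScriptData\emailbody.txt',  # HTML template
        [string] $LogPath    = 'C:\ScriptData\PasswordExpiry.log'
    )

    # Transcript gives you a record of every warning below when the task runs
    # unattended. -WhatIf:$false so a dry run of this function still logs.
    Start-Transcript -Path $LogPath -Append -WhatIf:$false | Out-Null
    try {
        $now      = Get-Date
        $template = (Get-Content -Path $BodyPath -ErrorAction Stop) -join "`n"

        $adParams = @{
            Filter      = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
            Properties  = 'GivenName', 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed'
            ErrorAction = 'Stop'
        }
        foreach ($user in (Get-ADUser @adParams)) {
            $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
            # Int64.MaxValue = "does not expire" (no maximum age in the effective
            # policy); [DateTime]::FromFileTime would throw on it.
            if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { continue }
            $expiry = [DateTime]::FromFileTime($raw)          # FILETIME -> local time
            if ($expiry -le $now -or $expiry -gt $now.AddDays($DaysBefore)) { continue }

            if ([string]::IsNullOrWhiteSpace($user.EmailAddress)) {
                Write-Warning "$($user.SamAccountName) expires $expiry but has no EmailAddress in AD; skipped"
                continue
            }

            # Round up so "0.5 days left" reads as 1 day, not 0.
            $daysLeft = [int][Math]::Ceiling(($expiry - $now).TotalDays)

            # GivenName/EmailAddress come from a directory that helpdesk staff and
            # self-service tools write to; encode them before they land in HTML.
            $givenName = [System.Net.WebUtility]::HtmlEncode($user.GivenName)
            $email     = [System.Net.WebUtility]::HtmlEncode($user.EmailAddress)
            $body = $template.Replace('--GIVENNAME--', $givenName).
                              Replace('--USERNAME--', $user.SamAccountName).
                              Replace('--NUMBER OF DAYS--', [string]$daysLeft).
                              Replace('--EMAILADDRESS--', $email)

            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "send expiry notice ($daysLeft day(s) left)")) {
                $mail = @{
                    From        = $From
                    To          = $user.EmailAddress
                    Bcc         = $Bcc
                    Subject     = "Your password on the domain example.com expires in $daysLeft day(s)"
                    Body        = $body
                    BodyAsHtml  = $true
                    SmtpServer  = $SmtpServer
                    ErrorAction = 'Stop'
                }
                try {
                    Send-MailMessage @mail
                    Write-Verbose "Notified $($user.SamAccountName) ($daysLeft day(s) left)"
                }
                catch {
                    # Log and keep going; the transcript captures the full message.
                    Write-Warning "Failed to notify $($user.SamAccountName): $($_.Exception.Message)"
                }
            }
        }
    }
    finally {
        Stop-Transcript -ErrorAction SilentlyContinue | Out-Null
    }
}

# Dry run first: lists who would be mailed, sends nothing.
Send-PasswordExpiryNotice -DaysBefore 7 -WhatIf -Verbose
```

Run it once with -WhatIf from the account the scheduled task will use, check the transcript, then drop -WhatIf. One further caveat: Microsoft marks Send-MailMessage as obsolete in current PowerShell documentation because it cannot guarantee a secure connection to the relay, so keep the relay on the internal network or switch to a mail library that supports TLS.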