パスワードの有効期限とアカウントアクションに関するユーザーへの警告

みなさんこんにちは！
どういうわけか、1月1日に多くのユーザーがアカウントを失効させ、ブロックされるという状況に直面しました。 したがって、彼らは仕事をすることができませんでした、1日の朝に始まる電話の突風。 パスワードの有効期限切れとメールによるアカウントのアクションの前にユーザーに警告することが決定されました。 警告されたユーザーのリストのコピーを管理者に送信します。
猫の下での実装のスクリプト。

まず、Active Directory用のActiveRoles Management Shellをインストールする必要があります。

パスワード有効期限スクリプト

このスクリプトは、一般ユーザーのパスワードの有効期限が7日間、3日間、および有効期限切れになると警告します。 トップマネージャーは、有効期限の5日前に警告されます。

Add-PSSnapin Quest.ActiveRoles.ADManagement function send-eMail($to, $PasswordAge, $Days) { if ($PasswordAge -eq 0) { $subject = "    ." } else { $subject = "     $PasswordAge $Days." } write-host $to $PasswordAge $Enc = [Text.Encoding]::UTF8 Send-MailMessage -to $to ` -from "IT<it@domain.com>" ` -subject "! $subject" ` -body "<span style='font: 11pt serif;'> .<br/> $subject<br />   ,                .<br />          «<a href='http://portal/Pages/Instructions.aspx'></a>».<br />" ` -priority High ` -dno onFailure ` -smtpServer MAILSERVER ` -BodyAsHtm ` -Encoding $Enc } function send-eMail-log($log, $to, $subject) { $Enc = [Text.Encoding]::UTF8 $body = "<span style='font: 10pt tahoma;'>$log</span>" Send-MailMessage -to $to ` -from "IT<it@domain.com>" ` -subject $subject ` -body $body ` -smtpServer MAILSERVER ` -BodyAsHtm ` -Encoding $Enc } function get-dayCut($PasswordAge) { $Days = "" if ($PasswordAge -le 20 -and $PasswordAge -ge 5) { $Days = "" } if ($PasswordAge -le 4 -and $PasswordAge -ge 2) { $Days = "" } if ($PasswordAge -eq 1 -or $PasswordAge -eq 21) { $Days = "" } return $Days } #   45 : $PasswordAgeMax = (Get-QADObject (Get-QADRootDSE).defaultNamingContextDN).MaximumPasswordAge.days write-host " : "$PasswordAgeMax; $log = "" $logBoss = "" # -- 7, 3  0  --------------------------------------------------------------------------------------------- Get-QADUser -SizeLimit 0 | Where-Object {$_.AccountIsDisabled -eq $False} | Where-Object {$_.PasswordNeverExpires -eq $False} | % { $PasswordAge = $PasswordAgeMax - ($_.passwordage.days) - 1 $PasswordAge = [int]$PasswordAge if ($_.parentContainer -ne "domain/General/User") { if ($PasswordAge -eq 7 -or $PasswordAge -eq 3 -or $PasswordAge -eq 0) { $Days = get-dayCut $PasswordAge $addParam = $_.Title + ", " + $_.Department if (($_.mail).Length -gt 0) { send-eMail $_.mail $PasswordAge $Days $addParam = $addParam + ", " + $_.mail } if ($PasswordAge -le 1) { $log = $log + "<span style='color:red;'>" + $_.DisplayName + ", " + $PasswordAge + " (" + $addParam + ")</span><br />" } else { $log = $log + $_.DisplayName + ", " + $PasswordAge + " (" + $addParam + ")<br />" } } } else { $Days = get-dayCut $PasswordAge; write-host $_.DisplayName": "$PasswordAge; if ($PasswordAge -le 5 -and $PasswordAge -ge 0) { send-eMail $_.mail $PasswordAge $Days } if ($PasswordAge -le 0) { $logBoss = $logBoss + $_.DisplayName + ",    (" + $_.mail + ", " + $_.telephoneNumber + ")<br />" } elseif ($PasswordAge -le 5 -and $PasswordAge -gt 0) { $logBoss = $logBoss + $_.DisplayName + ",    " + $PasswordAge + " " + $Days + " (" + $_.mail + ", " + $_.telephoneNumber + ")<br />" } } } if ($log.Length -gt 0) { send-eMail-log $log "IT<it@domain.com>" "  " } if ($logBoss.Length -gt 0) { "admin1", "admin2", "admin3" | % {send-eMail-log $logBoss "$_@domain.com" "    "} } 

アカウント有効期限スクリプト

スクリプトは、30、20、14、7、5日間のアカウントの有効期限についてユーザーに警告します。

 Add-PSSnapin Quest.ActiveRoles.ADManagement function send-eMail($to,$lsDayCount) { write-host $to $lsDayCount; $Enc = [Text.Encoding]::UTF8 Send-MailMessage -to $to ` -from "IT<it@domain.com>" ` -subject "!      $lsDayCount " ` -body "<span style='font: 12pt serif;'> .<br/>        $lsDayCount .</span>" ` -priority High ` -dno onFailure ` -smtpServer MAILSERVER ` -BodyAsHtm ` -Encoding $Enc } function send-eMail-log($log, $to, $subject) { $Enc = [Text.Encoding]::UTF8 $body = "<span style='font: 10pt tahoma;'>" + $log + "</span>" #-Cc "admin1@domain.com" ` Send-MailMessage -to $to ` -from "it@domain.com" ` -subject $subject ` -body $body ` -smtpServer MAILSERVER ` -BodyAsHtm ` -Encoding $Enc } function check-null($lsPar, $lbComma) { $lsTmp = $lsPar; if ($lsPar.Length -gt 0) { if ($lbComma) { $lsTmp = $lsPar + ", "; } } else { $lsTmp = ""; } return $lsTmp; } # -- 5, 7, 14, 20, 30  ------------------------------------------------------------------------------------- $targetdate5 = ((get-date).AddDays(5)).ToShortDateString(); $targetdate7 = ((get-date).AddDays(7)).ToShortDateString(); $targetdate14 = ((get-date).AddDays(14)).ToShortDateString(); $targetdate20 = ((get-date).AddDays(20)).ToShortDateString(); $targetdate30 = ((get-date).AddDays(30)).ToShortDateString(); $gLog = ""; $gLog5 = ""; $gLog7 = ""; $gLog14 = ""; $gLog20 = ""; $gLog30 = ""; write-host $targetdate5 $targetdate7 $targetdate14 $targetdate20 $targetdate30; Get-QADUser -SizeLimit 0 | Where-Object {$_.AccountExpires -ne $null} | Where-Object {$_.AccountIsDisabled -eq $False} | % { $gObjUser = $_; $gsUserOpt = ""; 5,7,14,20,30 | % { $targetdate = ((get-date).AddDays($_)).ToShortDateString(); if (($gObjUser.AccountExpires).ToShortDateString() -eq $targetdate) { write-host $gObjUser.DisplayName"`t"($gObjUser.AccountExpires).ToShortDateString(); if (($gObjUser.mail).Length -gt 0) { send-eMail $gObjUser.mail $_; } $gsUserOpt = (check-null $gObjUser.Title $TRUE) + (check-null $gObjUser.Department $TRUE) + (check-null $gObjUser.mail $TRUE) + (check-null $gObjUser.telephoneNumber $FALSE); if ($gsUserOpt.Length -gt 0) { if ($gsUserOpt.substring($gsUserOpt.length - 2, 2) -eq ", ") { $gsUserOpt = $gsUserOpt.substring(0, $gsUserOpt.length - 2); } $gsUserOpt = " (" + $gsUserOpt +")"; } $gsUserOpt = $gObjUser.DisplayName + $gsUserOpt +"<br />"; switch ($_) { 5 {$gLog5 = $gLog5 + $gsUserOpt; break} 7 {$gLog7 = $gLog7 + $gsUserOpt; break} 14 {$gLog14 = $gLog14 + $gsUserOpt; break} 20 {$gLog20 = $gLog20 + $gsUserOpt; break} 30 {$gLog30 = $gLog30 + $gsUserOpt; break} } } } } if ($gLog5.Length -gt 0) { $gLog = "<strong>5 ,  $targetdate5</strong><br />" + $gLog5 + "<br />"} if ($gLog7.Length -gt 0) { $gLog = $gLog + "<strong>7 ,  $targetdate7</strong><br />" + $gLog7 + "<br />"} if ($gLog14.Length -gt 0) { $gLog = $gLog + "<strong>14 ,  $targetdate14</strong><br />" + $gLog14 + "<br />"} if ($gLog20.Length -gt 0) { $gLog = $gLog + "<strong>20 ,  $targetdate20</strong><br />" + $gLog20 + "<br />"} if ($gLog30.Length -gt 0) { $gLog = $gLog + "<strong>30 ,  $targetdate30</strong><br />" + $gLog30 + "<br />"} if ($gLog.Length -gt 0) { "admin1", "admin2", "admin3" | % {send-eMail-log $gLog "$_@domain.com" "   "} } 

事前にユーザーに警告します。 コメントを歓迎します。