I need to set up an alert when someone sets Password never expires in AD

Kawaljit Singh 0 Reputation points
2023-10-26T12:41:04.9633333+00:00

When someone from the IT team sets a user to password never expires, I want to build something, maybe a PowerShell script, so it will send us an email notification.


2 answers

  1. SChalakov 10,386 Reputation points MVP
    2023-10-26T14:57:57.22+00:00

    Hi,

    I don't think that it is a good idea to have a script that constantly runs and checks for this. What you can do instead is just execute a simple script in smaller intervals and get the results sent back to you. For example, you can execute the script I referenced below every day and check the output (CSV file or directly the mail body).

    Here is how you can do this:

    You can create a simple script, following the steps from this guide:

    How to Get a List of Users with Password Never Expires

    This will generate a .CSV file (actually you can store the result in a variable and then output it to the mail body) and you can send the CSV file using the following example:

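    # $body holds the report text built from the query result;
    # C:\Temp\Export.csv is the CSV file generated by the script above.
    Send-MailMessage -To someone@example.com `
            -Body "$body" -BodyAsHtml `
            -SmtpServer smtp.test.net `
            -Subject "TEST" `
            -Attachments "C:\Temp\Export.csv" `
            -From example@example.com `
            -Priority High `
            -Encoding UTF8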
    

    I hope I could help you out with that.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
    Regards
    Stoyan Chalakov


  2. Ian Xue 37,106 Reputation points Microsoft Vendor
    2023-11-02T03:08:38.2533333+00:00

    Hi,

    Auditing the unexpire password permission for AD users is enabled by default. You can open Event Viewer and attach a task that runs a script for sending mail, like SChalakov suggested above, to Event 4738 in the Security log.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738

    Best Regards,

    Ian Xue
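
One way to turn the daily report from the first answer into an alert on change, usable either on a schedule or as the action of a task attached to Event 4738 as the second answer suggests. This is an added example, not code from either poster; the baseline path, mail addresses and SMTP server are placeholders, and `Get-NewNeverExpire` is a helper name made up for this sketch.

```powershell
# Added example. Baseline path, addresses and SMTP server are placeholders.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # any failure ends the run before the baseline is rewritten

# Keep this file writable only by the task account: editing it hides a change.
$BaselinePath = 'C:\Temp\NeverExpire-Baseline.csv'
$MailParams = @{
    To         = 'someone@example.com'
    From       = 'example@example.com'
    SmtpServer = 'smtp.test.net'
    Priority   = 'High'
    Encoding   = 'UTF8'
}

function Get-NewNeverExpire {
    # Return the entries of $Current whose SamAccountName is not in $Baseline.
    param([object[]]$Current, [object[]]$Baseline)
    $known = @{}   # PowerShell hashtable keys compare case-insensitively
    foreach ($b in $Baseline) { $known[$b.SamAccountName] = $true }
    $Current | Where-Object { -not $known.ContainsKey($_.SamAccountName) }
}

# Every account that currently has the flag set.
$current = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties whenChanged |
    Select-Object SamAccountName, DistinguishedName, Enabled, whenChanged)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the existing accounts and send nothing.
    $current | Export-Csv $BaselinePath -NoTypeInformation -Encoding UTF8
    return
}

$baseline = @(Import-Csv $BaselinePath)
$new = @(Get-NewNeverExpire -Current $current -Baseline $baseline)

if ($new.Count -gt 0) {
    # Mail only the accounts that were not flagged on the previous run.
    $body = $new | ConvertTo-Html -Fragment | Out-String
    Send-MailMessage @MailParams -Subject 'Password never expires set on new accounts' `
        -Body $body -BodyAsHtml
}

# Accounts that had the flag cleared drop out, so setting it again alerts again.
$current | Export-Csv $BaselinePath -NoTypeInformation -Encoding UTF8
```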


