AD Passwords about to Expire via Aegis - Method #2 using the command line

over 5 years ago
In this article I will show the second method of creating an Aegis workflow to notify users that their password will expire in X days.

Method #1 was a very simple workflow.  It relied on you already having a script (PowerShell, VBScript etc.) that performs all the tasks you need, with Aegis simply managing its execution.  However, it's more often the case that you won't have a script that does everything an automation needs to do.  Aegis is designed to provide a 'graphical programming' workflow development environment so we can do everything a script does without having to write scripts.

Method #2 will perform the same required tasks with a blend of Aegis Activities (building blocks).  It takes a 'Google Search' approach to building a workflow - "how do I query AD via the command prompt?", "how do I convert Unix time to W32Time stamps?" - find out how, then implement it in the workflow!

So the basic workflow steps again are:

  1.  The workflow will start on a schedule - once a week for example (this was covered in method #1).
  2.  The workflow will check in AD for the Password Policy 'Maximum Password Age' - note that for simplicity I am ignoring Fine Grained Password Policies here!
  3.  The workflow will search for users whose accounts will expire in X days.
  4.  All users will be notified by email if their accounts are about to expire.


I will build this workflow by comparing it to the script example from method #1.  There is no doubt that this method still requires a good deal of logic and know-how - the upcoming methods will make this easier!

The bulk of the initial part of the script creates a filter for those users, which requires a date range to search for expiring passwords.  This date is not stored in a user-readable format, so it needs some manipulation.

The script begins with defining some variables:

# variables to configure #
$expiryDays = 30 # notify users who expire within this many days
$fromAddress = "aegis@sigea.moc"
$mailServer = "mail.sigea.moc"

In the workflow I have also defined these variables.  Here I have them defined as Workitem Attributes for easy comparison, but you will already have a Global Attribute for 'email server name' defined in Global Settings.  You may choose to use Global Settings instead of Workitem Attributes (global variables vs. local variables) or a mix.


The script next checks AD for the default policy for the maximum age of a password:

$maxPasswordDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

This can also be achieved using the dsquery command, so we can run it from the 'Run Command on Aegis Server' activity.  dsquery is available in the Microsoft Remote Server Administration Tools.


The output of this command includes some data we don't need, so a simple parser is required after execution to pull out the numeric value.  A note on this: for some unknown reason the command occasionally outputs gibberish, so the workflow I show at the end has a retry loop for that odd occasion.  However, it is a very simple check-and-retry loop - it could be endless.  How would you prevent an endless loop?

The output of this command isn't in days either, so we need to convert it from FileTime (the W32Time / system time format, which is the number of 100-nanosecond intervals since Jan 1, 1601, the Win32 epoch) to days, which we can do with the Calculator activity.


Next the script calculates the time period to check for passwords that are going to expire, based on the default domain policy (again, like method #1, we are ignoring Fine Grained Policies).  It also converts the dates to FileTime (see above), which turns out not to be a trivial calculation!  The dates are required in this format because that is the format in which AD stores them.

# start of the window: a password set this long ago has just reached the maximum age
$DateStart = [DateTime]::Now.AddDays(-$maxPasswordDays)
# end of the window: a password set here will reach the maximum age in $expiryDays days
$DateEnd = [DateTime]::Now.AddDays(-$maxPasswordDays + $expiryDays)
$filterStart = $DateStart.ToFileTime();
$filterEnd = $DateEnd.ToFileTime();

Even with a Google search it is hard to find anything as simple as the lines above for the conversion.  So take the easy option and run this short script in the workflow with the 'Run Script on Aegis Server' activity!
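As an added example (not part of the original article or the Aegis product), here is the command-line half of the above done with a bounded retry, so a bad dsquery run cannot loop forever, together with the 100-nanosecond-to-days conversion and the pwdLastSet window in FileTime.  It assumes dsquery.exe from RSAT is on the PATH and that `dsquery * domainroot -scope base -attr maxPwdAge` prints a header line followed by the raw value; the sample output at the end is constructed so the conversion can be checked without a domain.

```powershell
# Added example, not from the original article. maxPwdAge is stored as a negative
# count of 100-nanosecond intervals; dividing by the ticks in a day gives the policy in days.
$TicksPerDay = [int64]864000000000   # 24h * 3600s * 10,000,000 ticks (100 ns each)

function ConvertTo-MaxPasswordDays {
    param([string[]]$DsqueryOutput)
    # dsquery prints a header ("  maxPwdAge") and then the value; keep only the integer line
    $line = $DsqueryOutput | Where-Object { $_ -match '^\s*-?\d+\s*$' } | Select-Object -First 1
    if (-not $line) { return $null }                         # empty or gibberish output: caller retries
    $raw = [int64]$line.Trim()
    if ($raw -eq [int64]::MinValue) { return $null }         # domain policy says passwords never expire
    return [int][math]::Round([double](-$raw) / $TicksPerDay)
}

function Get-MaxPasswordDays {
    param([int]$MaxAttempts = 3)
    # Bounded retry: the page's check-and-retry loop, but with a hard stop after $MaxAttempts
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $out  = & dsquery.exe * domainroot -scope base -attr maxPwdAge
        $days = ConvertTo-MaxPasswordDays -DsqueryOutput $out
        if ($null -ne $days) { return $days }
        Start-Sleep -Seconds 2
    }
    throw "dsquery did not return a usable maxPwdAge after $MaxAttempts attempts"
}

function Get-PwdLastSetWindow {
    param([int]$MaxPasswordDays, [int]$ExpiryDays)
    $now = [DateTime]::Now
    # A password set between these two instants will hit the maximum age within $ExpiryDays days
    [pscustomobject]@{
        FilterStart = $now.AddDays(-$MaxPasswordDays).ToFileTime()
        FilterEnd   = $now.AddDays(-$MaxPasswordDays + $ExpiryDays).ToFileTime()
    }
}

# Constructed sample output for a 42-day policy (42 * 864000000000 ticks)
$sample  = @('  maxPwdAge', '  -36288000000000')
$maxDays = ConvertTo-MaxPasswordDays -DsqueryOutput $sample      # 42
$window  = Get-PwdLastSetWindow -MaxPasswordDays $maxDays -ExpiryDays 30
"(&(objectCategory=person)(objectClass=user)(pwdLastSet>=$($window.FilterStart))(pwdLastSet<=$($window.FilterEnd)))"
```

In the real workflow, replace the constructed `$sample` with `Get-MaxPasswordDays`, which runs dsquery for you and gives up after three attempts instead of looping.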

Here is the activity for calculating the start date for the filter.  You can compute both dates in the same activity of course, but you will then need to parse the two results apart.


So finally we are ready to query for the users.  Again I will use the dsquery command to query for the users, using the same LDAP filter as the script:

# users whose password was set inside the window, excluding disabled accounts, non-expiring
# passwords, accounts with no password required, and accounts that cannot change password
$filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet>=" + $filterStart + ")(pwdLastSet<=" + $filterEnd + ")(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=32)(!userAccountControl:1.2.840.113556.1.4.803:=48))" # user cannot change password
$users = Get-ADUser -LDAPFilter $filter -Properties name, EmailAddress


The result is a typical command line output which will need to be parsed to get each user's email address - note here that one user doesn't have an email address - how do you handle that?
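One answer to that question, as an added example that is not from the original article: parse the table that `dsquery * domainroot -filter <ldap filter> -attr sAMAccountName mail -limit 0` prints, and split the users into those who can be emailed and those who cannot, so the workflow reports the latter rather than failing on a blank field.  It assumes dsquery leaves the mail column blank when the attribute is unset; the sample output is constructed.

```powershell
# Added example, not from the original article. Sorts dsquery user rows by whether a
# mail address is present; the workflow emails the first group and reports the second.
function ConvertFrom-DsqueryUserTable {
    param([string[]]$DsqueryOutput)
    $result = [pscustomobject]@{ Notify = @(); NoEmail = @() }
    # Skip the header row; each data row is "<sAMAccountName>  <mail>", mail blank when unset (assumed)
    foreach ($line in ($DsqueryOutput | Select-Object -Skip 1)) {
        if ($line -match '^\s*(\S+)\s*(\S+@\S+)?\s*$') {
            $account = $Matches[1]
            if ($Matches[2]) {
                $result.Notify += [pscustomobject]@{ Account = $account; Email = $Matches[2] }
            } else {
                $result.NoEmail += $account          # no address to notify: surface it instead of skipping silently
            }
        }
        # any other line is blank or garbled output and is ignored
    }
    return $result
}

# Constructed sample output: two users with a mail attribute, one without
$sample = @(
    '  sAMAccountName  mail',
    '  jsmith          jsmith@sigea.moc',
    '  bjones',
    '  alee            alee@sigea.moc'
)
$parsed = ConvertFrom-DsqueryUserTable -DsqueryOutput $sample
foreach ($u in $parsed.Notify) {
    # In the workflow this is the 'send email' step, e.g.
    # Send-MailMessage -To $u.Email -From $fromAddress -SmtpServer $mailServer -Subject 'Your password is about to expire'
    "would notify $($u.Account) at $($u.Email)"
}
if ($parsed.NoEmail) { "no email address for: $($parsed.NoEmail -join ', ') - route these to the helpdesk" }
```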



Finally, the workflow again just needs to send an email to each user to notify them that their account is going to expire, which is Aegis 101.

The final workflow might look like this:




Next time is method #3.  This will replace the command line and scripting in the workflow with custom activities that give the required results directly, without any need for parsing, making workflow life even easier.


