AD Passwords about to Expire via Aegis - Method #1 with your existing script

I've been meaning for a long time to do a series of posts on different ways of doing the same thing in Aegis, from using scripts, command line, builtin activities, custom activities and adapters and I finally got around to doing it.

The question came up in the Aegis Support Forum asking "How can I detect accounts in Active Directory whose passwords are about to expire in X days and notify them by email using Aegis?". We ended up working offline on a solution (as workflow design isn't a technical support offering) based on a PowerShell script the customer already had as part of the overall workflow.

Workflows with a mix of scripting and Aegis activities are quite common - but for this example I am just going to use a single script.

Ok so there is a split in opinion about using an Automation Platform just to run scripts - it's overkill for sure - but it does add a layer of management, audit and reporting that you may not get by simply running a script on a schedule. On the other hand, if you already have Aegis or are just starting out, and you have a script which works, use it in Aegis!

#Aegis Top Tip: People who already automate tasks using scripts are likely to be great Aegis workflow designers as they already have the core skills!

For each solution method I use, the workflow will generally follow the same basic steps, but depending on the method the number of workflow steps needed to achieve the requirement will vary.

  1.  The workflow will start on a schedule - once a week for example

  2.  The workflow will check in AD for the Password Policy 'Maximum Password Age' - Note for simplicity I am ignoring Fine Grained Password Policies here!

  3.  The workflow will search for users whose accounts will expire in X days.

  4.  All users will be notified by email if their accounts are about to expire.

You'll notice that there are no "what if" scenarios here - again this is just to keep things simple - but in the real world you would need to handle situations where perhaps the user doesn't have an email address, fine grained password policies exist, or some unexpected error occurred (like a script error, LDAP unavailability etc.).

So step 1 is going to be a simple trigger based off a schedule event -


And Steps 2 3 and 4 are in a script, so the workflow looks like this :


The Activity I use is the 'Run Script on Aegis Server' activity, and can be configured to run a script from a file or from pasting the script into Aegis like in my example below.


The script is going to be your script, but I enclose an example script - this is purely for example and uses a different methodology to what the customer mentioned above used. Similar to the workflow, it assumes everything will proceed without error!

Import-Module ActiveDirectory

# variables to configure #
$expiryDays = 30 # notify users who expire within this many days
$fromAddress = "aegis@sigea.moc"
$mailServer = "mail.sigea.moc"

# maximum password age (in days) from the default domain password policy
$maxPasswordDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

# passwords last set between these two dates will expire within the next $expiryDays days
$DateStart = [DateTime]::Now.AddDays(-$maxPasswordDays)
$DateEnd = [DateTime]::Now.AddDays(-$maxPasswordDays + $expiryDays)

# pwdLastSet is stored as a FILETIME, so the window is converted to that format for the LDAP filter
$filterStart = $DateStart.ToFileTime();
$filterEnd = $DateEnd.ToFileTime();
$filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet>=" + $filterStart + ")(pwdLastSet<=" + $filterEnd + ")(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=32)(!userAccountControl:1.2.840.113556.1.4.803:=48))" # user cannot change password

$users = Get-ADUser -LDAPFilter $filter -Properties Name, EmailAddress

foreach ($user in $users)
{
    $fname = $user.GivenName
    $mail = $user.EmailAddress

    $subject = "Your password will expire within 30 days"
    $body = "Dear " + $fname + ",<br>Please change your password!"

    Send-MailMessage -SmtpServer $mailServer -From $fromAddress -To $mail -Subject $subject -Body $body -BodyAsHtml
}

I'm not going to explain the mechanics of the script here; in another method, where workflow steps perform the steps of the script, I will explain what's happening.

As in the majority of scripts, there are a few variables defined at the start of the script: the number of expiry days, the from address for the email sent to users, and which email server to use. There is no problem in leaving these hardcoded, but you can have Aegis substitute in these values at runtime using variables (Workitem Attributes or Global Attributes).

In terms of maintenance of the script, when errors do occur, the Aegis activity will currently fail and so will the workitem. You can choose to put your error handling into the script or into the Aegis workflow. It is quite common that a workflow which starts out as a single script activity grows over time into a more substantial workflow built around the core script.
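As an added example (this is not the script from the post, nor the customer's script), here is the same pwdLastSet-window approach with the "what if" handling the post mentions done inside the script: users without an email address are skipped and logged rather than breaking the run, the AD query and each Send-MailMessage call are wrapped in try/catch, and the script ends with a non-zero exit code when something failed. The log path, the addresses and the assumption that the 'Run Script on Aegis Server' activity treats a non-zero exit code as a failed activity are mine, not from the post.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

# variables to configure (hypothetical values - Aegis could substitute these at runtime) #
$expiryDays  = 30                              # notify users who expire within this many days
$fromAddress = "aegis@example.com"
$mailServer  = "mail.example.com"
$logPath     = "C:\Aegis\PasswordExpiry.log"   # assumed log location; folder must exist

function Write-Log ($msg) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $msg
    Add-Content -Path $logPath -Value $line
    Write-Output $line
}

# --- step 2: read the domain password policy, fail the run if AD is unavailable ---
try {
    $maxPasswordDays = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days
    if ($maxPasswordDays -le 0) {
        throw "Domain policy has no maximum password age; passwords never expire."
    }

    # --- step 3: find users whose password was last set inside the expiry window ---
    $dateStart = [DateTime]::Now.AddDays(-$maxPasswordDays)
    $dateEnd   = $dateStart.AddDays($expiryDays)
    # UAC bit 2 = account disabled, 65536 = password never expires
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(pwdLastSet>=" + $dateStart.ToFileTime() + ")" +
              "(pwdLastSet<=" + $dateEnd.ToFileTime() + ")" +
              "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
              "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"

    $users = Get-ADUser -LDAPFilter $filter -Properties GivenName, EmailAddress, pwdLastSet -ErrorAction Stop
}
catch {
    Write-Log "FATAL: AD query failed: $($_.Exception.Message)"
    exit 1   # assumed: non-zero exit makes the Aegis activity (and the workitem) fail visibly
}

# --- step 4: notify each user, skipping the ones with no mailbox ---
$sent = 0; $skipped = 0; $failed = 0
foreach ($user in $users) {
    if ([string]::IsNullOrWhiteSpace($user.EmailAddress)) {
        Write-Log "SKIP: $($user.SamAccountName) has no email address"
        $skipped++
        continue
    }

    # pwdLastSet is a FILETIME; expiry = last set + maximum age
    $expires  = [DateTime]::FromFileTime($user.pwdLastSet).AddDays($maxPasswordDays)
    $daysLeft = [int][Math]::Ceiling(($expires - [DateTime]::Now).TotalDays)

    $subject = "Your password will expire in $daysLeft days"
    $body    = "Dear $($user.GivenName),<br>Your password expires on $($expires.ToString('d')). Please change it before then."
    try {
        Send-MailMessage -SmtpServer $mailServer -From $fromAddress -To $user.EmailAddress `
            -Subject $subject -Body $body -BodyAsHtml -ErrorAction Stop
        $sent++
    }
    catch {
        Write-Log "ERROR: could not mail $($user.SamAccountName): $($_.Exception.Message)"
        $failed++
    }
}

Write-Log "Done: $sent notified, $skipped skipped (no email), $failed failed"
if ($failed -gt 0) { exit 2 }   # partial failure: let the workitem show it rather than silently succeed
```

The point of the log and the exit codes is that the Aegis workitem still fails when it should (AD down, mail server rejecting) but a single user record without an email address no longer aborts the whole notification run; that distinction is exactly where a script-only workflow tends to grow extra Aegis activities later.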

So in summary, if you already have a script to perform a task like this, use it - no need to re-invent the wheel.
