Reduce Help-desk cost by notifying user in advance to take self action on password reset

Table of Contents

  1. Introduction
  2. Scenario
  3. Benefits
  4. Pre-requisites
  5. Script
  6. Script sample email output
  7. End of Document

Reduce Help-desk cost by notifying user in advance to take self action on password reset

1. Introduction

Purpose of this document is to explain how you can reduce your help desk cost by notifying users to change the password themselves in advance before it expires.

2. Scenario

Below are few scenarios where this script will be helpful. Let’s assuming a big organization with 5000 employee.

  • On an average 5000/365 = 13 tickets per day for password reset.
  • In this case at least 3 help-desk employees with 8 hour shift will require to handle these 13 tickets/ incidents 24*7.
  • If volume increases suddenly ticket resolution time will increase, which will impact on help-desk performance/ SLA (Service Level Agreement).
  • Another hypothetical example, there is a presentation/ Meeting is scheduled from a senior management (May be CEO, CFO, CSO, Senior manager etc), and the password expired few minutes before presentation, where presentation file can be access only from his/her ID.

3. Benefits

This script will inform users well in advance about the password expiration, to avoid any chaos. User can take advantage of Self-Service password reset tool and change password before it expires.

In case user missed first notification (10 days) before his password expires, user will still get another two notifications (5 days and 2 days) prior to his/ her password expires and user can take action.

Assuming above scenario of 5000 employee, it will also save your 3 helpdesk employee cost.

4. Pre-requisites

User require (usually a service account) with password never expires and have sufficient privileges to read the password expiration attributes of all users in Active directory.

Mail server (SMTP server) should be reachable and should allow sending email from where you are executing the script.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

[jetpack_subscription_form show_only_email_and_button=”true” custom_background_button_color=”undefined” custom_text_button_color=”undefined” submit_button_text=”Subscribe Now” submit_button_classes=”undefined” show_subscribers_total=”false” ]

5. Script

Script is written in PowerShell. Script should be executed from your on premise Active Directory server via Task Scheduler using above service account.

## Owner : Niraj Srivastava
## Date : 21-Feb-2020
## Version : 1.0

## This Script notifiy users whose password is expire in 10,5,2 days.
## To work Script properly
## Create Proper Folder Structure "C:\NSIT\Scripts\Prod\PasswordNotification", "C:\NSIT\OUTPUT\PasswordNotification"
## Copy this script in Folder "C:\NSIT\Scripts\Prod\PasswordNotification"
## Execute this script directly from Domain Controller
## SMTP Server should be accessible from Domain Controller
## Execute this Script for every day via Task Scheduler, so that should not miss any user whose password is expiring in 10.5.2 days.
## Change your OU Structure where users exist in AD "OU=Employees,OU=Users,DC=NSIT,DC=nsitautomation,DC=in"
## You can check Log at "C:\NSIT\OUTPUT\PasswordNotification", to whom script notified.

$dt= (Get-Date)
$tm= (Get-Date).ToString("hh:mm")
$fldt= (Get-Date).ToString("ddMMMyyyy")

$Outpath = "C:\NSIT\OUTPUT\PasswordNotification\$fldt"
$outputcsv = "$Outpath\PasswordNotification_$fldt.log"
mkdir $Outpath -ErrorAction SilentlyContinue
Write "Reporte Date :$fldt Time :$tm" | Out-File $outputcsv 
Write "Email,DisplayName,Password Expiration,Password Expire in Day/s" | Out-File $outputcsv -Append
mkdir $Outpath -ErrorAction SilentlyContinue

$passwordchangedoc = "$Filepath\Change password Process.pdf"
### Hear you can add more days


$advNotifyDays= @($10days,$05days,$02days)

$users1=Get-ADUser -SearchBase "OU=Employees,OU=Users,DC=NSIT,DC=nsitautomation,DC=in" -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "Userprincipalname", "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Userprincipalname","Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFiletime($_."msDS-UserPasswordExpiryTimeComputed")}} 
$users2=Get-ADUser -SearchBase "OU=NonStaff,OU=Users,DC=NSIT,DC=nsitautomation,DC=in" -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "Userprincipalname", "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Userprincipalname","Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFiletime($_."msDS-UserPasswordExpiryTimeComputed")}} 

foreach ($advNotifyDay in $advNotifyDays)
## Advance days 10,5,1 days section
write ""
write "Today is $dt and Advance date is $advNotifyDay"
write ""

foreach ($user in $users )
    $useremail = $user.Userprincipalname
    $userdispname = $user.Displayname
    $pwdexpdate = $user.ExpiryDate
    $pwdexpdateonly = $pwdexpdate.ToString("dd/MM/yyyy")
    $pwdexpdays = $pwdexpdate- $dt
    $pwdexpdays = $pwdexpdays.Days
    $pwdexpdays = $pwdexpdays+1

    if (($pwdexpdate -ge $dt ) -and ($pwdexpdate -le $advNotifyDay))

        if($daysleft -eq 0)
            Write "$useremail,$userdispname,$pwdexpdateonly,Days Left $pwdexpdays"
            $daysleft = $null

###### Email Notification Section ######
$emailfrom = ""

$emailto = $useremail

$emailsubject = "NSIT-Auto generated password expiring notification."
$emailattachment = $passwordchangedoc
$emailSMTPServer = ""
$emailbody = "<b><font color=orange>Hello $userdispname,</b></font> <br>" 
$emailbody += "<P>This is auto-generated notification for password change."
$emailbody += "<br><br> <font color=blue>Your password for email ID $useremail will expire in next $pwdexpdays days.<br>" 
$emailbody += "<br> <font color=black>Kindly change the password before it expires. If you are in NSIT office and connected to NSIT LAN or Wi-Fi, press Ctrl+Al+Del --> Change password   </b></P>"
$emailbody += "<P><font color=black> <b>NOTE : </b>  If you are not in NSIT network and have Internet access, please connect to Microsoft Azure SSPR website.  <P/>"
$emailbody += "<ol>"
$emailbody += "<li>Open Browser and go to URL:</li>"
$emailbody += "<li>Provide you email and press Next</li>"
$emailbody += "<li>Login with your current credentials</li>"
$emailbody += "<li>Provide old password and new password and Submit</li>"
$emailbody += "<li>Click on username and Sign out</li>"
$emailbody += "</ol>"  
$emailbody += "<P> For further assistance<br><b><font color=orange>Please call Help Desk at +91-1234567890.</P>"

##Send-MailMessage -From $emailfrom -To $emailto -cc $emailcc -SmtpServer $emailSMTPServer -Subject $emailsubject -Body $emailbody -BodyAsHtml -Attachments $emailattachment 
Send-MailMessage -From $emailfrom -To $emailto -SmtpServer $emailSMTPServer -Subject $emailsubject -Body $emailbody -BodyAsHtml

## Log Generation
Write "$useremail,$userdispname,$pwdexpdate,$pwdexpdays" | Out-File $outputcsv -Append


## Advance days 10,5,1 days section

6. Script sample email output

7. End of Document

Facebook Comments

One thought to “Reduce Help-desk cost by notifying user in advance to take self action on password reset”

  1. Master of Industrial Engineering Telkom University says:

    I just want to say I am very new to blogging and site-building and truly savored this blog site. Almost certainly I’m likely to bookmark your blog post . You amazingly have exceptional article content. Thank you for revealing your blog site.

Leave a Reply

Your email address will not be published. Required fields are marked *