由于域密码扫描涉及对 Active Directory 的查询,所以选用了 PowerShell,它自带了很多现成的 AD 相关函数。
网上有很多例子,但是我主要卡壳在邮件中插入图片这一块。
直接上代码(PowerShell 脚本应保存为 .ps1 后缀的文件):
如果邮件中没有加载图片的需求,那么下面这段代码够用了。
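# ---------------------------------------------------------------------------
# Domain password expiry notifier (variant with the image loaded over http).
# Scans one OU for enabled users whose password can expire, computes the days
# left until expiry (assumed maximum age: $MaxPasswordAgeDays) and mails the
# user (Cc: the support list) when the password is about to expire or has
# expired. Requires the ActiveDirectory module; meant to run as a scheduled
# task. Every notification is also appended to $LogFile.
# ---------------------------------------------------------------------------

# Log file (script and log both live on the desktop in the original setup).
$LogFile = "C:\Users\username\Desktop\password-expire.txt"

# Write-Log: append a line to $LogFile and, unless -Quiet, echo it to stdout.
#   Message - text to record
#   Quiet   - log only, do not write to the console
function Write-Log {
    param(
        [Parameter(Mandatory)][string]$Message,
        [switch]$Quiet
    )
    if (-not $Quiet) { Write-Output $Message }
    $Message | Out-File -Append -FilePath $LogFile
}

Write-Log -Quiet "$(Get-Date) Start Password Check..."

Import-Module ActiveDirectory

# --- Mail settings ----------------------------------------------------------
$SMTPServer = "smtp.feishu.cn"
$From = "it@company.com"
# The SMTP password is NOT kept in the script. Create the credential file once,
# running as the account that will execute the scheduled task:
#   Get-Credential it@company.com | Export-Clixml -Path <same path as below>
# Export-Clixml protects the SecureString with DPAPI, so only that user on that
# machine can read it back. (Placeholder path; adjust to your layout.)
$CredentialFile = "C:\Users\username\Desktop\smtp-credential.xml"
$SMTPCred = Import-Clixml -Path $CredentialFile
# Cc list for every notification.
[string[]]$SupportList = "yun.zhao@company.com", "qiao.xiao@company.com"

# --- Scan settings ----------------------------------------------------------
# SamAccountNames that are never scanned. Matched with -contains (exact,
# case-insensitive). The original used String.Contains(), a substring test
# that would also skip any user whose name is a substring of an entry.
$WhiteList = @("gerrit")
# Maximum password age assumed here. It is not read from the domain policy;
# keep it in sync with Get-ADDefaultDomainPasswordPolicy.
$MaxPasswordAgeDays = 360

# New-ExpiryMailBody: build the HTML notification body.
#   DisplayName     - user's display name (HTML-encoded before insertion)
#   Days            - days left before expiry, or days since expiry with -Expired
#   Expired         - the password has already expired
#   PasswordLastSet - the PasswordLastSet attribute, shown as "上次密码设置时间"
#                     (the original body showed the computed expiry date under
#                     that label)
# Returns the HTML string.
function New-ExpiryMailBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][int]$Days,
        [switch]$Expired,
        [Parameter(Mandatory)][datetime]$PasswordLastSet
    )
    # Display names come from the directory; encode so a name containing
    # '<' or '&' cannot alter the markup.
    $safeName = [System.Net.WebUtility]::HtmlEncode($DisplayName)
    $span = '<span style="font-size:16px;font-family:"">'
    $red  = '<span style="font-size:16px;color:#E53333;font-family:"">'
    if ($Expired) {
        $status = "${span}您的域密码已过期</span>${red}<strong>$Days</strong></span>${span}天,请尽快重置。</span>"
    } else {
        $status = "${span}您的域密码将在</span>${red}<strong>$Days</strong></span>${span}天后过期,请及时更改。</span>"
    }
    # Here-string: the closing "@ must start at column 0.
    return @"
<p>
${span}<strong>$safeName</strong></span>${span} 您好,</span>
</p>
<p class="MsoNormal" align="left" style="text-align:justify;font-size:10.5pt;font-family:Calibri, sans-serif;">
$status
<br>
${span}上次密码设置时间:$PasswordLastSet</span>
<br>
${span}点击<a href="https://hm-dc02.company.com/RDWeb/Pages/zh-CN/password.aspx">这里</a>修改密码或使用<strong>CTL+ALT+Del</strong>修改密码。</span>
</p>
<p>
${span}<b>示例:</b></span>
<div>
<img alt="" src="http://10.10.1.60/jenkins/modifypassword.png" style="display:inline-block">
</div>
</p>
"@
}

# One query fetches everything the loop needs; the original issued three extra
# Get-ADUser calls per user. Filter: password can expire and account enabled.
$AllUsers = Get-ADUser -SearchBase "OU=group,DC=company,DC=com" `
    -Filter 'PasswordNeverExpires -eq "false" -and enabled -eq "true"' `
    -Properties PasswordLastSet, DisplayName, mail

# Taken once for the whole run; the clock of the machine running this script
# must be correct.
$Now = Get-Date

foreach ($ADUser in $AllUsers) {
    $User = $ADUser.SamAccountName
    if ($WhiteList -contains $User) { continue }

    $PwdLastset = $ADUser.PasswordLastSet
    if ($null -eq $PwdLastset) {
        Write-Log "未查询到用户$User 上次设置密码时间"
        continue
    }
    # Expiry date and signed day count: > 0 days left, <= 0 already expired.
    $PwdLastday = $PwdLastset.AddDays($MaxPasswordAgeDays)
    $ExpireDays = ($PwdLastday - $Now).Days

    $DN = $ADUser.DisplayName
    $To = $ADUser.mail
    if ([string]::IsNullOrEmpty($To)) {
        Write-Log "未查询到用户$User 邮箱"
        continue
    }

    # Three notification windows; the "10" is also hard-coded in the last
    # subject line ("超10天"), so change both together.
    if ($ExpireDays -le 10 -and $ExpireDays -gt 0) {
        Write-Log "$DN 密码即将在$ExpireDays 天后过期,上次密码设置时间: $PwdLastset"
        $EmailSubject = "域密码即将过期"
        $Emailbody = New-ExpiryMailBody -DisplayName $DN -Days $ExpireDays -PasswordLastSet $PwdLastset
    }
    elseif ($ExpireDays -le 0 -and $ExpireDays -gt -10) {
        $ExpiredDays = -$ExpireDays
        Write-Log "$DN 密码已过期过期$ExpiredDays 天,上次密码设置时间: $PwdLastset"
        $EmailSubject = "域密码已过期"
        $Emailbody = New-ExpiryMailBody -DisplayName $DN -Days $ExpiredDays -Expired -PasswordLastSet $PwdLastset
    }
    elseif ($ExpireDays -le -10) {
        $ExpiredDays = -$ExpireDays
        Write-Log "$DN 密码过期超十天,密码已过期$ExpiredDays 天,上次密码设置时间: $PwdLastset"
        $EmailSubject = "域密码已过期超10天"
        $Emailbody = New-ExpiryMailBody -DisplayName $DN -Days $ExpiredDays -Expired -PasswordLastSet $PwdLastset
    }
    else {
        continue   # more than 10 days left: nothing to send
    }

    # -Port 587 -UseSsl: the original submitted the credential without TLS;
    # the image-embedding variant of this script already uses 587 + TLS.
    # -Body/-BodyAsHtml: -BodyAsHtml is a switch; the body goes to -Body.
    # One failed send is logged and the scan goes on with the next user.
    try {
        Send-MailMessage -SmtpServer $SMTPServer -Port 587 -UseSsl `
            -From $From -To $To -Cc $SupportList `
            -Subject $EmailSubject -Body $Emailbody -BodyAsHtml `
            -Credential $SMTPCred -Encoding ([System.Text.Encoding]::UTF8) `
            -ErrorAction Stop
    }
    catch {
        Write-Log "发送邮件失败: $To ($User): $($_.Exception.Message)"
    }
}

Write-Log -Quiet "$(Get-Date) Finish Password Check..."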
但是以上代码发出的邮件在显示图片时会有问题:图片是通过 http 从公司内网加载的,收件人如果没有接入公司内网就无法加载,导致邮件中的图片无法显示,所以对以上代码做了如下改写:
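# Sendmail: send one HTML notification with the example screenshot embedded.
#   $user_to      - recipient address
#   $mail_subject - subject line
#   $mail_body    - HTML body; it references the image as <img src="cid:pict">
# The message is also Bcc'd to $user_bcc. Sent over port 587 with TLS.
# Throws if the credential file, the image or the SMTP submission fails;
# the MailMessage, Attachment and SmtpClient are disposed on every path.
Function Sendmail($user_to,$mail_subject,$mail_body)
{
    $smtpServer = "smtp.feishu.cn"
    $smtpUser = "it@company.com"
    # The SMTP password is NOT kept in the script. Create the credential file
    # once, running as the account that executes the scheduled task:
    #   Get-Credential it@company.com | Export-Clixml -Path <same path as below>
    # Export-Clixml protects the SecureString with DPAPI for that user/machine.
    # (Placeholder path; adjust to your layout.)
    $credentialFile = "C:\Users\username\Desktop\smtp-credential.xml"
    $smtpCred = Import-Clixml -Path $credentialFile
    # Image on the local machine, embedded inline as Content-ID "pict".
    $file = "C:\Users\username\Desktop\modifypassword.PNG"
    [string[]]$user_bcc = "yun.zhao@company.com", "username@company.com"

    $mail = New-Object System.Net.Mail.MailMessage
    $att = $null
    $smtp = $null
    try {
        $mail.From = New-Object System.Net.Mail.MailAddress($smtpUser)
        $mail.To.Add($user_to)
        # MailAddressCollection.Add(string) takes one address (or a
        # comma-separated list), not a PowerShell array: add them one by one.
        foreach ($addr in $user_bcc) { $mail.Bcc.Add($addr) }
        $mail.Subject = $mail_subject
        $mail.IsBodyHtml = $True
        $mail.Body = $mail_body
        $mail.Priority = "High"

        $att = New-Object System.Net.Mail.Attachment($file)
        $att.ContentType.MediaType = "image/png"
        $att.ContentId = "pict"   # matches src="cid:pict" in the body
        $att.TransferEncoding = [System.Net.Mime.TransferEncoding]::Base64
        $mail.Attachments.Add($att)

        $smtp = New-Object System.Net.Mail.SmtpClient -ArgumentList $smtpServer, 587   # submission port
        $smtp.EnableSsl = $true   # TLS, so the credential never travels in clear
        $smtp.Credentials = $smtpCred.GetNetworkCredential()
        $smtp.Send($mail)
    }
    finally {
        # Release the file handle on the image and the SMTP connection even
        # when Send() throws.
        if ($smtp) { $smtp.Dispose() }
        if ($att) { $att.Dispose() }
        $mail.Dispose()
    }
}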
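# ---------------------------------------------------------------------------
# Domain password expiry notifier (variant with the image embedded via
# Sendmail). Scans one OU for enabled users whose password can expire,
# computes the days left until expiry (assumed maximum age:
# $MaxPasswordAgeDays) and mails the user when the password is about to
# expire or has expired. Requires the ActiveDirectory module and the Sendmail
# function defined above; meant to run as a scheduled task.
# ---------------------------------------------------------------------------

$LogFile = "C:\Users\username\Desktop\password-expire.txt"

# Write-Log: append a line to $LogFile and, unless -Quiet, echo it to stdout.
#   Message - text to record
#   Quiet   - log only, do not write to the console
function Write-Log {
    param(
        [Parameter(Mandatory)][string]$Message,
        [switch]$Quiet
    )
    if (-not $Quiet) { Write-Output $Message }
    $Message | Out-File -Append -FilePath $LogFile
}

Write-Log -Quiet "$(Get-Date) Start Password Check..."

Import-Module ActiveDirectory

# SamAccountNames that are never scanned. Matched with -contains (exact,
# case-insensitive). The original used String.Contains() on "gerrit " with a
# trailing space, a substring test that only worked by accident.
$WhiteList = @("gerrit")
# Maximum password age assumed here. It is not read from the domain policy;
# keep it in sync with Get-ADDefaultDomainPasswordPolicy.
$MaxPasswordAgeDays = 360
# Debugging aid kept from the original: while set, every notification goes to
# this address instead of the user. Set to $null for production.
$DebugRecipient = "yun.zhao@company.com"

# New-ExpiryMailBodyInline: build the HTML body; the screenshot is referenced
# as cid:pict, which Sendmail attaches.
#   DisplayName     - user's display name (HTML-encoded before insertion)
#   Days            - days left before expiry, or days since expiry with -Expired
#   Expired         - the password has already expired
#   PasswordLastSet - the PasswordLastSet attribute, shown as "上次密码设置时间"
#                     (the original body showed the computed expiry date under
#                     that label)
# Returns the HTML string.
function New-ExpiryMailBodyInline {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][int]$Days,
        [switch]$Expired,
        [Parameter(Mandatory)][datetime]$PasswordLastSet
    )
    # Display names come from the directory; encode so a name containing
    # '<' or '&' cannot alter the markup.
    $safeName = [System.Net.WebUtility]::HtmlEncode($DisplayName)
    $span = '<span style="font-size:16px;font-family:"">'
    $red  = '<span style="font-size:16px;color:#E53333;font-family:"">'
    if ($Expired) {
        $status = "${span}您的域密码已过期</span>${red}<strong>$Days</strong></span>${span}天,请尽快重置。</span>"
    } else {
        $status = "${span}您的域密码将在</span>${red}<strong>$Days</strong></span>${span}天后过期,请及时更改。</span>"
    }
    # Here-string: the closing "@ must start at column 0.
    return @"
<p>
${span}<strong>$safeName</strong></span>${span} 您好,</span>
</p>
<p class="MsoNormal" align="left" style="text-align:justify;font-size:10.5pt;font-family:Calibri, sans-serif;">
$status
<br>
${span}上次密码设置时间:$PasswordLastSet</span>
<br>
${span}点击<a href="https://hm-dc02.company.com/RDWeb/Pages/zh-CN/password.aspx">这里</a>修改密码或使用<strong>CTL+ALT+Del</strong>修改密码。</span>
</p>
<p>
${span}<b>示例:</b></span>
<div>
<img alt="" src="cid:pict" style="display:inline-block">
</div>
</p>
"@
}

# One query fetches everything the loop needs; the original issued three extra
# Get-ADUser calls per user. Filter: password can expire and account enabled.
$AllUsers = Get-ADUser -SearchBase "OU=group,DC=company,DC=com" `
    -Filter 'PasswordNeverExpires -eq "false" -and enabled -eq "true"' `
    -Properties PasswordLastSet, DisplayName, mail

# Taken once for the whole run; the clock of the machine running this script
# must be correct.
$Now = Get-Date

foreach ($ADUser in $AllUsers) {
    $User = $ADUser.SamAccountName
    if ($WhiteList -contains $User) { continue }

    $PwdLastset = $ADUser.PasswordLastSet
    if ($null -eq $PwdLastset) {
        Write-Log "未查询到用户$User 上次设置密码时间"
        continue
    }
    # Expiry date and signed day count: > 0 days left, <= 0 already expired.
    $PwdLastday = $PwdLastset.AddDays($MaxPasswordAgeDays)
    $ExpireDays = ($PwdLastday - $Now).Days

    $DN = $ADUser.DisplayName
    $To = $ADUser.mail
    if ([string]::IsNullOrEmpty($To)) {
        Write-Log "未查询到用户$User 邮箱"
        continue
    }

    # Three notification windows; the "10" is also hard-coded in the last
    # subject line ("超10天"), so change both together.
    if ($ExpireDays -le 10 -and $ExpireDays -gt 0) {
        Write-Log "$DN 密码即将在$ExpireDays 天后过期,上次密码设置时间: $PwdLastset"
        $EmailSubject = "域密码即将过期"
        $Emailbody = New-ExpiryMailBodyInline -DisplayName $DN -Days $ExpireDays -PasswordLastSet $PwdLastset
    }
    elseif ($ExpireDays -le 0 -and $ExpireDays -gt -10) {
        $ExpiredDays = -$ExpireDays
        Write-Log "$DN 密码已过期过期$ExpiredDays 天,上次密码设置时间: $PwdLastset"
        $EmailSubject = "域密码已过期"
        $Emailbody = New-ExpiryMailBodyInline -DisplayName $DN -Days $ExpiredDays -Expired -PasswordLastSet $PwdLastset
    }
    elseif ($ExpireDays -le -10) {
        $ExpiredDays = -$ExpireDays
        Write-Log "$DN 密码过期超十天,密码已过期$ExpiredDays 天,上次密码设置时间: $PwdLastset"
        $EmailSubject = "域密码已过期超10天"
        $Emailbody = New-ExpiryMailBodyInline -DisplayName $DN -Days $ExpiredDays -Expired -PasswordLastSet $PwdLastset
    }
    else {
        continue   # more than 10 days left: nothing to send
    }

    if ($DebugRecipient) { $To = $DebugRecipient }
    # One failed send is logged and the scan goes on with the next user.
    try {
        Sendmail $To $EmailSubject $Emailbody
    }
    catch {
        Write-Log "发送邮件失败: $To ($User): $($_.Exception.Message)"
    }
}

Write-Log -Quiet "$(Get-Date) Finish Password Check..."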
这个脚本已经达到了我想要的功能,但还有不少优化空间~~~,请自行发挥吧~
对了,脚本写完后,保存为 .ps1 后缀的文件。
再在域控机器上创建一个定时任务,定期执行以上脚本即可。