⏰ Expiration passwords & certs
Rapport comptes et certificats AD proches de l'expiration
powershellScript
Expiration passwords & certs AD
Rapport des comptes utilisateurs et certificats Active Directory proches de l'expiration.
Script
#Requires -Modules ActiveDirectory
expiration-passwords.ps1 — Rapport expiration mots de passe et certs AD
Paramètres : -WarnDays 30 -ExportCsv "C:\rapports\expiration.csv" -SendMail
param(
[int]$WarnDays = 30,
[string]$ExportCsv = "",
[string]$SmtpServer = "smtp.example.com",
[string]$MailTo = "[email protected]",
[string]$MailFrom = "[email protected]",
[switch]$SendMail
)
$ErrorActionPreference = "Stop"
$Today = Get-Date
Write-Host "`n=== Rapport Expiration AD — $($Today.ToString('dd/MM/yyyy HH:mm')) ===" -ForegroundColor Cyan
── 1. Mots de passe utilisateurs ────────────────────────────
Write-Host "`n📋 Analyse des mots de passe..." -ForegroundColor Yellow
$PasswordPolicy = Get-ADDefaultDomainPasswordPolicy
$MaxPwdAge = $PasswordPolicy.MaxPasswordAge
$Users = Get-ADUser -Filter {
Enabled -eq $true -and
PasswordNeverExpires -eq $false -and
PasswordLastSet -ne $null
} -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, EmailAddress, DisplayName |
Where-Object { $_.PasswordLastSet -ne $null }
$PwdReport = foreach ($User in $Users) {
$PwdExpiry = $User.PasswordLastSet + $MaxPwdAge
$DaysLeft = int.TotalDays
if ($DaysLeft -le $WarnDays) {
[PSCustomObject]@{
Type = "Mot de passe"
Nom = $User.DisplayName ?? $User.SamAccountName
Login = $User.SamAccountName
Email = $User.EmailAddress
Expiration = $PwdExpiry.ToString("dd/MM/yyyy")
JoursRestants = $DaysLeft
Statut = if ($DaysLeft -lt 0) { "EXPIRÉ" }
elseif ($DaysLeft -le 7) { "CRITIQUE" }
else { "ALERTE" }
DernierLogin = $User.LastLogonDate?.ToString("dd/MM/yyyy") ?? "Jamais"
}
}
}
── 2. Certificats dans l'AD (NTAuthCertificates, services) ──
Write-Host "🔐 Analyse des certificats AD..." -ForegroundColor Yellow
$CertReport = @()
try {
# Certificats dans le magasin AD CS
$CAs = Get-ADObject -Filter { objectClass -eq "certificationAuthority" } `
-SearchBase "CN=Public Key Services,CN=Services,CN=Configuration,$(([ADSI]'').distinguishedName)" `
-Properties cACertificate, name -ErrorAction SilentlyContinue
foreach ($CA in $CAs) {
foreach ($CertBytes in $CA.cACertificate) {
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertBytes)
$DaysLeft = int.TotalDays
if ($DaysLeft -le ($WarnDays * 2)) {
$CertReport += [PSCustomObject]@{
Type = "Certificat CA"
Nom = $CA.Name
Login = $Cert.Subject
Email = ""
Expiration = $Cert.NotAfter.ToString("dd/MM/yyyy")
JoursRestants = $DaysLeft
Statut = if ($DaysLeft -lt 0) { "EXPIRÉ" }
elseif ($DaysLeft -le 30) { "CRITIQUE" }
else { "ALERTE" }
DernierLogin = $Cert.Thumbprint.Substring(0,16) + "..."
}
}
}
}
} catch {
Write-Warning "Impossible d'accéder aux certificats CA : $_"
}
── 3. Comptes bientôt verrouillés (inactivité) ──────────────
Write-Host "🔒 Comptes inactifs..." -ForegroundColor Yellow
$InactiveThreshold = $Today.AddDays(-90)
$InactiveUsers = Get-ADUser -Filter {
Enabled -eq $true -and
LastLogonDate -lt $InactiveThreshold
} -Properties LastLogonDate, DisplayName |
Select-Object @{N="Type";E={"Inactivité"}},
@{N="Nom";E={$_.DisplayName}},
@{N="Login";E={$_.SamAccountName}},
@{N="Email";E={""}},
@{N="Expiration";E={"—"}},
@{N="JoursRestants";E={int.TotalDays}},
@{N="Statut";E={"INACTIF"}},
@{N="DernierLogin";E={$_.LastLogonDate.ToString("dd/MM/yyyy")}}
── 4. Rapport consolidé ──────────────────────────────────────
$AllIssues = @($PwdReport) + @($CertReport) + @($InactiveUsers) |
Sort-Object JoursRestants
Write-Host "`n📊 Résumé :" -ForegroundColor Cyan
Write-Host " Mots de passe expirant : $($PwdReport.Count)"
Write-Host " Certificats en alerte : $($CertReport.Count)"
Write-Host " Comptes inactifs (+90j) : $($InactiveUsers.Count)"
Affichage console
$AllIssues | Format-Table -AutoSize @{
Label="Statut"; Expression={
$color = switch($_.Statut) {
"EXPIRÉ" { "Red" }; "CRITIQUE" { "Yellow" }
"ALERTE" { "Cyan" }; default { "White" }
}
$_.Statut
}}, Nom, Login, Expiration, JoursRestants, DernierLogin
── 5. Export CSV ─────────────────────────────────────────────
if ($ExportCsv) {
$AllIssues | Export-Csv -Path $ExportCsv -NoTypeInformation -Encoding UTF8
Write-Host "`n📄 Export CSV : $ExportCsv" -ForegroundColor Green
}
── 6. Envoi email ────────────────────────────────────────────
if ($SendMail -and $AllIssues.Count -gt 0) {
$Html = @"
<html><body>
<h2>Rapport expiration AD — $(Get-Date -Format 'dd/MM/yyyy')</h2>
<h3>🔑 Mots de passe ($($PwdReport.Count) alertes)</h3>
<table border='1' cellpadding='4' style='border-collapse:collapse'>
<tr style='background:#333;color:white'><th>Nom</th><th>Login</th><th>Expiration</th><th>Jours restants</th><th>Statut</th></tr>
$($PwdReport | ForEach-Object {
$bg = if ($_.JoursRestants -lt 0) {"#ffcccc"} elseif ($_.JoursRestants -le 7) {"#ffe0cc"} else {"#ffffcc"}
"<tr style='background:$bg'><td>$($_.Nom)</td><td>$($_.Login)</td><td>$($_.Expiration)</td><td>$($_.JoursRestants)</td><td>$($_.Statut)</td></tr>"
})
</table>
</body></html>
"@
Send-MailMessage -To $MailTo -From $MailFrom -Subject "[AD] Rapport expiration — $(Get-Date -Format 'dd/MM/yyyy')" `
-Body $Html -BodyAsHtml -SmtpServer $SmtpServer -Encoding UTF8
Write-Host "📧 Email envoyé à $MailTo" -ForegroundColor Green
}
Utilisation
# Rapport 30 jours par défaut
.\expiration-passwords.ps1
Alerte 14 jours + export CSV
.\expiration-passwords.ps1 -WarnDays 14 -ExportCsv "C:\rapports\expiration.csv"
Avec envoi email
.\expiration-passwords.ps1 -SendMail -SmtpServer "smtp.domaine.com" -MailTo "[email protected]"
Planification (Task Scheduler)
$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
-Argument "-NonInteractive -File C:\Scripts\expiration-passwords.ps1 -WarnDays 14 -SendMail"
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At "08:00AM"
$Setting = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable
Register-ScheduledTask -TaskName "AD-Expiration-Report" `
-Action $Action -Trigger $Trigger -Settings $Setting `
-RunLevel Highest -User "SYSTEM"
🔧 Ouvrir tools.rdr-it.com — application complète →
Plus de 40 outils AdminSys gratuits · SSL · DNS · Docker · Nginx · SSH · Mermaid · et plus