Automatically emails a user to notify them that their AD password was changed.
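# Name: Email-PasswordChange.ps1
# Author: James Schlackman
# Last Modified: Oct 2 2023
#
# Automatically emails a user to notify them that their AD password was changed.
# Should be configured to run on any non-RO Domain Controller, triggered by a scheduled task
# attached to event ID 4724 (admin reset) in the Security event log, together with either:
# - event ID 4723 (user-initiated change) in the Security event log, or
# - events 10014 and 10015 in the AzureADPasswordProtection log (password for the specified user was validated
#   as compliant) if Azure AD Password Protection is deployed for on-prem AD
#
# Requires the ActiveDirectory PowerShell module (Get-ADUser).
#
# Parameters:
#   -username  sAMAccountName of the account whose password changed (supplied by the task from the event's
#              TargetUserName / Data1 field)
#   -eventID   ID of the triggering event; 4724 selects the "reset by the Help Desk" wording, any other
#              value selects the "changed" wording
# Output: none. Sends one HTML message to the account's Mail attribute. Does nothing when no user with
# that sAMAccountName and a populated Mail attribute is found.
param(
[string]$username,
[int]$eventID
)
$MailRelay = "smtp.contoso.com"
$FromAddress = "Contoso Support <support@contoso.com>"

# Find the user whose password was changed. Only accounts with a populated Mail attribute qualify,
# since there is nowhere to send the notification otherwise.
$pwUser = Get-ADUser -Filter {((samAccountName -eq $username) -and (mail -like "*")) } -Properties PasswordLastSet,Mail
if ($pwUser) {
# PasswordLastSet may be empty on some accounts; fall back to the current time so the message
# and the "next change" calculation below still have a usable timestamp.
# ($null on the left-hand side avoids PowerShell's collection-comparison quirk.)
If ($null -eq $pwUser.PasswordLastSet) {$lastSet = Get-Date} Else {$lastSet = $pwUser.PasswordLastSet}

# Directory attribute values are interpolated into an HTML body below. Encode them so that any
# markup-significant characters in a name or account are displayed literally rather than
# interpreted by the recipient's mail client.
$givenName = [System.Net.WebUtility]::HtmlEncode($pwUser.GivenName)
$accountName = [System.Net.WebUtility]::HtmlEncode($pwUser.samAccountName)

# Define correct terms for message based on whether the password was changed by the user or an admin
$adminReset = ($eventID -eq 4724)
If ($adminReset) {
$verb = "reset by the Help Desk"
$appBehavior = "You will soon be prompted to enter the new password in Microsoft Office applications such as Outlook and OneDrive, as well as in"
# The message text below tells the user they must wait 24 hours before changing the password themselves
$nextChange = $lastSet.AddDays(1)
}
Else {
$verb = "changed"
$appBehavior = "Microsoft Office applications on your laptop will normally pick up the new password automatically, but you may be prompted to enter the new password in"
}
# Set mail subject
$Subject = "Your Contoso password was $verb"
# Create the body of the email (the admin-reset section is only included when $adminReset is true)
$Body = @"
<html>
<head>
<style>body {font-family: Calibri, sans-serif; font-size: 11pt} h1,h2 {font-family: Segoe UI Light,sans-serif} p.footer {margin-top: 3em; font-size: 9pt; font-style: italic; color: gray}</style>
</head>
<body>
<p><em>Please review the following confirmation details and contact the Help Desk if you have any questions.</em></p>
<p>$givenName,</p><p>Your Contoso password for account <b>$accountName</b> was $verb on $lastSet. Here's what to expect next:</p>
<ul><li>$appBehavior GoToConnect, GoToMeeting, and other applications that use this password such as the mail app on your cellphone.</li>
<li>You will need to use the new password when logging into the VPN.</li>
<li>If you have the old password saved in your browser for accessing Office 365, be sure to delete the autofilled password and type the new password next time you log in there.</li></ul>
<p><strong>Note:</strong> if you were not expecting a password change, please contact the Help Desk as soon as possible for assistance:</p>
<ul>
<li><b>Campus East:</b> call <b>555-7894</b></li>
<li><b>Campus West:</b> call <b>555-4784</b></li>
</ul>
$(If ($adminReset) {"<h2>Setting your own password</h2><p>Once you have logged in with the password given to you by the Help Desk, you may wish to
change it to your own unique password. Account passwords can only be changed once every 24 hours, so <b>you will need to wait until after $nextChange
to change your password again</b>. Attempting to change it again before that time will result in an error stating that your password does not meet
the password complexity requirements.</p>
<h2>If you are working from home</h2><p>When your password is reset while working from home, your laptop password does <u>not</u> automatically change.
If you set your own password after 24 hours (see above) the laptop should then pick up the change. Otherwise, you will need to connect to the VPN
with the new password and then lock and unlock your workstation to ensure the new password is synchronized with your laptop password.
Contact the Help Desk if you need assistance with this.</p>"})
<p>Regards,<br />
Contoso Support</p>
<p class="footer">This is a scripted message sent via the Task Scheduler on $env:COMPUTERNAME.</p>
</body></html>
"@
# Send email notification to the address held in the user's Mail attribute
Send-MailMessage -SmtpServer $MailRelay -Subject $Subject -From $FromAddress -BodyAsHtml $Body -To $pwUser.Mail -Encoding UTF8
}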
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2018-06-14T12:00:00</Date>
<Author>james@schlackman.org</Author>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4723 or EventID=4724)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
<ValueQueries>
<Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value>
<Value name="eventID">Event/System/EventID</Value>
</ValueQueries>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>powershell</Command>
<Arguments>-ExecutionPolicy Bypass -File .\Email-PasswordChange.ps1 -username $(TargetUserName) -eventID $(eventID)</Arguments>
<WorkingDirectory>\\contoso.com\SYSVOL\contoso.com\scripts</WorkingDirectory>
</Exec>
</Actions>
</Task>
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2023-08-25T12:00:00</Date>
<Author>james@schlackman.org</Author>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4724]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
<ValueQueries>
<Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value>
<Value name="eventID">Event/System/EventID</Value>
</ValueQueries>
</EventTrigger>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-AzureADPasswordProtection-DCAgent/Admin"&gt;&lt;Select Path="Microsoft-AzureADPasswordProtection-DCAgent/Admin"&gt;*[System[Provider[@Name='Microsoft-AzureADPasswordProtection-DCAgent'] and (EventID=10014 or EventID=10015)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
<ValueQueries>
<Value name="TargetUserName">Event/EventData/Data[@Name='Data1']</Value>
<Value name="eventID">Event/System/EventID</Value>
</ValueQueries>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>powershell</Command>
<Arguments>-ExecutionPolicy Bypass -File .\Email-PasswordChange.ps1 -username $(TargetUserName) -eventID $(eventID)</Arguments>
<WorkingDirectory>\\contoso.com\SYSVOL\contoso.com\scripts</WorkingDirectory>
</Exec>
</Actions>
</Task>