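# ====================================================================
# Search in AD for accounts whose password is about to expire.
# To be used through NRPE / nsclient++
# Author: Alessandro Tosi
# mail: tosiale82@gmail.com
# version 0.1
# ====================================================================
#
# Parameters:
#   -DaysWarningExpiration  days before expiry at which WARNING starts (default 8)
#   -DaysErrorExpiration    days before expiry at which CRITICAL starts (default 3)
#
# Exit codes (Nagios plugin convention):
#   0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN (an AD query failed)
#
# NOTE(review): the expiry window is derived from the default domain password
# policy only; accounts governed by a fine-grained password policy may expire
# on a different schedule - confirm whether that matters for this domain.
# NOTE(review): the output lists the SamAccountName of every account close to
# expiry, so limit who can invoke this check and who can read its results.
#
# Do not change anything below this line!
#
param (
    [int]$DaysWarningExpiration = 8,
    [int]$DaysErrorExpiration = 3
)

# Check that the PowerShell ActiveDirectory module is present and loadable.
if (Get-Module -Name "ActiveDirectory" -ListAvailable) {
    try {
        # -ErrorAction Stop turns a failed import into a terminating error,
        # otherwise the catch block below would not run.
        Import-Module -Name ActiveDirectory -ErrorAction Stop
    }
    catch {
        Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
        exit 2
    }
}
else {
    Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
    exit 2
}

try {
    # A password set before $expiredDate has already expired. -- Do Not Modify --
    $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days
    $expiredDate = (Get-Date).AddDays(-$MaxPwdAge)

    # Cut-off dates for the two notification windows. -- Do Not Modify --
    $WarningDate = (Get-Date).AddDays(-($MaxPwdAge - $DaysWarningExpiration - 1))
    $ErrorDate = (Get-Date).AddDays(-($MaxPwdAge - $DaysErrorExpiration - 1))

    # Columns reported for each account; DaysUntilExpired is the whole number
    # of days between the account's PasswordLastSet and $expiredDate.
    $reportColumns = 'SamAccountName', 'PasswordLastSet', @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $expiredDate | select -ExpandProperty Days}}

    # Enabled accounts whose password was set between $ErrorDate and $WarningDate.
    # @(...) forces an array so that .Count is reliable even when exactly one
    # account matches; without it a single match can read as "no users".
    $WarningUsers = @(
        Get-ADUser -Filter {(PasswordLastSet -lt $WarningDate) -and (PasswordLastSet -gt $ErrorDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet -ErrorAction Stop |
            Select-Object -Property $reportColumns |
            Sort-Object PasswordLastSet
    )

    # Enabled accounts whose password was set between $expiredDate and $ErrorDate.
    # Passwords older than $expiredDate (already expired) match neither query.
    $ErrorUsers = @(
        Get-ADUser -Filter {(PasswordLastSet -lt $ErrorDate) -and (PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet -ErrorAction Stop |
            Select-Object -Property $reportColumns |
            Sort-Object PasswordLastSet
    )
}
catch {
    # A failed directory query must not fall through to the "OK" branch:
    # report UNKNOWN so the monitoring system shows that the check did not run.
    Write-Host "UNKNOWN: Active Directory query failed: $($_.Exception.Message)"
    exit 3
}

# NOTE(review): "\n" below is printed literally (PowerShell's newline escape
# is `n); presumably deliberate for the monitoring front end - confirm.
if ($ErrorUsers.Count -gt 0) {
    Write-Host "CRITICAL: ", $ErrorUsers.Count, "users has the password expiring in the next", $DaysErrorExpiration, "days "
    Write-Host ""
    foreach ($account in $ErrorUsers) {
        Write-Host "\n $($account.SamAccountName) ($($account.DaysUntilExpired) days) "
    }
    Write-Host "\n\n WARNINGS (from $DaysErrorExpiration to $DaysWarningExpiration days):"
    foreach ($account in $WarningUsers) {
        Write-Host "\n $($account.SamAccountName) ($($account.DaysUntilExpired) days) "
    }
    exit 2
}
elseif ($WarningUsers.Count -gt 0) {
    Write-Host "WARNING: ", $WarningUsers.Count, "users has the password expiring in the next", $DaysWarningExpiration, "days "
    foreach ($account in $WarningUsers) {
        Write-Host "\n $($account.SamAccountName) ($($account.DaysUntilExpired) days) "
    }
    exit 1
}
else {
    Write-Host "OK: No user has the password expiring in the next", $DaysWarningExpiration, "days"
    exit 0
}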