Monday, September 1, 2008

AD Password Expiration Email (LDAP/Exchange/AD/PHP)

Often users that telecommute or don't use Windows are blindsided by Active Directory password expirations. Given this, it seems a bit odd that AD doesn't have built-in functionality to email users when they are nearing expiration. Enter this script. The prerequisites are: a working AD setup with Exchange, and a working server with PHP compiled with CLI and LDAP support.

Here goes:

$ldap_host = "ldap://yourDCipaddress";               // domain controller to query
$base_dn = "CN=Users,DC=yourcompanydomain,DC=com";   // container searched for users
$filter = "(CN=*)";                                  // LDAP filter: every object in that container
$ldap_user = "CN=administrator,".$base_dn;           // bind DN
$ldap_pass = "youradministratorpassword";            // bind password

As you can see, we are defining an LDAP host and a CN filter (you can filter based on custom CNs, i.e. one for Linux users so they get this email). I wasn't able to get this LDAP connection working with any account other than administrator. Anyone know how to enable LDAP access for normal users?

The only other function that may require some explaining is calculating the password age. Windows uses Jan 1, 1601 as the base date for its time stamps, and pwdLastSet counts 100-nanosecond intervals since that date (hence the division by 10,000,000 to get seconds). Unix uses Jan 1, 1970, so the two time stamps need converting before they can be compared.

// pwdLastSet is a FILETIME: 100-nanosecond intervals since Jan 1, 1601 (UTC)
$pwdlast = $data["pwdlastset"][0]/10000000;   // to seconds since 1601
$pwdlast = round($pwdlast,0);
$pwdlast -= 11644473600;                      // seconds between 1601-01-01 and 1970-01-01 (134774 days)
// 10368000 seconds = 120 days, the domain's maximum password age
// result is positive once the password has expired, negative while it is still valid
$numDays = (time()) - ($pwdlast + 10368000);
$numDays = $numDays/86400;
$numDays = round($numDays);
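
The same conversion as an added PHP example (not the original script), generalized to cover the cases the snippet skips: it reads the maximum age from the domain's maxPwdAge attribute instead of hard-coding 120 days, and treats a pwdLastSet of 0 (must change at next logon) and the userAccountControl "never expires" bit as non-expiring. The pwdLastSet, maxPwdAge and date values are constructed.

```php
<?php
// Added example, not the original script: convert pwdLastSet to Unix time
// and work out how many days remain before an AD password expires.

// Seconds between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01).
const WINDOWS_TO_UNIX_EPOCH_SECS = 11644473600;
// userAccountControl bit "password never expires" (DONT_EXPIRE_PASSWD).
const UF_DONT_EXPIRE_PASSWD = 0x10000;

// pwdLastSet is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
// On 64-bit PHP the value fits in an int; old 32-bit builds would need bcdiv().
function filetimeToUnix(string $filetime): int
{
    return intdiv((int) $filetime, 10000000) - WINDOWS_TO_UNIX_EPOCH_SECS;
}

// maxPwdAge on the domain object is a negative count of 100-ns intervals.
function maxPwdAgeDays(string $maxPwdAge): int
{
    return intdiv(-(int) $maxPwdAge, 10000000 * 86400);
}

// Whole days until expiry (negative once expired), or null when the password
// cannot expire or must be changed at next logon (pwdLastSet == 0).
function daysUntilExpiry(string $pwdLastSet, int $uac, int $maxAgeDays, int $now): ?int
{
    if (($uac & UF_DONT_EXPIRE_PASSWD) || (int) $pwdLastSet === 0) {
        return null;
    }
    $expiresAt = filetimeToUnix($pwdLastSet) + $maxAgeDays * 86400;
    return (int) floor(($expiresAt - $now) / 86400);
}

// Constructed sample: password set 2008-08-01 00:00 UTC, checked on 2008-09-01,
// domain maxPwdAge of 120 days, userAccountControl 512 (normal account).
$maxAge = maxPwdAgeDays("-103680000000000");
$now = gmmktime(0, 0, 0, 9, 1, 2008);
$days = daysUntilExpiry("128620224000000000", 512, $maxAge, $now);

if ($days === null) {
    echo "password does not expire\n";
} elseif ($days <= 14) {
    echo "warn user: password expires in $days day(s)\n";
} else {
    echo "ok: $days day(s) left\n";
}
```

Fine-grained password policies (PSOs) can override the domain maxPwdAge for individual users or groups, so the value read from the domain object is only the default.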

I believe that the rest of the code should be rather self-explanatory. If you can't follow for loops and sending emails in PHP, you have no business using this script :).

Download the script now!

Microsoft Date Conversion Resource
