Versasec: Email Expiring Smart Card Users

This script reads a CSV and emails users whose smart card logon certificates are going to expire within the next 30 days.

It will give them a stock email with instructions on how to renew their certificate.

It will also email the chosen administrators to inform them as to who has been emailed.

There is one large caveat with this script: the input CSV needs to be created manually.

The smart card management system this was designed to work alongside had a feature to do this very thing, but not in as much detail and not with the same functionality.

Unfortunately it stored all users in an encrypted flat-file database, which meant that I was unable to retrieve the information from the application via a SQL query or SQL dump from the script.

[cc lang='powershell']

###################################################################################
#
# Script to Email Users whose smart card certificates are going to expire soon.
#
# 2018/Jan/22
#
###################################################################################
Push-Location (Split-Path -Path $MyInvocation.MyCommand.Definition -Parent)
$Now        = Get-Date                      # DateTime, used for age and expiry arithmetic
$Date       = Get-Date -Format dd-MM-yy     # string, used in file names and the report
$CSV        = '.\SCUsersExpiringNext30days.csv'
$smtpserver = 'YOUR-SMTP-SERVER'
$emailFrom  = '[email protected]'
$encoding   = [System.Text.Encoding]::UTF8

# Make sure the output folder exists and drop last run's per-window lists,
# so a window with no users today is not reported from a stale file.
New-Item -ItemType Directory -Path .\output -Force | Out-Null
Remove-Item '.\output\Expiring in *.txt' -ErrorAction SilentlyContinue

# Validate CSV and email accordingly.
$CSVStatus = $null
If (Test-Path $CSV) {
    $CSVStatus = "CSV Exists"
    Write-Host "CSV Exists!" -ForegroundColor Green -BackgroundColor DarkGreen
    $lastmodifieddate = (Get-Item $CSV).LastWriteTime
    $csvlastupdate = (New-TimeSpan -Start $lastmodifieddate -End $Now).Days
    Write-Host "$csvlastupdate days since modified" -ForegroundColor Green -BackgroundColor DarkGreen
    If ($csvlastupdate -gt 7) {
        $CSVStatus = "CSV Exists; but is over 7 days old!"
        Write-Host $CSVStatus -ForegroundColor Yellow -BackgroundColor DarkYellow
        $emailto = '[email protected]'
        $subject = "URGENT! Smart Card Certificate Expiry CSV More than 7 days Old!"
        $body = Get-Content .\emails\GT7.htm -Raw
        Send-MailMessage -SmtpServer $smtpserver -From $emailFrom -To $emailto -Subject $subject -Body $body -BodyAsHtml -Priority High -Encoding $encoding
    }
    Else {
        $CSVStatus = "CSV less than 7 days since modified! Running Script!"
        Write-Host $CSVStatus -ForegroundColor Green -BackgroundColor DarkGreen
    }
}
Else {
    $CSVStatus = "CSV Does Not Exist!"
    Write-Host $CSVStatus -ForegroundColor Red -BackgroundColor DarkRed
    $emailto = '[email protected]'
    $subject = "URGENT! Smart Card Certificate Expiry CSV DOES NOT EXIST!"
    $body = Get-Content .\emails\NoCSV.htm -Raw
    Send-MailMessage -SmtpServer $smtpserver -From $emailFrom -To $emailto -Subject $subject -Body $body -BodyAsHtml -Priority High -Encoding $encoding
    Exit
}

# Emails every user whose certificate expires more than $lower and less than
# $upper days from now, and writes the addresses to one file per window.
function Get-Expirers($upper, $lower) {
    $scexpires = Import-Csv $CSV
    $emails = @()
    $scexpires | ForEach-Object {
        # Other columns (ID, Serial Number, Valid From, Template) are available as $_."Serial Number" etc.
        $IssuedTo = $_.("Issued To")
        $IssuedTo = $IssuedTo -replace ".*CN=", ""   # removes clutter in the 'reverse distinguished name' the smart card application provides
        $name = $IssuedTo
        $issuedTo = $IssuedTo -replace " ", ""       # removes spaces for the AD search
        $issuedTo = $issuedTo -replace "'", ""       # removes pesky apostrophes from names
        $ExpiryDate = $_.("Valid To") -as [datetime]

        $adUser = Get-ADUser -LDAPFilter "(sAMAccountName=$issuedTo)" -Properties mail
        If ($null -eq $adUser) {
            # Append rather than overwrite so every unmatched user from this run is recorded.
            $issuedTo | Add-Content ".\output\UsersNotInAD-$Date.txt"
        }
        ElseIf ($ExpiryDate -lt $Now.AddDays($upper) -and $ExpiryDate -gt $Now.AddDays($lower)) {
            # User exists in AD and the certificate expires inside this window.
            $issuedToEmail = $adUser.mail
            If ($null -eq $issuedToEmail) { return }   # no mail attribute in AD; nothing to send
            $emails += $issuedToEmail

            ####################################################
            # Send some Emails
            $daystoexpire = (New-TimeSpan -Start $Now -End $ExpiryDate).Days
            If ($daystoexpire -gt 1) { $messagedays = "in $daystoexpire days" }
            Else { $messagedays = 'today' }
            $subject = "Action Required - Your Smartcard certificate is due to expire $messagedays"
            $body = Get-Content .\emails\smartcard_expiry_message.htm -Raw
            $body = $body.Replace('$name', $name)
            $body = $body.Replace('$messagedays', $messagedays)
            Send-MailMessage -SmtpServer $smtpserver -From $emailFrom -To $issuedToEmail -Subject $subject -Body $body -BodyAsHtml -Priority High -Encoding $encoding
        }
    }
    # One file per window, named by its lower bound; read back by the report below.
    $emails | Set-Content ".\output\Expiring in $lower days.txt"
}

Get-Expirers -lower 0 -upper 1
Get-Expirers -lower 1 -upper 7
Get-Expirers -lower 7 -upper 14
Get-Expirers -lower 14 -upper 21
Get-Expirers -lower 21 -upper 28
Get-Expirers -lower 28 -upper 31

# Send Report email to Tech teams (a file is absent when its window had no users)
$xtoday    = Get-Content ".\output\Expiring in 0 days.txt"  -ErrorAction SilentlyContinue
$xTomorrow = Get-Content ".\output\Expiring in 1 days.txt"  -ErrorAction SilentlyContinue
$x7Days    = Get-Content ".\output\Expiring in 7 days.txt"  -ErrorAction SilentlyContinue
$x14days   = Get-Content ".\output\Expiring in 14 days.txt" -ErrorAction SilentlyContinue
$x21days   = Get-Content ".\output\Expiring in 21 days.txt" -ErrorAction SilentlyContinue
$x28days   = Get-Content ".\output\Expiring in 28 days.txt" -ErrorAction SilentlyContinue
$notInAD   = Get-Content ".\output\UsersNotInAD-$Date.txt"  -ErrorAction SilentlyContinue

$emailto = '[email protected]'
$subject = "Smart Card Certificate Expiry Emails Sent Today"

$xbody = Get-Content .\emails\Emailreport.htm -Raw

If ($null -eq $xtoday)    { $xtoday    = 'No users' } Else { $xtoday    = $xtoday    | Out-String }
If ($null -eq $xTomorrow) { $xTomorrow = 'No users' } Else { $xTomorrow = $xTomorrow | Out-String }
If ($null -eq $x7Days)    { $x7Days    = 'No users' } Else { $x7Days    = $x7Days    | Out-String }
If ($null -eq $x14days)   { $x14days   = 'No users' } Else { $x14days   = $x14days   | Out-String }
If ($null -eq $x21days)   { $x21days   = 'No users' } Else { $x21days   = $x21days   | Out-String }
If ($null -eq $x28days)   { $x28days   = 'No users' } Else { $x28days   = $x28days   | Out-String }
If ($null -eq $notInAD)   { $notInAD   = 'No users' } Else { $notInAD   = $notInAD   | Out-String }

# Fill the #placeholders in the report template (-replace is case-insensitive).
$xbody = $xbody -replace "#Date", "$Date"
$xbody = $xbody -replace "#xtoday", "$xtoday"
$xbody = $xbody -replace "#xTomorrow", "$xTomorrow"
$xbody = $xbody -replace "#x7Days", "$x7Days"
$xbody = $xbody -replace "#x14days", "$x14days"
$xbody = $xbody -replace "#x21days", "$x21days"
$xbody = $xbody -replace "#x28days", "$x28days"
# Strip the organisation's mail domain so the report shows one username per line.
$xbody = $xbody -replace "@interservefls.gse.gov.uk", "<br><br>"
$xbody = $xbody -replace "#CSVStatus", "$CSVStatus"
$xbody = $xbody -replace "#NotInAD", "$notInAD"

Send-MailMessage -SmtpServer $smtpserver -From $emailFrom -To $emailto -Subject $subject -Body $xbody -BodyAsHtml -Priority High -Encoding $encoding -Verbose
Pop-Location

[/cc]

The CSV should be laid out in the following format; you can of course modify the script and the CSV to suit your needs.

[cc lang='csv']

ID,Issued to,Serial Number,Valid to,Valid from,Template
1234,"DC=UK, DC=yourorg, DC=yourco, DC=DOM, OU=HQ, OU=Users, CN=Joe Bloggs",7D00006638281FF48060C3F02B000100006638,"Apr 28, 2018 13:34:06","Apr 28, 2017 13:34:06", User Card

[/cc]
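To check a CSV in this layout before letting the script mail anyone, the following added snippet (my own example, not part of the original post or the script) parses the rows, pulls the CN out of the reverse distinguished name, derives the account name the same way the script does, and assigns each certificate to the same 0/1/7/14/21/28-day windows the repeated Get-Expirers calls use. The second and third rows, their serial numbers and the fixed "now" value are constructed so the output is reproducible; it sends no mail and does not touch AD.

```powershell
# Constructed sample: the first row is the one from the post, the others are made up.
$sampleCsv = @'
ID,Issued to,Serial Number,Valid to,Valid from,Template
1234,"DC=UK, DC=yourorg, DC=yourco, DC=DOM, OU=HQ, OU=Users, CN=Joe Bloggs",7D00006638281FF48060C3F02B000100006638,"Apr 28, 2018 13:34:06","Apr 28, 2017 13:34:06", User Card
1235,"DC=UK, DC=yourorg, DC=yourco, DC=DOM, OU=HQ, OU=Users, CN=Jane O'Neill",00CONSTRUCTEDSERIAL0002,"May 12, 2018 09:00:00","May 12, 2017 09:00:00", User Card
1236,"DC=UK, DC=yourorg, DC=yourco, DC=DOM, OU=HQ, OU=Users, CN=Sam Old",00CONSTRUCTEDSERIAL0003,"Apr 20, 2018 08:15:00","Apr 20, 2017 08:15:00", User Card
'@

# Fixed reference time so the buckets below are deterministic; use (Get-Date) in practice.
$now = [datetime]'2018-04-27T12:00:00'

# The (lower, upper) day windows the script passes to Get-Expirers.
$buckets = @(
    @{ Lower = 0;  Upper = 1  },
    @{ Lower = 1;  Upper = 7  },
    @{ Lower = 7;  Upper = 14 },
    @{ Lower = 14; Upper = 21 },
    @{ Lower = 21; Upper = 28 },
    @{ Lower = 28; Upper = 31 }
)

function ConvertFrom-ReverseDn {
    param([string]$Dn)
    # Keep only the CN value, mirroring the script's -replace ".*CN=", ""
    return ($Dn -replace '.*CN=', '')
}

function Get-ExpiryBucket {
    param([datetime]$ValidTo, [datetime]$Now)
    # Same test as the script's Where-Object: later than now+lower, earlier than now+upper.
    $days = ($ValidTo - $Now).TotalDays
    foreach ($b in $buckets) {
        if ($days -gt $b.Lower -and $days -lt $b.Upper) { return $b.Lower }
    }
    return $null   # already expired, or more than 31 days away
}

$rows = $sampleCsv | ConvertFrom-Csv
foreach ($row in $rows) {
    # Parse the CSV's fixed date format explicitly instead of relying on the
    # machine's culture (the script casts with -as [datetime]).
    $validTo = [datetime]::ParseExact($row.'Valid to', 'MMM d, yyyy HH:mm:ss',
                                      [cultureinfo]::InvariantCulture)
    $name = ConvertFrom-ReverseDn $row.'Issued to'
    # The script builds the sAMAccountName by stripping spaces and apostrophes.
    $sam = ($name -replace ' ', '') -replace "'", ''
    $bucket = Get-ExpiryBucket -ValidTo $validTo -Now $now
    [pscustomobject]@{
        Name   = $name
        Sam    = $sam
        Expiry = $validTo
        Window = $(if ($null -eq $bucket) { 'none' } else { "Expiring in $bucket days" })
    }
}
# Expected: Joe Bloggs -> "Expiring in 1 days", Jane O'Neill -> "Expiring in 14 days",
# Sam Old -> "none" (already expired, so the script would never mail that user).
```

Running this against the real export before the mailing job is a cheap way to catch a changed date format or an export that no longer strips down to a plain CN, both of which would otherwise surface only as "UsersNotInAD" entries or missing notifications.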


Email Templates look like the following:

Greater than 7 Day old CSV file.

[cc lang='html']

<!-- Message template used by PowerShell script to mail admin accounts that the CSV has not been updated. -->
<html>
<head>
<style type='text/css'>
<!--
#container {
color:#0072C6;
font-family:'Calibri','Arial','Verdana';
margin-left:auto;
margin-right:auto;
text-align:justify;
}
-->
</style>
</head>
<body>
<div id='container'>
<h3>LADS!</h3>
<h3 style="color:red;">The CSV for the Smart Card Certificate Expirations IS OLD!!</h3>
<h3>Please go and make sure that this file is updated!</h3>
</div>
</body>
</html>

[/cc]

No CSV File present.

[cc lang='html']

<!-- Message template used by PowerShell script to mail admin accounts that the CSV does not exist. -->
<html>
<head>
<style type='text/css'>
<!--
#container {
color:#0072C6;
font-family:'Calibri','Arial','Verdana';
margin-left:auto;
margin-right:auto;
text-align:justify;
}
-->
</style>
</head>
<body>
<div id='container'>
<p>LADS!</p>
<h3 style="color:red;">The CSV for the Smart Card Certificate Expirations does not exist!!</h3>
<h3>Please go and make sure that this file is created!</h3>
</div>
</body>
</html>

[/cc]

Email Report:

[cc lang='html']

<!-- Message template used by PowerShell script to send the daily report of notified users to the support teams. -->
<html>
<head>
<style type='text/css'>
<!--
#container {
color:#0072C6;
font-family:'Calibri','Arial','Verdana';
margin-left:auto;
margin-right:auto;
text-align:justify;
}
-->
</style>
</head>
<body>
<div id='container'>
<p>Hello Support Teams,</p>
<h3>#CSVStatus</h3>
<h3>The Following users were emailed today #Date for Smart Card Certificate Expirations.</h3>
</div>
<style type="text/css">
.tg  {border-collapse:collapse;border-spacing:0;border-color:#999;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#999;color:#444;background-color:#F7FDFA;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#999;color:#fff;background-color:#26ADE4;}
.tg .tg-6dj7{font-weight:bold;font-size:small;background-color:#34cdf9;color:#343434;text-align:center;vertical-align:top}
.tg .tg-y5sk{font-size:x-small;vertical-align:top}
</style>
<table class="tg">
<tr>
<th class="tg-6dj7">Today</th>
<th class="tg-6dj7">Tomorrow</th>
<th class="tg-6dj7">7 Days</th>
<th class="tg-6dj7">14 Days</th>
<th class="tg-6dj7">21 Days</th>
<th class="tg-6dj7">28 Days</th>
</tr>
<tr>
<td class="tg-y5sk">#xToday</td>
<td class="tg-y5sk">#xTomorrow</td>
<td class="tg-y5sk">#x7days</td>
<td class="tg-y5sk">#x14Days</td>
<td class="tg-y5sk">#x21Days</td>
<td class="tg-y5sk">#x28Days</td>
</tr>
</table>
<br>
<table class="tg">
<tr>
<th class="tg-6dj7">Users not in AD with expiring SC Cert.</th>
</tr>
<tr>
<td class="tg-y5sk">#notInAD</td>
</tr>
</table>

</body>
</html>

[/cc]

The email message each user receives starts with the following; renewal instructions follow it. The $name and $messagedays placeholders are filled in by the script.

[cc lang='html']

Dear $name

Your smartcard certificate will expire $messagedays – If you do not re-issue the certificate before it expires it will impact your ability to logon

PLEASE DO NOT RESPOND TO THIS EMAIL – THIS IS FOR NOTIFICATION PURPOSES ONLY

If you have already reissued your Smart Card Certificate, then you can safely disregard this email.

[/cc]
