
Streamlining User Account Off-boarding w/ Powershell (AD, Exchange, Helpdesk Ticket)

Jacob Durham
Systems Administrator
We are working on streamlining our off-boarding and on-boarding process, and with that comes account management. Our problem was that we have many different accounts with different vendors, and accounts were being left stale.

I decided to write a PowerShell script that takes care of most of the mouse-clicking in our off-boarding process. The script is below; feel free to post any comments or questions.


What it does:


  1. Disables the user's account.
  2. Moves the user to the "Disabled Users" OU in AD.
  3. Removes the user from all AD groups except "Domain Users".
  4. Notates the user's account with the date and the name of the person who disabled them.
  5. Hides the user from the Exchange address lists.
  6. Flags the user's mailbox so it only accepts mail from the "Postmaster".
  7. Using the user's city and state, the script (1) picks the vendors associated with that sales area (the lookup is by state) and (2) emails those vendors requesting that any accounts be disabled.
  8. Can be run against a single user or a CSV, depending on which #region you uncomment.


Things I will add:


  1. Vendor/account logic based on the "Role" field.
  2. Appending disabled usernames to a list with the history of changes.
  3. Appending the groups the user was part of to the "Notes" field on disable.
  4. Resetting the password to a random value on disable.
  5. Notifying the user's "Supervisor" on disable.
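The items above are not in the script further down, so here is an added example (written for this page, not taken from the author's script) of how items 2 to 5 can be done with the ActiveDirectory module: a CSV history log, the former group list written to the "Notes" field (the `info` attribute), a random password reset from a CSPRNG, and an email to the user's manager. The log path, `$smtpServer`, and the assumption that the `manager` attribute is populated are this example's own.

```powershell
# Added example, not part of the original off-boarding script.
# Assumes the ActiveDirectory module, a writable $historyLog path, an SMTP relay at
# $smtpServer, and that the user's "manager" attribute is set; all names here are assumed.
Import-Module ActiveDirectory

$historyLog = "C:\Users\jacoby\Documents\ScriptsandPowershell\disabled-history.csv"   # assumed path
$smtpServer = "email.mycompany.com"
$me         = $env:USERNAME

function New-RandomPassword {
    # Random password from a CSPRNG. The set has exactly 64 symbols, so "byte mod 64"
    # is unbiased; ambiguous characters (I, l, O, 0, 1) are left out.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*+'
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Disable-OffboardedUser {
    param([Parameter(Mandatory)][string]$UserName)

    $user   = Get-ADUser -Identity $UserName -Properties MemberOf, Manager, Info, DisplayName
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $stamp  = Get-Date -Format "yyyy-MM-dd HH:mm"

    # 2. Append who was disabled, when, by whom and with which groups to a running history file
    [pscustomobject]@{
        Date       = $stamp
        DisabledBy = $me
        UserName   = $user.SamAccountName
        Groups     = ($groups -join ';')
    } | Export-Csv -Path $historyLog -Append -NoTypeInformation

    # 3. Put the former group list in the "Notes" field (the info attribute), keeping existing notes
    $note    = "Disabled $stamp by $me. Former groups: $($groups -join ', ')"
    $newInfo = if ($user.Info) { "$($user.Info)`r`n$note" } else { $note }
    Set-ADUser -Identity $user -Replace @{ info = $newInfo }

    # 4. Reset the password to a random value the user never sees, then disable the account,
    #    so a disabled account cannot be re-enabled later with a password the user still knows
    $newPassword = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    Disable-ADAccount -Identity $user -Confirm:$false

    # 5. Notify the supervisor, if the manager attribute points at someone with a mail address
    if ($user.Manager) {
        $manager = Get-ADUser -Identity $user.Manager -Properties Mail
        if ($manager.Mail) {
            Send-MailMessage -SmtpServer $smtpServer -From "$me@mycompany.com" -To $manager.Mail `
                -Subject "Account disabled: $($user.DisplayName) ($($user.SamAccountName))" `
                -Body "The account was disabled on $stamp by $me. Former groups: $($groups -join ', ')"
        }
    }
}

# Usage: Disable-OffboardedUser -UserName jdoe
```

The password reset happens before Disable-ADAccount so that the order matches what a helpdesk would want if the disable step were later reverted: the old password is gone either way.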



---------------------- Powershell Code ------------------------------

#define variables


#location to CSV file with usernames (one "username" column)
$csvFile    = "C:\Users\jacoby\Documents\ScriptsandPowershell\terminations.csv"
#location of disabled users OU
$disabledUsersOU = "OU=Disabled Users,DC=internal,DC=mycompany,DC=com"
#Exchange remote PowerShell session; on-prem Exchange expects Kerberos on its http PowerShell endpoint
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://sea-mail-01.internal.mycompany.com/PowerShell" -Authentication Kerberos
#the only sender the disabled mailbox will still accept mail from
$postmaster   = "postmaster@mycompany.com"
#description written to the account
$me       = $env:username
$date      = Get-Date -Format "M.d.yyyy"
$description  = "By $me On $date - quit or terminated"


#vendor contacts per sales area, looked up by state when the notification email is built
$vendorsByState = @{
  WA = @{ cc1 = "vendoremail@none.com"; cc2 = "vendoremail@none.com, vendoremail@none.com" }
  CA = @{ cc1 = "vendoremail@none.com"; cc2 = "vendoremail@none.com" }
  OR = @{ cc1 = "vendoremail@none.com"; cc2 = "vendoremail@none.com, vendoremail@none.com" }
  AK = @{ cc1 = "vendoremail@none.com"; cc2 = "vendoremail@none.com" }
}


Import-Module ActiveDirectory


#region - Use this for CSV import
# $users = Import-Csv $csvFile
#endregion


#region - Use this for single user input ($input is an automatic variable in PowerShell, so it is not used as the name here)
# $userName = Read-Host "Enter Username"
# $users = New-Object psobject -Property @{username = $userName}
#endregion


$users | ForEach-Object {
  # Disable the account
  Disable-ADAccount -Identity $_.UserName -Confirm:$false
  # Retrieve the user object and MemberOf property
  $user = Get-ADUser -Identity $_.UserName -Properties MemberOf
  # Set Description
  Set-ADUser -Identity $user -Description $description
  # Remove all group memberships (will leave Domain Users as this is NOT in the MemberOf property returned by Get-ADUser)
  foreach ($group in $user.MemberOf)
  {
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
  }
  # Move user object to disabled users OU - done last, because the move changes the DN the calls above were made against
  $user | Move-ADObject -TargetPath $disabledUsersOU -Confirm:$false
}


Write-Output "Removing users from Exchange - this may take some time...."


#we're done with AD, this part connects to Exchange, hides each user from the address lists and changes their allowed senders to "Postmaster" only


Import-PSSession $ExchangeSession -AllowClobber


$users | ForEach-Object {
  Set-Mailbox -Identity $_.UserName -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom $postmaster
}


Remove-PSSession $ExchangeSession


#that's done, let's send the email (one per user, with the vendors for that user's state)


$users | ForEach-Object {
$user1 = $_.username
$n  = Get-ADUser $user1 -Properties name, city, state | Select-Object name, city, state


# Pick the vendors for this user's sales area; a state with no entry gets empty strings
$vendorcc1 = ""
$vendorcc2 = ""
if ($n.state -and $vendorsByState.ContainsKey($n.state)) {
  $vendorcc1 = $vendorsByState[$n.state].cc1
  $vendorcc2 = $vendorsByState[$n.state].cc2
}


$emailbody =@"
<p>Greetings!</p>
<p>The following users have been disabled from systems. This has been processed automatically.&nbsp;</p>
<p>You are receiving this email so you can remove the user from the below systems.</p>
<p>&nbsp;</p>
<p>Name - $($n.name)</p>
<p>Username - $($_.UserName)</p>
<p><strong>Location - $($n.city), $($n.state)</strong></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>You must disable the users in the following systems:</strong></p>
<ul>
<li>vendor1</li>
<li>vendor2</li>
<li>vendor3</li>
<li>vendor4</li>


</ul>
<p><br /><br />A copy of this message has been sent to $vendorcc1 and $vendorcc2. If you are a vendor1 or vendor2, please disable any account associated with the named user.</p>
<p>Lastly, please mark any equipment assigned to this user as returned or available.</p>
<p>Thanks!&nbsp;</p>
"@


$splat = @{
  To    = "jacob@mycompany.com"
 # CC    = "helpdesk@mycompany.com"
 # BCC    = "$vendorcc1, $vendorcc2" -split ",\s*"   # -Bcc takes an array of addresses, not one comma-separated string
  From   = "$me@mycompany.com"
  Subject  = "The user $($n.name), with username $($_.UserName) has been disabled - Action Required"
  Body   = $emailbody 
  SmtpServer = "email.mycompany.com"
  BodyAsHtml = $true
}


Send-MailMessage @splat
}


#count what was actually processed, which works for both the CSV and the single-user region
$truetotal = @($users).Count


Write-Host " $truetotal accounts have been processed..." -ForegroundColor Green


pause


Hope you found this useful.


