Streamlining User Account Off-boarding w/ Powershell (AD, Exchange, Helpdesk Ticket)

Jacob Durham
Systems Administrator
We are working on streamlining our off-boarding and on-boarding process, and account management comes with it. Our problem is that we have many accounts with different vendors, and those accounts were being left stale after people left.

I decided to make a PowerShell script that takes care of most of the mouse-clicking in our off-boarding process. The script is below; feel free to post any comments or questions.


What it does:


  1. Disables the user's account.
  2. Moves the user to the "Disabled Users" OU in AD.
  3. Removes the user from all AD groups except "Domain Users."
  4. Notates the user's account with the Date and Name of the person who disabled them.
  5. Hides the user from Exchange Address Lists.
  6. Flags the user's email to only be able to receive an email from the "Postmaster."
  7. Using the user's city and state, the script (1) selects the vendors associated with that sales area and (2) emails those vendors requesting that the user's accounts be disabled.
  8. Can be run against a single user or a CSV file, depending on which #region you uncomment.


Things I will add:

 

  1. Vendor/Account logic based on "Role" field.
  2. Appending disabled usernames to list with the history of changes.
  3. Appending groups that user was part of to "Notes" field on disable.
  4. Reset password to random on disable.
  5. Notification of "Supervisor" on disable.
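As an added example (not part of the original script), here is one way items 3 and 4 could be done inside the script's per-user loop: the group names are written to the account's Notes field (the AD attribute `info`) before the memberships are removed, and the password is reset to a random value nobody records, so the credential is dead even if the account is ever re-enabled. `$user` and `$description` are the script's own variables; the `Get-RandomPassword` helper and its name are assumptions.

```powershell
# Helper (assumed, not from the original script): a random password from the
# OS CSPRNG. Base64 of 24 random bytes gives 32 characters of upper, lower,
# digits plus '+' and '/', which in practice meets the default complexity policy.
function Get-RandomPassword {
  param([int]$Bytes = 24)
  $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
  $buffer = New-Object byte[] $Bytes
  $rng.GetBytes($buffer)
  $rng.Dispose()
  return [Convert]::ToBase64String($buffer)
}

# Place the following inside the script's $users | ForEach-Object { ... } block,
# after  $user = Get-ADUser -Identity $_.username -Properties MemberOf
# and before the Remove-ADGroupMember loop.

# 3. Record the memberships in the Notes field (attribute 'info') before they
#    are removed, so the history survives for an audit or a re-hire.
#    'info' holds at most 1024 characters; very long lists would need truncation.
$groupNames = $user.MemberOf | ForEach-Object {
  (Get-ADGroup -Identity $_).Name
}
$notes = "$description`r`nGroups at disable: $($groupNames -join ', ')"
Set-ADUser -Identity $user -Replace @{ info = $notes }

# 4. Reset the password to a random value that is never stored or displayed.
$newPassword = ConvertTo-SecureString -String (Get-RandomPassword) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
```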



---------------------- Powershell Code ------------------------------

#define variables

#location of CSV file with usernames (the CSV needs a "username" column)
$csvFile     = "C:\Users\jacoby\Documents\ScriptsandPowershell\terminations.csv"
#location of disabled users OU
$disabledUsersOU = "OU=Disabled Users,DC=internal,DC=mycompany,DC=com"
#Exchange remote PowerShell session
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://sea-mail-01.internal.mycompany.com/PowerShell"
#the only sender a disabled mailbox will still accept mail from (adjust to your postmaster address)
$Postmaster   = "postmaster@mycompany.com"
#description written to the AD account
$me       = $env:username
$date      = Get-Date -Format "M.d.yyyy"
$description  = "By $me on $date - quit or terminated"


Import-Module ActiveDirectory


#region - Use this for CSV import
# $users = Import-Csv $csvFile
#endregion


#region - Use this for single user input ($input is a reserved automatic variable, so another name is used)
# $userName = Read-Host "Enter Username"
# $users = New-Object psobject -Property @{username = $userName}
#endregion


$users | ForEach-Object {
  # Disable the account
  Disable-ADAccount -Identity $_.username -Confirm:$false
  # Retrieve the user object and MemberOf property
  $user = Get-ADUser -Identity $_.username -Properties MemberOf
  # Set Description (who disabled the account and when)
  Set-ADUser -Identity $user -Description $description
  # Remove all group memberships (Domain Users stays, as the primary group is NOT in the MemberOf property returned by Get-ADUser)
  foreach ($group in $user.MemberOf)
  {
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
  }
  # Move user object to disabled users OU; done last, because the move changes the DN held in $user
  $user | Move-ADObject -TargetPath $disabledUsersOU -Confirm:$false
}


Write-Output "Updating users in Exchange - this may take some time...."


#we're done with AD, this part connects to Exchange, hides each user from the address lists and changes their allowed senders to "Postmaster" only


Import-PSSession $ExchangeSession -AllowClobber


$users | ForEach-Object {
  Set-Mailbox -Identity $_.username -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom $Postmaster
}


Remove-PSSession $ExchangeSession


#that's done, let's send the email


$users | ForEach-Object {
  $user1 = $_.username
  $n  = Get-ADUser $user1 -Properties name, city, state | Select-Object name, city, state

  # pick the vendor contacts for this user's sales area (by state)
  switch ($n.state) {
    WA {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com, vendoremail@none.com"
    }
    CA {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com"
    }
    OR {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com, vendoremail@none.com"
    }
    AK {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com"
    }
    default {
      # unknown sales area: do not reuse the previous user's vendors
      $vendorcc1 = ""
      $vendorcc2 = ""
    }
  }

$emailbody = @"
<p>Greetings!</p>
<p>The following users have been disabled from systems. This has been processed automatically.&nbsp;</p>
<p>You are receiving this email so you can remove the user from the below systems.</p>
<p>&nbsp;</p>
<p>Name - $($n.name)</p>
<p>Username - $user1</p>
<p><strong>Location - $($n.city), $($n.state)</strong></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>You must disable the users in the following systems:</strong></p>
<ul>
<li>vendor1</li>
<li>vendor2</li>
<li>vendor3</li>
<li>vendor4</li>
</ul>
<p><br /><br />A copy of this message has been sent to $vendorcc1 and $vendorcc2. If you are a vendor1 or vendor2, please disable any account associated with the named user.</p>
<p>Lastly, please mark any equipment assigned to this user as returned or available.</p>
<p>Thanks!&nbsp;</p>
"@

  $splat = @{
    To     = "jacob@mycompany.com"
   # CC     = "helpdesk@mycompany.com"
   # BCC    = "$vendorcc1, $vendorcc2"
    From    = "$me@mycompany.com"
    Subject  = "The user $($n.name), with username $user1 has been disabled - Action Required"
    Body    = $emailbody
    SmtpServer = "email.mycompany.com"
    BodyAsHtml = $true
  }

  Send-MailMessage @splat
}


#count what was processed (correct for both the CSV and the single user input)
$truetotal = ($users | Measure-Object).Count


Write-Host " $truetotal accounts have been processed..." -ForegroundColor Green


pause


Hope you found this useful.


