Streamlining User Account Off-boarding w/ Powershell (AD, Exchange, Helpdesk Ticket)

Jacob DurhamNetwork and System Admin
CERTIFIED EXPERT
Systems Administrator
Published:
Edited by: Andrew Leniart
We are working on a streamlining our off-boarding and on-boarding process. With this, comes account management. Our problem is that we have multiple different accounts with different vendors and accounts were being left stale.

I decided to make a Powershell script that takes cares of most of the mouse-clicking out of our off-boarding process. The script is below, feel free to post any comments or questions.


What it does:


  1. Disables the user's account.
  2. Moves the user to the "Disabled Users" OU in AD.
  3. Removes the user from all AD groups except "Domain Users."
  4. Notates the user's account with the Date and Name of the person who disabled them.
  5. Hides the user from Exchange Address Lists.
  6. Flags the user's email to only be able to receive an email from the "Postmaster."
  7. Using the User's city and state, the script: (1) set's the proper vendor's associated with that sales area; (2) emails said vendors requesting and accounts be disabled.
  8. Can be run against a single user or CSV depending on which #region you uncomment.


Things I will add:

 

  1. Vendor/Account logic based on "Role" field.
  2. Appending disabled usernames to list with the history of changes.
  3. Appending groups that user was part of to "Notes" field on disable.
  4. Reset password to random on disable.
  5. Notification of "Supervisor" on disable.



---------------------- Powershell Code ------------------------------

#define variables


#location to CSV file with usernames
$csvFile    = "C:\Users\jacoby\Documents\ScriptsandPowershell\terminations.csv"
#location of disabled users OU
$disabledUsersOU = "OU=Disabled Users,DC=internal,DC=mycompany,DC=com"
#location of Exchange connection URI
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://sea-mail-01.internal.mycompany.com/PowerShell"
#email body
$me       = $env:username
$date      = Get-date -Format "M.d.yyyy"
$description  = "By $me + On $date + quit or terminated"


Import-Module ActiveDirectory


#region - Use use this for CSV import
# $users = Import-Csv $csvFile
#endregion


#region - Use this for single user input
# $input = read-host "Enter Username"
# $users = New-Object psobject -Property @{username = $input}
#endregion


$users | ForEach-Object {
  # Disable the account
  Disable-ADAccount -Identity $_.UserName -Confirm:$false
  # Retrieve the user object and MemberOf property
  $user = Get-ADUser -Identity $_.UserName -Properties MemberOf 
  # Set Description
  ForEach-Object { Set-ADUser $_.username -Description "$description"}
  # Move user object to disabled users OU
  $user | Move-ADObject -TargetPath $disabledUsersOU -Confirm:$false
  # Remove all group memberships (will leave Domain Users as this is NOT in the MemberOf property returned by Get-ADUser)
  foreach ($group in ($user | Select-Object -ExpandProperty MemberOf))
  {
  Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
  }
   
  switch(get-aduser $user -Properties state | select -ExpandProperty state){
    WA {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com, vendoremail@none.com"
    }
    CA {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com "
    }
    OR {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com, vendoremail@none.com"
    }
    AK {
      $vendorcc1 = "vendoremail@none.com"
      $vendorcc2 = "vendoremail@none.com"
    }
  }


}


Write-Output "Removing users from Exchange - this may take some time...."


#we're done with AD, this part connects to Exchange and remove the users from ALL groups except "Domain Users" and changes their allowed senders to "Postmaster" only


Import-PSSession $ExchangeSession -AllowClobber


set-mailbox $user.SamAccountName -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom $Postmaster


Remove-PSSession $ExchangeSession


#that's done, let's send the email


$users | foreach{
$user1 = $_.username
$n  = get-aduser $user1 -Properties name, city, state | select name, city, state


$emailbody =@"
<p>Greetings!</p>
<p>The following users have been disabled from systems. This has been processed automatically.&nbsp;</p>
<p>You are receiving this email so you can remove the user from the below systems.</p>
<p>&nbsp;</p>
<p>Name - $($n.name)</p>
<p>Username - $($_.UserName)</p>
<p><strong>Location - $($n.city), $($n.state)</strong></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>You must disable the users in the following systems:</strong></p>
<ul>
<li>vendor1</li>
<li>vendor2</li>
<li>vendor3</li>
<li>vendor4</li>


</ul>
<p><br /><br />A copy of this message has been sent to $vendorcc1 and $vendorcc2. If you are a vendor1 or vendor2, please disable any account associated with the named user.</p>
<p>Lastly, please mark any equipment assigned to this user as returned or available.</p>
<p>Thanks!&nbsp;</p>
"@


$splat = @{
  To    = "jacob@mycompany.com"
 # CC    = "helpdesk@mycompany.com"
 # BCC    = "$vendorcc1, $vendorcc2"
  From   = "$me@mycompany.com"
  Subject  = "The user $($n.name), with username $($_.UserName) has been disabled - Action Required"
  Body   = $emailbody 
  SmtpServer = "email.mycompany.com"
  BodyAsHtml = $true
}


Send-MailMessage @splat}


$total  = (get-content $csvFile).count 
$truetotal = $total - 1


Write-Host " $truetotal accounts have been processed..." -ForegroundColor Green


pause


Hope you found this useful.



1
1,322 Views
Jacob DurhamNetwork and System Admin
CERTIFIED EXPERT
Systems Administrator

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community