-
-
Save hsmalley/9c3bf7eef6622aa60031 to your computer and use it in GitHub Desktop.
AutoADTermination.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# This is a auto termination script. It's going to royaly screw an account. So make sure you want that. Okay? | |
# You really shouldn't monkey around with this as it assumes the following: | |
# 0. YOU KNOW WHAT YOU'RE DOING! | |
# 1. The account running it has exchange admin access | |
# 2. The computer running is set to EST. | |
# 3. The account running it has access to the IT share. | |
# 4. You have the Quest Active Roles AD Cmdlets installed. | |
# 5. 0-4 | |
#> | |
# Add Quest CMDLETS | |
Add-PSSnapin Quest.ActiveRoles.ADManagement -WarningAction SilentlyContinue -ErrorAction SilentlyContinue | |
# Get Timestamp | |
$Date = Get-Date | |
# Setup Email fields | |
$SMTP = New-Object Net.Mail.SMTPClient | |
$SMTP.Host = "mail.DOMAIN.LOCAL" | |
$SMTP.TargetName = "mail.DOMAIN.LOCAL" | |
$EmailFrom = "HELLDESK@DOMAIN.LOCAL" | |
$EmailTO = "HELLDESK@DOMAIN.LOCAL" | |
$Subject = "User Termination - $Env:COMPUTERNAME" | |
# Start crafting the message. | |
$Message = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTO | |
$Message.Subject = $Subject | |
$Message.IsBodyHTML = $true | |
# CSS Style for Email. | |
$Style = "<style>BODY{font-family: Arial; font-size: 10pt;}" | |
$Style = $Style + "TABLE{border: 1px solid black; border-collapse: collapse;}" | |
$Style = $Style + "TH{border: 1px solid black; background: #dddddd; padding: 5px;}" | |
$Style = $Style + "TD{border: 1px solid black; padding: 5px;}" | |
$Style = $Style + "</style>" | |
# Generate a Random Password for the User | |
Function Generate-Password { | |
$Password = $null | |
$Random = $null | |
#Set up random number generator | |
$Random = New-Object System.Random | |
#Generate a new 10 character password | |
1..10 | ForEach { $Password = $Password + [char]$Random.next(33,127) } | |
$Password | |
} | |
#Connect to Exchange SERVER | |
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://EXCH\\SERVER/PowerShell/" | |
Import-PSSession $Session -AllowClobber | |
# Import the list of people heading to Château d'If | |
$Users = Import-Csv "\\SERVER\User Termination Log\TermUsers.csv" | |
$Users | ForEach-Object { | |
# Setup Variables | |
$User = $_ | |
$TimeZone = $User.TimeZone | |
$TermUser = $User.OPID | |
$TermDate = $User.Date | |
# DATE CHECK | |
IF (($TermDate -ieq (Get-Date -Format yyyyMMdd)) -or ($TermDate -lt (Get-Date -Format yyyyMMdd))) { | |
# TIME ZONES | |
IF ($TermDate -lt (Get-Date -Format yyyyMMdd)) {$RunTerm = "YES"} #If we missed someone this will make sure we get this. | |
# The task runs an hour after these times. So we're save with this. | |
ELSEIF (($TimeZone -ieq "EST") -and ($Date.Hour -gt "16")) {$RunTerm = "YES"} | |
ELSEIF (($TimeZone -ieq "CST") -and ($Date.Hour -gt "17")) {$RunTerm = "YES"} | |
ELSEIF (($TimeZone -ieq "MNT") -and ($Date.Hour -gt "18")) {$RunTerm = "YES"} | |
ELSEIF (($TimeZone -ieq "PST") -and ($Date.Hour -gt "19")) {$RunTerm = "YES"} | |
ELSE {$RunTerm = "NO"} | |
} | |
# Run the termination if it's time. | |
IF (($RunTerm -eq "YES") -and ((Get-QADObject -Identity $TermUser | Get-QADMemberOf) -notmatch "Disabled Users")) { | |
# Generate a Random Password for the User | |
$Password = Generate-Password | |
# Convert OPID to User Account information for Quest AD Tools | |
$ADTermUser = Get-QADUser -Identity $TermUser | |
# Move User to the Disabled User OU | |
Move-QADObject -Identity $ADTermUser -NewParentContainer (Get-QADObject "Users - Disabled") | |
# Refresh ADTermUser | |
$ADTermUser = Get-QADUser -Identity $TermUser | |
# Try to correct possible human error. | |
$TermUser = $ADTermUser.LogonName | |
# Get the Display Name for the User | |
$ADTermUserDisplayName = $ADTermUser.DisplayName | |
# Get the User's Manager. If the user doesn't have a manager (OR has an invalid manager) a manager will be assigned to them. | |
IF ((Get-QADObject -Identity $ADTermUser.Manager) -eq $null) {$ADTermUserManager = Get-QADUser -Identity "disabledusermanager"} | |
ELSE {$ADTermUserManager = Get-QADObject -Identity $ADTermUser.Manager} | |
# Set the User's Manager's Logon Name | |
$TermUserManager = $ADTermUserManager.LogonName | |
# Get the Manager's Display Name | |
$ADTermUserManagerDisplayName = $ADTermUserManager.DisplayName | |
#Set Expire Date | |
$Expire = $Date.AddMonths(13) | |
<# START CSV LOG #> | |
$Log = New-Object PSObject | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "Run Date" -Value $Date -Force | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "Remove After" -Value $Expire -Force | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "User ID" -Value $TermUser -Force | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "User Name" -Value $ADTermUserDisplayName -Force | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "Manager ID" -Value $TermUserManager -Force | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "Manager" -Value $ADTermUserManagerDisplayName -Force | |
Add-Member -MemberType NoteProperty -InputObject $Log -Name "Tech" -Value "AUTOMAGICAL" -Force | |
$TermLog = @() | |
$TermLog += $Log | |
$LogPath = "\\SERVER\User Termination Log\TermLog.csv" | |
$TermLog | Export-Csv -Append -Force -NoTypeInformation $LogPath | |
<# END CSV LOG #> | |
# Disable AD Account and add to Disabled Users Group | |
Disable-QADUser -Identity $ADTermUser -Confirm:$false | |
Add-QADGroupMember -Identity "Disabled Users" -Member $ADTermUser -Confirm:$false | |
# Set Description | |
$Description = ($AdtermUser.Description + " - Terminated On: $Date") | |
# Removes Title, Office, Phones, Fax, changes password to random number, set description, and change primary group to Disabled Users. | |
# It's not on a single line for a reason, go ahead and test the wheels fate; if that's what you're into... | |
Set-QADUser -Identity $ADTermUser -Title '' -Office '' -PhoneNumber '' -MobilePhone '' -Pager '' -Fax '' -Description $Description -Confirm:$false | |
Set-QADUser -Identity $ADTermUser -UserMustChangePassword $true -UserPassword $Password -Confirm:$false | |
Set-QADUser -Identity $ADTermUser -AccountExpires $Expire -Confirm:$false | |
Set-QADUser -Identity $ADTermUser -objectAttributes @{PrimaryGroupID='99999'} -Confirm:$false | |
# Remove Groups | |
$ADTermUser.MemberOf | Remove-QADGroupMember -Member $ADTermUser -Confirm:$false | |
# Hide the user from the GAL and set forwarding of the user's mail to the manager. | |
Set-Mailbox -Identity $TermUser -hiddenfromaddresslistsenabled $True -ForwardingAddress $TermUserManager | |
# Set out of office reply aka Let's people who who got canned. | |
Set-MailboxAutoReplyConfiguration -Identity $TermUser -autoreplystate enabled -InternalMessage "Thank you for your email, unfortunately the person you have contacted is no longer with LUA." -ExternalMessage "Thank you for your email, unfortunately the person you have contacted is no longer with LUA, however your email has been forwarded to someone who can help you." | |
# Give Manager Full Access | |
Add-MailboxPermission $TermUser -User $TermUserManager -AccessRights fullaccess | |
# Punches their mail clients and phones in the face. | |
Set-CASMailbox -Identity $TermUser -OwaEnabled $false -EcpEnabled $false -EwsEnabled $false -MapiEnabled $false -ImapEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -Confirm:$false | |
Set-CASMailbox -Identity $TermUser -MapiBlockOutlookRpcHttp $true -EwsAllowMacOutlook $false -EwsAllowOutlook $false -EwsAllowEntourage $false -Confirm:$false | |
# Banishes their phones. | |
Get-ActivesyncDevice -Mailbox $TermUser | Remove-ActiveSyncDevice -Confirm:$false | |
# Send an email that the termination is done. | |
$Body = "AD Termination for $TermUser has completed. <br>" | |
$Body += "Script Name: Auto_Terminate_User.ps1 <br>" | |
$Body += "Running on: $Env:COMPUTERNAME <br>" | |
$Body += "<hr>" | |
$Body += "<b> USER REPORT </b><br>" | |
$Body += Get-QADUser -Identity $TermUser | Select-Object -Property DisplayName,AccountIsDisabled,UserMustChangePassword,PrimaryGroupId,Manager,AccountExpirationStatus | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER MAILBOX REPORT </b><br>" | |
$Body += Get-CASMailbox $TermUser | Select-Object DisplayName,MapiEnabled,MAPIBlockOutlookRpcHttp | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER DEVICE REPORT - <i>Should be empty</i></b><br>" | |
$Body += Get-ActivesyncDevice -Mailbox $TermUser | Select-Object DeviceType,DeviceId,DeviceUserAgent | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TO TERM </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermLog.csv" | ConvertTo-Html | |
$Body += "<hr>" | |
$Message.Body = ConvertTo-Html -Head $Style -Body $Body | |
$SMTP.Send($Message) | |
} | |
# Clean Up - This part checks to make sure the user account was terminated correctly and enable MAPI on the mailbox. | |
# If the user is a member of Disabled Users, account is disabled, mapi is disabled on mailbox, and it's been more than 1 day. | |
IF (($RunTerm -eq "YES") -and ((Get-QADObject -Identity $TermUser | Get-QADMemberOf) -match "Disabled Users") -and ((Get-QADObject -Identity $TermUser).get_AccountIsDisabled() -eq $true) -and ($Date.AddDays(1) -gt ((Get-QADObject -Identity $TermUser).get_ModificationDate())) -and ((Get-CASMailbox -Identity $TermUser).MAPIEnabled -eq $false)) { | |
# Enable MAPI | |
Set-CASMailbox -Identity $TermUser -MapiEnabled $true -MapiBlockOutlookRpcHttp $false -Confirm:$false | |
# Start Moving The Mailbox | |
New-MoveRequest -Identity $TermUser -BadItemLimit 5 -TargetDatabase "DISABLEDDATABASE" -Confirm:$false | |
# Send Email | |
$Body = "Clean up on $TermUser is done.<br>" | |
$Body += "MAPI has been enabled on mailbox.<br>" | |
$Body += "Mailbox is moving to DISABLEDDATABASE Database.<br>" | |
$Body += "Please check Exchange move requests for errors moving the mailbox. <br>" | |
$Body += "Script Name: Auto_Terminate_User.ps1 <br>" | |
$Body += "Running on: $Env:COMPUTERNAME <hr>" | |
$Body += "<b> USER MAILBOX REPORT </b><br>" | |
$Body += Get-CASMailbox $TermUser | Select-Object DisplayName,MapiEnabled,MAPIBlockOutlookRpcHttp | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER REPORT </b><br>" | |
$Body += Get-QADUser -Identity $TermUser | Select-Object -Property DisplayName,AccountIsDisabled,UserMustChangePassword,PrimaryGroupId,Manager,AccountExpirationStatus | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TO TERM </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermUsers.csv" | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TERMLOG </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermLog.csv" | ConvertTo-Html | |
$Message.Body = ConvertTo-Html -Head $Style -Body $Body | |
$SMTP.Send($Message) | |
} | |
# If the account is not in the disabled users or disabled run this | |
ELSEIF (($RunTerm -eq "YES") -and ((Get-QADObject -Identity $TermUser | Get-QADMemberOf) -notmatch "Disabled Users") -or ((Get-QADObject -Identity $TermUser).get_AccountIsDisabled() -eq $false)) { | |
# Send Email | |
$Body = "Clean up on $TermUser is not done. <br><br>" | |
$Body += "Either account is not terminated correctly or is not disabled.<hr>" | |
$Body += "<b> USER REPORT </b><br>" | |
$Body += Get-QADUser -Identity $TermUser | Select-Object -Property DisplayName,AccountIsDisabled,UserMustChangePassword,PrimaryGroupId,Manager,AccountExpirationStatus | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER MAILBOX REPORT </b><br>" | |
$Body += Get-CASMailbox $TermUser | Select-Object DisplayName,MapiEnabled,MAPIBlockOutlookRpcHttp | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TO TERM </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermUsers.csv" | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TERMLOG </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermLog.csv" | ConvertTo-Html | |
$Message.Body = ConvertTo-Html -Head $Style -Body $Body | |
$SMTP.Send($Message) | |
} | |
# If the account hasn't been terminated for more than one day run this. | |
ELSEIF (($RunTerm -eq "YES") -and ($Date.AddDays(1) -lt ((Get-QADObject -Identity $TermUser).get_ModificationDate()))) { | |
# Send Email | |
$Body = "Clean up on $TermUser is not done. <br><br>" | |
$Body += "24 hours have not passed since termination.<hr>" | |
$Body += "<b> USER TO TERM </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermUsers.csv" | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TERMLOG </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermLog.csv" | ConvertTo-Html | |
$Message.Body = ConvertTo-Html -Head $Style -Body $Body | |
$SMTP.Send($Message) | |
} | |
# Otherwise, there's nothing to do. | |
ELSE {$RunTerm = "NO"} | |
IF ($RunTerm -eq "NO") { | |
<# Send Email | |
$Body = "NOTHING TO DO!<hr>" | |
$Body += "<b> USER TO TERM </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermUsers.csv" | ConvertTo-Html | |
$Body += "<hr>" | |
$Body += "<b> USER TERMLOG </b><br>" | |
$Body += Import-Csv "\\SERVER\User Termination Log\TermLog.csv" | ConvertTo-Html | |
$Message.Body = ConvertTo-Html -Head $Style -Body $Body | |
$SMTP.Send($Message) | |
#> | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment