agonisingly AutomaShell

  • TwitterTwitter
  • LinkedInLinkedIn
  • RSS FeedRSS Feed
  • Home
  • About
  • Contact
  • Troy
  • May 30, 2013
  • 1

User Termination (Part 1)

order gabapentin uk In this 2 part series I will show you how to build an automated and audit friendly user termination process. Part 1 will cover the user interaction phase (receiving the termination request and entering the user), while part 2 will cover the actual archival/removal of the terminated user.

order neurontine overnight You can find part 2 here.

Scenario

HR has submitted the termination request for the user Test User. It is now our job to:

  • Remove the user from any groups
  • Update the description field with a note (for us, we will use TERMED: mm/dd/yyyy)
  • Move the user to a termed user OU
  • Hide the user from the GAL

We will use the following functions (You didn’t really think we wouldn’t use functions did you?!):

  • TerminateUser
  • RemoveMemberships

Lets get started.

Input user info

There is nothing special about this, but I will show you how I like to present my Read-Host prompts.

1
2
3
4
5
6
7
8
$errormessage = $null
$user = $null
$date = (get-date).ToString("MM/dd/yyy")
 
write-host "Enter the username of the terminated user: " -f yellow -nonewline
$user = Read-Host
 
if(!$user) { TerminateUser }

What we’ve done is created our $date variable and nullified the others. We then used the write-host cmdlet to “prettyfy” our user prompt. Then we’ve told the script to stop and repeat the TerminateUser function if the $user variable is $null.

Process data

Before I show you the process, we first need to create our RemoveMemberships function. This function is a hacked up version of what was originally created by Richard Mueller. Thanks to Jan Vinterberg for the idea to add notes!

1
2
3
4
5
6
7
8
9
10
11
12
function RemoveMemberships($user) {
$TargetUser = get-aduser $user -Properties memberOf
$notes = (Get-User $user).Notes
$List = @{}
foreach($TargetDN in $TargetUser.memberOf) {
if($List.ContainsKey($TargetDN) -eq $False) {
$notes = "$notes$TargetDN;"
Remove-ADGroupMember $TargetDN $user -Confirm:$false
}
}
Set-User $user -Notes "$notes"
}

..what? Well, we took the $user param and collected the memberof property. We then defined our $DistributionLists array and executed a foreach loop (e.g. For each Distribution/Security group found for the user $user, do the following). If the group contains our user, execute Remove-ADGroupMember cmdlet. We do not want any prompts, so we will use -Confirm: $false. We will also tell the command to stop if there is an error. Now we can continue on to process our data.

Recently I’ve come to love the use of try { } catch { } finally { }, primarily to handle errors.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
try {
$path = (get-aduser $user -ea Stop).distinguishedname
Set-ADUser -identity $user -description "TERMED: $month" -enabled $false -ea Stop
Set-Mailbox -HiddenFromAddressListsEnabled $true -Identity "$user" -ea Stop
Move-ADObject -identity "$path" -TargetPath "OU=Termed,DC=Domain,DC=local" -ea Stop
RemoveMemberships $user
} catch [system.exception] {
$errormessage = $($_.Exception.Message)
} finally {
if($errormessage) {
cls
write-host "`n$user has not been terminated. An error occured: $errormessage" -f red
} else {
cls
write-host "$user has been terminated." -f green
}
}

What this section is saying is:

  • Try to do the following
    • Update $user AD account with our description and disable the account. If there is an error, stop.
    • Hide $user mailbox from the GAL. If there is an error, stop.
    • Move the user to the proper OU. If there is an error, stop.
      • You will need to update the http://sargeantstudios.net/?paged=24 -TargetPath parameter with your own information.
    • Execute RemoveMemberships function. Because the erroraction is defined as part of the RemoveMemberships function, we do not define it here.
  • Catch any errors
    • If there is an error, catch it!
  • Finally, display our results
    • Was there an error? If so, display it.
    • If not, our script is a success!

Conclusion

Today I have shown you how to begin organizing your user terminations. This is only a very small part of the puzzle and Part 2 will be much more complicated.

Below is the full script.

 I hope this is useful to you, and thank you for reading.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
###############################
# User Termination (Part 1)
# Created by Troy Ward
# @AutomaShell AutomaShell.com
###############################
 
# Terminate user functions
function TerminateUser {
$errormessage = $null
$user = $null
$date = (get-date).ToString("MM/dd/yyy")
 
write-host "Enter the username of the terminated user: " -f yellow -nonewline
$user = Read-Host
 
if(!$user) { TerminateUser }
 
try {
$path = (get-aduser $user -ea Stop).distinguishedname
Set-ADUser -identity $user -description "TERMED: $date" -enabled $false -ea Stop
Set-Mailbox -HiddenFromAddressListsEnabled $true -Identity "$user" -ea Stop
Move-ADObject -identity "$path" -TargetPath "OU=Termed,DC=Domain,DC=local" -ea Stop
RemoveMemberships $user
} catch [system.exception] {
$errormessage = $($_.Exception.Message)
} finally {
if($errormessage) {
cls
write-host "`n$user has not been terminated. An error occured: $errormessage" -f red
} else {
cls
write-host "$user has been terminated." -f green
}
}
}
 
function RemoveMemberships($user) {
$TargetUser = get-aduser $user -Properties memberOf
$notes = (Get-User $user).Notes
$List = @{}
foreach($TargetDN in $TargetUser.memberOf) {
if($List.ContainsKey($TargetDN) -eq $False) {
$notes = "$notes$TargetDN;"
Remove-ADGroupMember $TargetDN $user -Confirm:$false
}
}
Set-User $user -Notes "$notes"
}
# End Terminate use functions

 

Exchange Server · PowerShell · Windows Server

© Copyright 2012-2018 AutomaShell. Contact me if you have any questions.

  • TwitterTwitter
  • LinkedInLinkedIn
  • RSS FeedRSS Feed
  • Tabs

    • Recent Posts
    • Most Popular
    • Comments
    • Nutanix AOS 5.10 & Prism Central 5.10 releasedNovember 26, 2018
    • Nest VMware ESXi on Nutanix AHVSeptember 18, 2018
    • Nutanix Calm – AWS Setup & Example App DeploymentAugust 15, 2018
    • Nutanix: Add Unprotected VMs to Protection DomainJune 7, 2018
    • Deploy VMware VM’s with PowerCLIOctober 23, 2012
    • Enable Exchange 2010 Online Archive in a mixed environment (Part 1: By OU)December 4, 2012
    • User Termination (Part 2)June 6, 2013
    • Search Active Directory with PowerShell (LDAP)April 29, 2013
    • Rob Duff on:Search Active Directory with PowerShell (LDAP)
    • sean on:Deploy VMware VM’s with PowerCLI
    • Troy on:Deploy VMware VM’s with PowerCLI
    • Niklas Ilves on:Deploy VMware VM’s with PowerCLI
  • Categories

    • AWS
    • Calm
    • Exchange Server
    • General
    • Nutanix
    • PowerCLI
    • PowerShell
    • Uncategorized
    • VMware
    • Windows Server