Wednesday, October 23, 2013

Everyday Powershell - Part 5 - Terminating AD User Accounts

This is the next part in an ongoing series about Powershell. You may have heard about how awesome Powershell is but have struggled to find ways to make it useful in your day to day work. That's what this series is going to address. It'll provide scripts and knowledge to address practical everyday problems!

So today we've got a script that lets us dig into handling arguments from the command line, if statements and a little bit of Active Directory!

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

# make sure we've got a user to work with
$user = $args[0]
if ($args.count -lt 1)
{
    $user = read-host "Please enter the username"
}

# make sure we've got the right user, not sure if out-gridview -passthru is the best option.
$users = get-aduser -Filter "samaccountname -like '$user*'"
if ($users.count -gt 1)
{
    Write-host "More than one user found. Who are we after? (highlight a name and press enter)"
    $user = ($users | Out-GridView -PassThru).samaccountname
}

Set-Mailbox -Identity $user -HiddenFromAddressListsEnabled $true

# Remove the user from all groups and disable the user account
$groups = Get-ADuser $user -Properties memberof | select -ExpandProperty memberof
$groups | Remove-ADGroupMember -members $user
Disable-ADAccount $user
$disabledname = (Get-ADUser $user -Properties displayname).displayname + " (Disabled)"
Set-aduser $user -DisplayName $disabledname

# Tell the Manager
$manager = Get-ADUser $user -Properties manager |  %{(Get-AdUser $_.Manager -Properties EmailAddress).EmailAddress}
$subject = "$user has been disabled."
$body = "HI, $manager, $user has left the organisation. We've disabled the user account."
Send-MailMessage -From "helpful@helping.com" -to $manager -Subject $subject -Body $body -SmtpServer smtp.gmail.com

Let's run through this section by section.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
This line just loads the Exchange snapin. It's nifty how Powershell can be extended like this.

$user = $args[0]
So you can see we're setting $user to this $args[0] thing... this is how we tell our script to accept the "arguments" that came after the name of our script. If you save the whole script to c:\temp\terminate-user.ps1 you could call the script with an argument like this:
C:\temp\terminate-user.ps1 USERNAME
This would run the script with $user set to the argument "USERNAME". The [0] is just referring to the first argument handed to the script (yup, you can hand more than one!)

if ($args.count -lt 1)
{
    $user = read-host "Please enter the username"
}
This chunk is our first if statement. We're checking the .count of $args to see if it is Less Than (-lt) 1. IF there aren't any $args we ask the operator for a username using read-host. IF $args.count is 1 or greater, Powershell knows to skip over the script block defined by the curly braces { and }.

$users = get-aduser -Filter "samaccountname -like '$user*'"
Doing a similar thing here with $users... We're going out to Active Directory and finding all the accounts whose samaccountname starts with $user (the trailing * in the filter is a wildcard, so a short username can match more than one account).

if ($users.count -gt 1)
{
    Write-host "More than one user found. Who are we after? (highlight a name and press enter)"
    $user = ($users | Out-GridView -PassThru).samaccountname
}
Now we're checking $users to see if it has a .count Greater Than (-gt) 1. If it does we warn the operator and give them a grid of users to pick from. We do this so we can be sure that we're disabling the user we mean to.

Set-Mailbox -Identity $user -HiddenFromAddressListsEnabled $true
Hiding the user from the Global address list.

$groups = Get-ADuser $user -Properties memberof | select -ExpandProperty memberof
$groups | Remove-ADGroupMember -members $user
Removing the user from all AD groups by creating $groups populated with all the groups $user is a member of then piping $groups to remove-adgroupmember... Isn't powershell cool!?

Disable-ADAccount $user
$disabledname = (Get-ADUser $user -Properties displayname).displayname + " (Disabled)"
Set-aduser $user -DisplayName $disabledname
This next bit disables the user... and then we add "(Disabled)" to the display name. This way anyone snooping through AD won't freak out when they discover staff that have departed.

$manager = Get-ADUser $user -Properties manager |  %{(Get-AdUser $_.Manager -Properties EmailAddress).EmailAddress}
$subject = "$user has been disabled."
$body = "HI, $manager, $user has left the organisation. We've disabled the user account."
Send-MailMessage -From "helpful@helping.com" -to $manager -Subject $subject -Body $body -SmtpServer smtp.gmail.com

Lastly we have a little value add for the user's manager. We send them a little email so they can be sure the account has been disabled. You'll have to jiggle that Send-MailMessage command so it works in your environment.
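Here's an added example of my own (not the post's script) that wraps the same steps in a function: it resolves the account with -Identity so a typo or a prefix match can't pick the wrong user, logs every group removal, skips the manager lookup when no manager is set, and picks up -WhatIf and a confirmation prompt from ShouldProcess. It assumes the ActiveDirectory module is loaded; the log path is a made-up default and the Exchange Set-Mailbox step is left out.

```powershell
Import-Module ActiveDirectory

function Disable-TerminatedUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string]$SamAccountName,
        [string]$LogPath = 'C:\temp\terminate-user-log.csv'   # assumed path, not from the post
    )

    # -Identity resolves exactly one object or throws, unlike the "-like '$user*'"
    # prefix filter in the post, which lets 'jsmith' match 'jsmith2' as well.
    try {
        $account = Get-ADUser -Identity $SamAccountName -Properties memberOf, displayName, manager -ErrorAction Stop
    } catch {
        throw "Could not resolve '$SamAccountName' to a single account; nothing was changed. ($_)"
    }

    $removed = @()
    # ShouldProcess gives the function -WhatIf and a confirmation prompt for free.
    if ($PSCmdlet.ShouldProcess($account.DistinguishedName, 'Remove group memberships and disable')) {
        foreach ($groupDn in $account.memberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $account -Confirm:$false
            $removed += $groupDn
            # Record each membership so the change can be audited or reversed.
            [pscustomobject]@{ When = (Get-Date).ToString('s'); Operator = $env:USERNAME
                               User = $account.SamAccountName; Group = $groupDn } |
                Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
        Disable-ADAccount -Identity $account
        Set-ADUser -Identity $account -DisplayName ($account.DisplayName + ' (Disabled)')
    }

    # Only look up the manager when one is set; Get-ADUser $null would throw.
    $managerMail = $null
    if ($account.Manager) {
        $managerMail = (Get-ADUser -Identity $account.Manager -Properties EmailAddress).EmailAddress
    }

    # Hand back a record the caller can log or feed into Send-MailMessage.
    [pscustomobject]@{
        User          = $account.SamAccountName
        GroupsRemoved = $removed
        ManagerEmail  = $managerMail
    }
}

# Preview first, then run for real (the High ConfirmImpact prompts before changing anything):
# Disable-TerminatedUser -SamAccountName jsmith -WhatIf
# Disable-TerminatedUser -SamAccountName jsmith
```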
