functions/Disable-User.ps1

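Function Disable-User {
    <#
    .SYNOPSIS
        Processes an AD user as a leaver: disables the account, scrambles the password,
        hides the mailbox from the GAL, clears organisational fields, strips group
        membership and moves the object to a chosen leaver OU. Optionally forwards or
        delegates the mailbox.

    .DESCRIPTION
        DEFAULT (always performed, in this order)
        - Disable AD account
        - Reset the password to a random, locally generated value (never displayed or logged)
        - Set MailNickName (needed so that hide-from-GAL takes effect)
        - Hide from GAL (msExchHideFromAddressLists)
        - Clear Title, Manager, Department and Company
        - Set Description to "Disabled: <timestamp>"
        - Remove from all groups except 'Domain Users'
        - Move to the leaver OU chosen via Select-ADOrganizationalUnit

        OPTIONAL (only with the matching parameter; requires an Exchange Online session)
        - Forward mail (-Forward)
        - Grant FullAccess on the mailbox (-Delegate)

        Every progress line written to the console is also appended to the log file via
        Write-Log. Any failure after the operator confirms is appended to the log and
        re-thrown; the account may then be partially processed, so re-run once the cause
        is fixed. Input validation, OU selection and the Exchange Online connection all
        happen before the first change to AD so that those failures leave the user untouched.

    .PARAMETER Username
        Identity of the leaver as accepted by Get-ADUser -Identity (e.g. SamAccountName).
        Also used as the log file name.

    .PARAMETER Forward
        SMTP address to forward the leaver's mail to. Mail is kept in the mailbox as well.

    .PARAMETER Delegate
        User to grant FullAccess on the leaver's mailbox.

    .NOTES
        Name: Disable-User
        Author: Elliott Marter

        TO ADD
        Set mailbox to shared
        Remove Licences

    .EXAMPLE
        Disable-User -Username john.smith -Forward mr.boss@contoso.com -Delegate mr.boss@contoso.com

    .LINK
        https://www.powershellgallery.com/profiles/elliottmarter
    #>
    [CmdletBinding()]
    param(
        [Parameter(Position=0,mandatory=$true)]
        [string]  $Username,
        [string]  $Forward,
        [string]  $Delegate
    )

    $logfile = "$env:SystemDrive\elm_tools_logs\leaver_logs\$Username.txt"
    # -Force also creates the missing parent directories on first use.
    New-Item $logfile -ItemType File -Force -Confirm:$false | Out-Null
    Write-Output "logfile is here $logfile"

    # Resolve the user first so a mistyped name fails before any prompt or OU selection.
    try {
        $User = Get-ADUser -Identity $Username -ErrorAction Stop
    }
    catch {
        throw "ERROR: Could not find $($Username), please try again"
    }

    # Ask for the leaver OU up front and refuse to continue without one, so we never
    # reach Move-ADObject with an empty target after the account has already been changed.
    $LeaverOU = (Select-ADOrganizationalUnit -Message "Select Leaver OU").DistinguishedName
    if ([string]::IsNullOrWhiteSpace($LeaverOU)) {
        throw "ERROR: No Leaver OU selected, nothing has been changed"
    }

    # Exchange Online is only needed for the optional mail steps. Connect before touching
    # AD, and let a failed connection surface instead of silently continuing into a
    # Set-Mailbox call that would fail after the account is half-processed.
    if ($Forward -or $Delegate) {
        if ($null -eq (Get-ConnectionInformation)) {
            Connect-ExchangeOnline -ErrorAction Stop
        }
    }

    $Confirm = Read-Host "$($User.UserPrincipalName) will be disabled, Do you wish to contiune? Y/N"
    # -ne is case-insensitive, so 'y' is accepted too.
    if ($Confirm -ne "Y") {
        Write-Output "Aborted by operator, no changes made to $($User.UserPrincipalName)"
        return
    }

    try {

        # Disable Account
        Disable-ADAccount $User -Confirm:$false
        Write-Output "$User account has been disabled"
        Write-Log "$User account has been disabled" -logfile $logfile

        # Set New Password.
        # Generated locally from a CSPRNG rather than fetched from a public web service,
        # which would hand the new secret to a third party. The value is deliberately not
        # echoed or written to the log file: a disabled leaver account needs no known
        # password, and the log file is readable by anyone who can reach the tools drive.
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        try {
            $bytes = New-Object byte[] 24
            $rng.GetBytes($bytes)
            # 24 random bytes -> 32 base64 characters (upper, lower, digits, + /).
            $NewPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        }
        finally {
            $rng.Dispose()
        }
        Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword
        Write-Output "Password has been reset"
        Write-Log "Password has been reset" -logfile $logfile

        # Set MailNickName
        Set-ADObject $User -Replace @{MailNickName=$User.SamAccountName}
        Write-Output "Mailnickname set to $($User.SamAccountName)"
        Write-Log "Mailnickname set to $($User.SamAccountName)" -logfile $logfile

        # Hide From GAL
        Set-ADObject $User -Replace @{msExchHideFromAddressLists=$true}
        Write-Output "$($User.SamAccountName) hidden from GAL"
        Write-Log "$($User.SamAccountName) hidden from GAL" -logfile $logfile

        # Clear Title, Manager, Department and Company
        Set-ADUser $User -Title $null -Manager $null -Department $null -Company $null
        Write-Output "Title, Manager, Department and Company has been cleared"
        Write-Log "Title, Manager, Department and Company has been cleared" -logfile $logfile

        # Set description to date disabled. Fixed format so the stamp does not depend on
        # the culture settings of whichever admin machine ran the script.
        $Description = "Disabled: $((Get-Date).ToString('yyyy-MM-dd HH:mm:ss'))"
        Set-ADUser $User -Description $Description
        Write-Output "Descripton set to $Description"
        Write-Log "Descripton set to $Description" -logfile $logfile

        # Remove From all groups ('Domain Users' is the primary group and cannot be removed)
        $Groups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName |
            Where-Object -Property Name -Ne -Value 'Domain Users'
        Write-Output "$($User.SamAccountName) is being removed from the following groups"
        Write-Output $($Groups.Name)
        Write-Log "$($User.SamAccountName) is being removed from the following groups" -logfile $logfile
        Write-Log "$($Groups.Name)" -logfile $logfile
        # An empty $Groups simply sends nothing down the pipeline.
        $Groups | Remove-ADGroupMember -Members $User -Confirm:$false

        # Move to Leaver OU
        Move-ADObject $User -TargetPath $LeaverOU
        Write-Output "$($User.SamAccountName) has been moved to $LeaverOU"
        Write-Log "$($User.SamAccountName) has been moved to $LeaverOU" -logfile $logfile

        # Set Mail forwarding (mailbox is addressed by UPN, which the move above does not change)
        if ($Forward) {
            Set-Mailbox -Identity $User.UserPrincipalName -DeliverToMailboxAndForward $true -ForwardingSMTPAddress "$Forward"
            Write-Output "Mail has been forwarded to $Forward"
            Write-Log "Mail has been forwarded to $Forward" -logfile $logfile
        }

        # Set Mail delegation
        if ($Delegate) {
            Add-MailboxPermission -Identity $User.UserPrincipalName -User $Delegate -AccessRights FullAccess -InheritanceType All
            Write-Output "Mail has been delegated to $Delegate"
            Write-Log "Mail has been delegated to $Delegate" -logfile $logfile
        }

    }
    catch {
        # Record the failure next to the progress lines, then re-throw so the caller sees it.
        Write-Output $_.Exception.Message | Tee-Object $logfile -Append
        throw $_
    }
}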