functions/Disable-User.ps1
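Function Disable-User {
<#
.SYNOPSIS
    Processes an AD user as a leaver: disables the account, resets the password,
    strips directory attributes and group memberships, and moves the object to a
    leaver OU. Mailbox forwarding/delegation are applied only when requested.

.DESCRIPTION
    Actions always taken (after interactive confirmation):
      - Disable the AD account
      - Reset the password to a locally generated random value (the value is
        deliberately not displayed and not written to the log)
      - Set mailNickname (needed for hide-from-GAL to take effect) and
        msExchHideFromAddressLists, when the schema has Exchange attributes
      - Clear Title, Manager, Department and Company
      - Set Description to "Disabled: (date & time)"
      - Remove from all groups except Domain Users
      - Move to the leaver OU (a $LeaverOU already set in the caller's scope is
        honoured; otherwise Select-ADOrganizationalUnit prompts for one)

    Actions taken only when -Forward and/or -Delegate are supplied:
      - Connect to Exchange Online and convert the mailbox to Shared
      - Forward mail to -Forward (a copy is kept in the mailbox)
      - Grant FullAccess on the mailbox to -Delegate

    Progress is echoed to the console and appended to
    $env:SystemDrive\elm_tools_logs\leaver_logs\<sAMAccountName>.txt

.PARAMETER Username
    Identity of the user to disable (anything Get-ADUser -Identity accepts).

.PARAMETER Forward
    SMTP address that should receive the leaver's mail.

.PARAMETER Delegate
    Identity that is granted FullAccess to the leaver's mailbox.

.NOTES
    Name:   Disable-User
    Author: Elliott Marter
    TO ADD: Remove Licences

.EXAMPLE
    Disable-User -Username john.smith -Forward mr.boss@contoso.com -Delegate mr.boss@contoso.com

.LINK
    https://www.powershellgallery.com/profiles/elliottmarter
#>
    [CmdletBinding()]
    param(
        [Parameter(Position = 0, Mandatory = $true)]
        [string] $Username,
        [string] $Forward,
        [string] $Delegate
    )

    # Builds a throw-away password from the platform CSPRNG instead of fetching one
    # from a third-party web service (which would see, and could log, the value).
    # Rejection sampling keeps the character distribution uniform; the set covers
    # all four AD complexity classes so a 32-char value passes default policy.
    function New-LeaverPassword {
        param([int] $Length = 32)
        $charset = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
        $limit = 256 - (256 % $charset.Length)
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $byte = New-Object byte[] 1
        $sb = New-Object System.Text.StringBuilder
        try {
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    [void]$sb.Append($charset[$byte[0] % $charset.Length])
                }
            }
        } finally {
            $rng.Dispose()
        }
        return $sb.ToString()
    }

    # Resolve the user up front. -ErrorAction Stop makes a failed lookup terminating
    # so the catch below always fires, whatever the session's $ErrorActionPreference.
    try {
        $User = Get-ADUser -Identity $Username -Properties * -ErrorAction Stop
    } catch {
        throw "ERROR: Could not find $($Username), please try again"
    }

    # Name the log after the resolved sAMAccountName rather than the raw -Username
    # argument, so a DN/UPN style identity never puts path characters in the file name.
    $logfile = "$env:SystemDrive\elm_tools_logs\leaver_logs\$($User.SamAccountName).txt"
    New-Item $logfile -Force -Confirm:$false | Out-Null
    Write-Output "logfile is here $logfile"

    # Honour a $LeaverOU already visible from the caller (dynamic scope); otherwise
    # prompt. Test-Path keeps this safe under Set-StrictMode when it does not exist.
    if (-not (Test-Path Variable:LeaverOU) -or [string]::IsNullOrEmpty($LeaverOU)) {
        $LeaverOU = (Select-ADOrganizationalUnit -Message "Select Leaver OU").DistinguishedName
    }
    # A cancelled picker would otherwise surface much later as a Move-ADObject failure,
    # after the account has already been changed.
    if ([string]::IsNullOrEmpty($LeaverOU)) {
        throw "ERROR: No leaver OU selected, nothing has been changed"
    }

    $Confirm = Read-Host "$($User.Name) ($($User.UserPrincipalName)) will be disabled, Do you wish to continue? Y/N"
    if ($Confirm -ne "Y") {
        Write-Output "No changes made to $($User.SamAccountName)" | Tee-Object $logfile -Append
        return
    }

    # Disable Account
    Disable-ADAccount $User -Confirm:$false
    Write-Output "$($User.SamAccountName) account has been disabled" | Tee-Object $logfile -Append

    # Set a new random password. Nobody needs to know a disabled account's password,
    # so the plaintext is never kept in a variable, shown on screen or written to the log.
    $NewPassword = ConvertTo-SecureString -AsPlainText (New-LeaverPassword) -Force
    Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword
    Write-Output "Password has been reset to a random value (not recorded)" | Tee-Object $logfile -Append

    # Record the previous values, then clear Title, Manager, Department and Company.
    # Manager is a DN on the object fetched above; guard against it being empty,
    # since Get-ADUser with a null identity is a terminating error.
    $Manager = $null
    if ($User.Manager) {
        $Manager = (Get-ADUser -Identity $User.Manager).Name
    }
    Set-ADUser $User -Title $null -Manager $null -Department $null -Company $null
    Write-Output "Title = $($User.Title)" | Tee-Object $logfile -Append
    Write-Output "Manager = $Manager" | Tee-Object $logfile -Append
    Write-Output "Department = $($User.Department)" | Tee-Object $logfile -Append
    Write-Output "Company = $($User.Company)" | Tee-Object $logfile -Append
    Write-Output "Title, Manager, Department and Company fields have now been CLEARED" | Tee-Object $logfile -Append

    # Set description to date disabled
    $Description = "Disabled: $((Get-Date).ToString())"
    Set-ADUser $User -Description $Description
    Write-Output "Description set to $Description" | Tee-Object $logfile -Append

    # Remove from all groups except Domain Users (the primary group cannot be removed)
    $Groups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName |
        Where-Object -Property Name -NE -Value 'Domain Users'
    Write-Output "$($User.SamAccountName) is being removed from the following groups" | Tee-Object $logfile -Append
    Write-Output $($Groups.Name) | Tee-Object $logfile -Append
    $Groups | Remove-ADGroupMember -Members $User -Confirm:$false

    # Set mailNickname and msExchHideFromAddressLists. -ErrorAction Stop is needed:
    # Set-ADObject errors are non-terminating and would otherwise skip the catch.
    try {
        Set-ADObject $User -Replace @{MailNickName = $User.SamAccountName} -ErrorAction Stop
        Write-Output "Mailnickname set to $($User.SamAccountName)" | Tee-Object $logfile -Append
        Set-ADObject $User -Replace @{msExchHideFromAddressLists = $true} -ErrorAction Stop
        Write-Output "$($User.SamAccountName) hidden from GAL" | Tee-Object $logfile -Append
    } catch {
        Write-Output "Unable to set MailNickName & msExchHideFromAddressLists attribute (AD Schema may not have Exchange attributes??)" | Tee-Object $logfile -Append
    }

    # Move to Leaver OU
    Move-ADObject $User -TargetPath $LeaverOU
    Write-Output "$($User.SamAccountName) has been moved to $LeaverOU" | Tee-Object $logfile -Append

    # Mailbox steps run only when forwarding or delegation was requested
    if ($Forward -or $Delegate) {
        Connect-ExchangeOnline
        Set-Mailbox -Identity $User.UserPrincipalName -Type Shared
        Write-Output "Mailbox converted to Shared" | Tee-Object $logfile -Append
    }

    # Set Mail forwarding (a copy stays in the mailbox)
    if ($Forward) {
        Set-Mailbox -Identity $User.UserPrincipalName -DeliverToMailboxAndForward $true -ForwardingSMTPAddress "$Forward"
        Write-Output "Mail has been forwarded to $Forward" | Tee-Object $logfile -Append
    }

    # Set Mail delegation
    if ($Delegate) {
        Add-MailboxPermission -Identity $User.UserPrincipalName -User $Delegate -AccessRights FullAccess -InheritanceType All
        Write-Output "Mail has been delegated to $Delegate" | Tee-Object $logfile -Append
    }
}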