Staff Separation Tool
I created the below PowerShell script to process staff who have left the organisation. It does a number of things including cleaning up the AD account, moving personal network drives, disabling Exchange mailboxes and Lync accounts, and removing Terminal Server profiles.
```powershell
mode con: lines=70
$a = (Get-Host).UI.RawUI
$a.WindowTitle = " Staff Separation Tool"
$a.BackgroundColor = "darkcyan"
$a.ForegroundColor = "white"
(Get-Host).PrivateData.ErrorForegroundColor = "yellow"
(Get-Host).PrivateData.ErrorBackgroundColor = "darkcyan"
Clear-Host

Import-Module -DisableNameChecking ActiveDirectory
#Set-ExecutionPolicy unrestricted -force

# A bare $nl on its own line simply writes a blank line to the console.
$nl = [Environment]::NewLine

Write-Host "Welcome to the Staff Separation Tool - Author Nick Beare $nl This tool can be used during the staff separation process to perform the following tasks. Do NOT run this tool against staff on long term leave. $nl * Disable a separated staff member's AD user account. $nl * Strip their AD user account of all AD group membership. $nl * Move their AD user account to the Separated Staff OU. $nl * Remove their H drive from \\HOSTNAME\Users$\ $nl * Remove their user profile from both Terminal Servers. $nl * Disable their Exchange mailbox and Unified Messaging. $nl * Remove their Lync account."
$nl

# Record everything this session does in a shared transcript (audit trail).
Start-Transcript -Path '\\hostname\users$\separated_staff_h_drives\ps_transcripts.txt' -Append
$nl

$CT = Read-Host "Please enter the HelpMaster Reference number for the staff member you would like to process eg CT123456"
$CT = [string]::Join("", $CT)
$nl
$target = Read-Host "Please enter the user ID (eg usernamex) of the separated staff member you would like to process"
$nl
$target2 = Read-Host "Please confirm the user ID of the separated staff member you would like to process"

if ($target -ne $target2) {
    $nl
    Write-Host "The user IDs you have entered do not match. Program terminating."
    $nl
    break
}
else {
    $fullname = Get-ADUser -Identity $target -Properties DisplayName | Select-Object -ExpandProperty DisplayName
    $nl
    Write-Host "The Staff Separation Tool is about to process $target - $fullname. Press any key to continue OR click the cross on the top right hand corner of this window to exit."
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

    # Record the user's AD group membership before anything is removed.
    echo "Please see below the former AD membership of $target" >> '\\HOSTNAME\users$\separated_staff_h_drives\ad_membership.txt'
    Get-ADPrincipalGroupMembership -Identity $target | Select-Object -Property "name" | Out-File '\\HOSTNAME\users$\separated_staff_h_drives\ad_membership.txt' -Append
    $nl

    # Assign the CT reference number to the description field of the separated AD user account.
    Write-Host "Setting the description field of $target to $CT..."
    Set-ADUser -Identity $target -Replace @{description=$CT}
    $nl

    # Disable the user's account.
    Write-Host "Disabling $target..."
    Set-ADUser -Identity $target -Enabled $false
    $nl

    # Move the user to the separated staff OU.
    Write-Host "Moving $target to the Separated Staff OU..."
    $guid = Get-ADUser -Identity $target | Select-Object -ExpandProperty ObjectGUID
    Move-ADObject -Identity $guid -TargetPath "OU=Separated Staff,OU=Users,DC=BHP,DC=corporate"
    $nl

    # Remove all AD group membership except Domain Users.
    # (The primary group is not listed in memberOf, so it is left untouched.)
    Write-Host "Stripping $target of all AD group membership. The user's original group membership has been appended to \\HOSTNAME\users$\separated_staff_h_drives\ad_membership.txt"
    foreach ($g in (Get-ADUser -Identity $target -Properties MemberOf).MemberOf) {
        Remove-ADGroupMember -Identity $g -Members $target -Confirm:$false
    }
    $nl

    # Append today's date to the beginning of the name of the moved H drive.
    $dated = Get-Date -f ddMMyyyy
    $newloc = '\\HOSTNAME\users$\separated_staff_h_drives\'
    $newloc2 = $newloc + $target
    $newerloc = $newloc + $dated + $target

    # Move the user's H drive from the file cluster.
    Write-Host "Moving the H drive belonging to $target to $newerloc"
    $h_drive = Get-ADUser -Identity $target -Properties HomeDirectory | Select-Object -ExpandProperty HomeDirectory
    Move-Item -Path $h_drive -Destination '\\HOSTNAME\users$\separated_staff_h_drives\'
    # Rename the folder. Rename-Item takes the new leaf name, not a full path.
    Rename-Item -Path $newloc2 -NewName ($dated + $target)
    $nl

    # Remove the user's profiles from the Terminal Servers.
    $ts1 = '\\TERMINALSERVER1\c$\users\' + $target
    $ts2 = '\\TERMINALSERVER2\c$\users\' + $target
    Write-Host "Taking ownership of the user's profiles on both terminal servers. This may take a while, please wait..."
    takeown /a /r /d Y /f $ts1 2>&1 | Out-Null
    takeown /a /r /d Y /f $ts2 2>&1 | Out-Null
    $nl
    # rmdir /S prompts before deleting, so the operator confirms each path.
    Write-Host "Delete the below terminal server profile path?"
    cmd /C "rmdir /S $ts1"
    $nl
    Write-Host "Delete the below terminal server profile path?"
    cmd /C "rmdir /S $ts2"
    $nl

    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

    # Disable EUM first: Disable-UMMailbox needs a live mailbox, so it must run before Disable-Mailbox.
    Write-Host "Disabling Exchange Unified Messaging for $target..."
    Disable-UMMailbox -Identity $target -Confirm:$false
    $nl

    # Disable the user's mailbox.
    Write-Host "Disabling mailbox belonging to $target. The mailbox will be automatically deleted in 30 days..."
    Disable-Mailbox -Identity $target -Confirm:$false
    $nl

    # Remove the user from Lync. The remote session prompts for the operator's own credentials.
    $userid = $env:USERNAME
    Write-Host "Removing $target from Lync, this may take a moment, please wait..."
    $session = New-PSSession -ConnectionUri "https://LYNC_URI/ocspowershell" -Credential $userid
    Import-PSSession $session
    Disable-CsUser -Identity $fullname
    Remove-PSSession $session
    $nl

    Write-Host "The Staff Separation Tool has finished running."
}
$nl
Stop-Transcript
```
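The script above keeps a record of the leaver's group membership only as a list of group names in a text file, which is enough for an audit trail but awkward if the wrong account is processed (the two matching user-ID prompts only catch typos, not a wrong ID entered twice). As an added example, not part of the original post, the pair of functions below snapshots membership by SID to a CSV, supports `-WhatIf` so a run can be previewed before anything is removed, and can put the membership back from that record. It assumes the ActiveDirectory module and the `\\HOSTNAME\users$\separated_staff_h_drives` share from the post; the CSV file name and the function names are my own choices.

```powershell
# Added example: reversible group-membership stripping with -WhatIf support.
# Assumes the ActiveDirectory module; the record path below is a chosen default
# on the share used by the post, not something the original script writes.
function Export-LeaverGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $RecordPath = '\\HOSTNAME\users$\separated_staff_h_drives\group_membership.csv'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # One row per group, keyed by SID so a group renamed later can still be restored.
    $rows = foreach ($dn in $user.MemberOf) {
        $group = Get-ADGroup -Identity $dn
        [pscustomobject]@{
            RecordedOn     = (Get-Date).ToString('s')
            SamAccountName = $user.SamAccountName
            UserSid        = $user.SID.Value
            GroupName      = $group.Name
            GroupSid       = $group.SID.Value
            GroupDN        = $group.DistinguishedName
        }
    }

    # Write the record before removing anything, so a failure part-way leaves a full snapshot.
    $rows | Export-Csv -Path $RecordPath -NoTypeInformation -Append

    foreach ($row in $rows) {
        # ShouldProcess honours -WhatIf and -Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess($row.GroupName, "Remove $SamAccountName from group")) {
            Remove-ADGroupMember -Identity $row.GroupSid -Members $user.SID -Confirm:$false
        }
    }

    return $rows
}

function Restore-LeaverGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $RecordPath = '\\HOSTNAME\users$\separated_staff_h_drives\group_membership.csv'
    )

    # Re-add only the rows recorded for this account; other leavers' rows are ignored.
    $rows = Import-Csv -Path $RecordPath | Where-Object SamAccountName -eq $SamAccountName

    foreach ($row in $rows) {
        if ($PSCmdlet.ShouldProcess($row.GroupName, "Add $SamAccountName back to group")) {
            Add-ADGroupMember -Identity $row.GroupSid -Members $row.UserSid
        }
    }
}

# Preview what would be removed, then run for real:
#   Export-LeaverGroupMembership -SamAccountName usernamex -WhatIf
#   Export-LeaverGroupMembership -SamAccountName usernamex
# Roll back if the wrong account was processed:
#   Restore-LeaverGroupMembership -SamAccountName usernamex
```

Because the membership is captured by SID rather than display name, the restore works even if a group is renamed between the separation and the rollback, and because the CSV is appended to rather than overwritten, the file doubles as a per-user history of what was stripped and when.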
Below are the contents of the batch file used to launch the PowerShell script above. Note that `-executionpolicy bypass` suppresses the execution-policy prompt, so the unsigned script on the network share runs without interaction.

```bat
@ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file "\\HOSTNAME\staff_separation.ps1"
@ TIMEOUT /T 30
```