Automating employee terminations tasks with PowerShell
There are several tasks that I find myself doing often enough (not necessarily daily), to warrant automation. But even more so, it is those tasks that I don’t necessarily do often where I really appreciate the automation. Part of it is because of the time savings, but even more so, if it is automated, there are a lot fewer steps that I need to remember.
A good example of this is employee terminations. A simple, but typical workflow that I see is along the lines of:
- disable their on-prem AD account
- move the account to a specific OU
- change their O365 password
- Setup forwarding
- Hide from the GAL
There are of course other tweaks here or there which I may do depending on the user, but that is the bulk of them. We don’t currently have Azure AD Connect running, so disabling the on-premises Active Directory account still leaves the O365 account wide open.
We also don’t usually disable the O365 account off the hop as we want to keep the address alive, and usually, we’ll have an admin assistant do a cursory look of the outstanding items in the inbox. Longer term, we typically take the former employee’s email address and add it on as an alias to someone else, and thus save a license cost in the process.
So with the above in mind, I cobbled together the script below. Now, go easy on me, I don’t do scripting all that often anymore. The intent was to craft something together quickly (this took about 10 minutes), and to make it functional. Even after I tested it a couple of times, I was able to automate things even more. For example, I originally had a hard entry for a users’ primary email address, now I just pull it from Active Directory.
Another good by-product of this script is that I am a lot less likely to get distracted when running it. On my end, this takes about 20 – 30 seconds to run through the whole thing. Compare that to the time it takes to connect to Active Directory Users & Computers (maybe RDP to a Domain Controller), search for the user, and do what needs to be done. Similarly, think about logging into the Office 365 Admin Panel … it’s not horrible, but it definitely isn’t as fast as I would like most of the time. So think about how long those steps will take, and what the chances are that you’ll be interrupted during that time (phone call, text message, email, slack, passerby, etc.)
I have some basic comments in the script, but for the most part, it should self-explanatory. By sharing it, I am hoping that others may find some use from it, and more likely than not, use it as a basis to get their own process going.
#Enter AD username & obtain user's DN from AD
$ADUserAcount = "slimer"
$ADUserDN = Get-ADuser -Identity $ADUserAcount | select -ExpandProperty DistinguishedName
#Grab the primary SMTP from AD and set the 'forward to' address
$userEmail = Get-ADUser -Identity $ADUserAcount -Properties ProxyAddresses | select -ExpandProperty ProxyAddresses | ? {$_ -clike "SMTP:*"}
$userEmail = $userEmail.trim("SMTP:")
$forwardTo = "peter.venkman@gb.net"
#Grab Office 365 credentials, import the session, and import the o365 modules
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic –AllowRedirectionÂ
Import-PSSession $Session
Import-Module MSOnline
#Disable AD account & move to Former Employees OU
Disable-ADAccount -Identity $ADUserAcount
Move-ADObject -Identity $ADUserDN -TargetPath "OU=Former Employees,OU=Users,OU=Manhattan,DC=GB,DC=net"
#Connect to Office 365
Connect-MSOLService -Credential $UserCredential
#Change user password, set forwarding, and hide from GAL
Set-MsolUserPassword -UserPrincipalName $userEmail -NewPassword YFP#^k@2Mz7d -ForceChangePassword $False
Set-Mailbox -Identity $userEmail -ForwardingSmtpAddress $forwardTo -DeliverToMailboxAndForward $false
set-mailbox -Identity $userEmail -HiddenFromAddressListsEnabled $true
Pingback: Automating employee terminations tasks with PowerShell - How to Code .NET