Pull AD Users by Employee number from csv then perform functions

  • Question

  • I want to make a PowerShell script to pull AD users from a csv based off the "employeeNumber" attribute and then perform the following:

    1. The script checks if the user is already disabled. If disabled, skip that user.

    2. Ask the technician for a ticket number.

    3. Change the description to read "Disabled <timestamp> Ticket #<ticket number>".

    4. Remove all groups.

    5. Move the user to a disabled users OU.

    I have most of it, I think, but I'm not sure if the $SamAccountName variable will work or how to define it based off the first part that queries the AD object from the employeeNumber.

    $Ticket = Read-Host 'What is the Ticket #?'
    $Users = Import-Csv C:\Powershell\terminationlist.csv
    
    ForEach ($User in $Users) {
      $EmployeeNumber = $User.EmployeeNumber
      get-ADUser -Filter {EmployeeNumber -eq $EmployeeNumber}
      Disable-ADAccount $SamAccountName
      Set-ADUser $SamAccountName -Description "Disabled $(get-date) Ticket # $Ticket"
      Move-ADObject $SamAccountName -TargetPath 'OU=Disabled Users,OU=Org Users,DC=Company,Dc=com'
    }

    Monday, June 19, 2017 11:07 PM

Answers

  • Thank you! 

    After playing around with it some more and pulling the DN, I was able to get the entire thing to work! Here is the finished script:

    $Ticket = Read-Host 'What is the Ticket #?'
    $Users = Import-Csv C:\Powershell\terminationlist.csv
    
    ForEach ($User in $Users) {
      $EmployeeNumber = $User.EmployeeNumber
      $ADUser = get-ADUser -Filter {EmployeeNumber -eq $EmployeeNumber}| Select SamAccountName,DistinguishedName,enabled
      If ($ADUSER.enabled) {
          Disable-ADAccount $ADUser.SamAccountName
          Set-ADUser $ADUser.SamAccountName -Description "Disabled $(get-date) Ticket # $Ticket"
          Move-ADObject -Identity $ADUser.DistinguishedName -TargetPath 'OU=Disabled Users,OU=Org Users,DC=Company,Dc=com'
          Get-ADPrincipalGroupMembership -Identity $ADUser.SamAccountName | where {$_.Name -notlike "Domain Users"} | % {Remove-ADPrincipalGroupMembership -Identity $ADUser.SamAccountName -MemberOf $_ -Confirm:$false}
          }
    
    }

    This doesn't have any error checking, but does the basic function I was looking for. You all have been very helpful.

    • Marked as answer by FFwarriorz Tuesday, June 20, 2017 8:11 PM
    Tuesday, June 20, 2017 8:11 PM

All replies

  • Is the SamAccountName in the CSV file?


    \_(ツ)_/

    Monday, June 19, 2017 11:37 PM
  • Why do you need a ticket number or a person to intervene for each user to be disabled? Seems like this could be done very simply and still have the same effect.

    Tuesday, June 20, 2017 8:25 AM
  • The immediate problem is that the Get-ADUser command as used will just display the information on the screen.

    You need to save the SamAccountName to be used later in the script.

    Try it like this.


    $Ticket = Read-Host 'What is the Ticket #?'
    $Users = Import-Csv C:\Powershell\terminationlist.csv
    
    ForEach ($User in $Users) {
      $EmployeeNumber = $User.EmployeeNumber
      $SamAccountName = get-ADUser -Filter {EmployeeNumber -eq $EmployeeNumber}| Select SamAccountName
      Disable-ADAccount $SamAccountName
      Set-ADUser $SamAccountName -Description "Disabled $(get-date) Ticket # $Ticket"
      Move-ADObject $SamAccountName -TargetPath 'OU=Disabled Users,OU=Org Users,DC=Company,Dc=com'
    }


    With this you have to make some assumptions:

      1. The Employee number is unique.

      2. All Employee numbers in the CSV have a match in AD.

    You may want to include some error checking in your script.


    • Edited by JRussell97 Tuesday, June 20, 2017 1:12 PM
    Tuesday, June 20, 2017 1:05 PM
  • Thanks JRussell97,

    I think that will solve a big part of my issue. How do you suggest I do error checking? I have not had experience doing that yet.

    This process is for user termination upon a ticket submission from HR. The employee number is unique, but of course, could have been mis-typed when the user was created. The only info given from HR is their full name, job title, and employee number. The ticket number prompt is for the tech to enter the appropriate ticket number that is to be inserted into the user description.

    The 2 pieces still missing are for the script to check if the object is already disabled and to remove all groups from the user. I found something that I changed a bit to fit my script to remove groups but I wasn't sure if it would work.

    Get-ADPrincipalGroupMembership -Identity $SamAccountName | where {$_.Name -notlike "Domain Users"} | % {Remove-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $_ -Confirm:$false}

    The other piece I wanted to use was:

    if ($user.enabled -eq $true)

    But I don't know where to put it for it to work. I need the script to check if the user is already disabled, and if it is, skip it completely for all steps.


    • Edited by FFwarriorz Tuesday, June 20, 2017 2:28 PM
    Tuesday, June 20, 2017 2:21 PM
  • Hi,

    You do not need to check whether the user account is disabled, assuming that your disabled user accounts have already been moved to the desired OU. In your current script, just filter out the disabled accounts.

    Tuesday, June 20, 2017 2:34 PM
  • Thank you Home-Net,

    The issue with not checking if it's disabled is I don't want the script to change the user account description if it's already disabled. It is not guaranteed that the account was already moved to the correct OU. For accountability reasons, I need to leave the account untouched if it was already disabled before I run this script.

    Tuesday, June 20, 2017 4:13 PM
  • The level of error checking depends on how much you trust the data you have.

    You may want to check out the Try/Catch construct in Powershell.

    To check for enabled or not you will have to change the script again. You need to pull that data when you get the user.

    Try this

    $Ticket = Read-Host 'What is the Ticket #?'
    $Users = Import-Csv C:\Powershell\terminationlist.csv
    
    ForEach ($User in $Users) {
      $EmployeeNumber = $User.EmployeeNumber
      $ADUser = get-ADUser -Filter {EmployeeNumber -eq $EmployeeNumber}| Select SamAccountName,enabled
      If ($ADUSER.enabled) {
          Disable-ADAccount $ADUser.SamAccountName
          Set-ADUser $ADUser.SamAccountName -Description "Disabled $(get-date) Ticket # $Ticket"
          Move-ADObject $ADUser.SamAccountName -TargetPath 'OU=Disabled Users,OU=Org Users,DC=Company,Dc=com'
          }
    
    }
    
    I do not know about your code to remove the members.

    Tuesday, June 20, 2017 5:54 PM
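    The Try/Catch suggestion above, the two assumptions JRussell97 listed (unique employee number, every CSV row matches an account), and the group-removal one-liner the asker was unsure about all fit together in one script. The following is an added example written for this page, not a script posted in the thread: it keeps the same steps and the same description format, but validates the lookup (zero or several matches are reported, not acted on), leaves already-disabled accounts untouched, records the removed groups so the change can be reversed, supports -WhatIf, and writes one log row per CSV row. The function name, parameter names and the log path are my own; the CSV column name, the OU path and the ActiveDirectory cmdlets are those used in the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the thread's own script). Assumes a CSV with an
# EmployeeNumber column, the ActiveDirectory module, and rights to modify
# the accounts. $LogPath and the function name are assumptions of this example.

function Invoke-UserTermination {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $Ticket,
        [string] $TargetOU = 'OU=Disabled Users,OU=Org Users,DC=Company,DC=com',
        [string] $LogPath  = 'C:\Powershell\termination-log.csv'   # assumed path
    )

    # The ticket number is written into the account description, which other
    # tooling may parse later; keep it to a plain token.
    if ($Ticket -notmatch '^[A-Za-z0-9\-]+$') {
        throw "Ticket '$Ticket' is not a plain ticket identifier."
    }

    $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        $employeeNumber = $row.EmployeeNumber
        $sam     = ''
        $status  = 'Disabled'
        $removed = @()

        try {
            # Do not trust that employeeNumber is unique: count the matches.
            # Same script-block filter style as the thread; memberOf is not a
            # default property, so request it explicitly.
            $hits = @(Get-ADUser -Filter { employeeNumber -eq $employeeNumber } -Properties memberOf)

            if ($hits.Count -ne 1) {
                $status = if ($hits.Count -eq 0) { 'NoMatch' } else { 'Ambiguous' }
            }
            elseif (-not $hits[0].Enabled) {
                # Already disabled before this run: leave description, groups and OU as they are.
                $sam    = $hits[0].SamAccountName
                $status = 'AlreadyDisabled'
            }
            elseif ($PSCmdlet.ShouldProcess($hits[0].SamAccountName, "disable for ticket $Ticket")) {
                $user = $hits[0]
                $sam  = $user.SamAccountName

                Disable-ADAccount -Identity $user.DistinguishedName
                Set-ADUser -Identity $user.DistinguishedName -Description "Disabled $timestamp Ticket #$Ticket"

                # memberOf never lists the primary group (Domain Users), so no
                # name filter is needed. Keep the list: it is the undo record.
                $removed = @($user.memberOf)
                foreach ($groupDn in $removed) {
                    Remove-ADGroupMember -Identity $groupDn -Members $user.DistinguishedName -Confirm:$false
                }

                # Move last: the DN changes once the object leaves its OU, and the
                # steps above are keyed on the old DN.
                Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU
            }
            else {
                $sam    = $hits[0].SamAccountName
                $status = 'Skipped'   # -WhatIf or declined confirmation
            }
        }
        catch {
            # One bad row must not abort the rest of the list; record and move on.
            $status = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Timestamp      = $timestamp
            Ticket         = $Ticket
            EmployeeNumber = $employeeNumber
            SamAccountName = $sam
            Status         = $status
            RemovedGroups  = ($removed -join ';')
        }
    }

    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results
}
```

Run it first with `-WhatIf` (`Invoke-UserTermination -CsvPath C:\Powershell\terminationlist.csv -Ticket (Read-Host 'What is the Ticket #?') -WhatIf`) and read the Status column: a NoMatch row usually means a mistyped employee number at account creation, which the asker mentioned as a real possibility, and an Ambiguous row means two accounts share the number and the script deliberately refuses to guess. The RemovedGroups column, together with the unchanged description on AlreadyDisabled rows, is what gives the "accountability" the asker wanted: every run leaves a record of exactly what it touched and what it found already done.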