Monday, October 12, 2009

Powershell - Terminate Employee in Active Directory

Here's a quick little script to terminate an employee in Active Directory. It uses the Quest AD PowerShell cmdlets (the quest.activeroles.admanagement snap-in) to disable the AD account, set the account password to a random value, set the account description, remove all group memberships from the account, and move the account to a Terminated OU. The employees to terminate are looked up by the employeeID attribute, read from a text file.

The input text file is a CSV whose header row contains an empID column, with one employee ID per row after it.

Powershell Script:

# ---------------------------
# Add Quest AD Snapin
# ---------------------------
if (-not (Get-PSSnapin | Where-Object { $_.Name -match 'quest.activeroles.admanagement' })) {
    Add-PSSnapin quest.activeroles.admanagement
}
# Load System.Web so we can easily generate a random password
[Reflection.Assembly]::LoadWithPartialName("System.Web")

$s = Get-Credential
Connect-QADService -Credential $s -Service ""

Import-Csv "employeeIDList.txt" | ForEach-Object {
    # $_.empID must be wrapped in $() to expand the property inside the string;
    # "$_.empID" would expand $_ and then append the literal text ".empID"
    $user = Get-QADObject -SearchRoot '' -Type User -LdapFilter "(employeeID=$($_.empID))"
    if ($user) {
        Write-Host "Disabling " $user.samAccountName
        # Generate a random password (10 characters, at least 2 non-alphanumeric)
        $ranpassword = [System.Web.Security.Membership]::GeneratePassword(10, 2)
        # Disable the user account
        $user | Disable-QADUser
        # Set the user's description to Terminated and set the random password
        $user | Set-QADUser -Description "Terminated" -UserPassword $ranpassword
        # Remove the user from all groups (memberOf does not include the primary group, normally Domain Users)
        $user.memberOf | Get-QADGroup | Remove-QADGroupMember -Member $user
        # Move the user to the Terminated OU
        $user | Move-QADUser -NewParentContainer ''
    } else {
        Write-Host $_.empID "not found in Active Directory"
    }
}
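For readers on the built-in ActiveDirectory module (RSAT) rather than the Quest snap-in, here is the same termination procedure as an added example; it is not the script above and not code from the post's author. It escapes the employee ID before building the LDAP filter, so a value from the file containing `*`, `(`, `)` or `\` is matched literally instead of widening the search, it refuses to act when an ID matches zero or more than one account, it supports -WhatIf, and it builds the throw-away password from the cryptographic RNG instead of System.Web. The empID column name is taken from the script above; the function names, the Terminated OU path and the file name in the usage line are assumptions.

```powershell
# Added example: offboarding with the Microsoft ActiveDirectory module (RSAT).
# The empID column name comes from the post; the OU path and file name below are assumptions.
Import-Module ActiveDirectory

# Escape the characters RFC 4515 reserves inside LDAP filter values, so a value read
# from the input file is always matched literally instead of acting as a wildcard or
# closing the filter early.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ([string]$c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# Build the throw-away password from the cryptographic RNG. The alphabet has exactly
# 64 symbols (no 0/O/1/l/I look-alikes), so one byte modulo 64 is unbiased; the
# rejection test keeps the sampling unbiased if someone changes the alphabet.
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Invoke-EmployeeTermination {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$TerminatedOu,
        [string]$Description = "Terminated $(Get-Date -Format 'yyyy-MM-dd')"
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $id = [string]$row.empID
        if ([string]::IsNullOrWhiteSpace($id)) { continue }

        $filter = "(employeeID=$(ConvertTo-LdapFilterValue $id))"
        $found = @(Get-ADUser -LDAPFilter $filter -Properties memberOf)
        # An ID that matches nothing or more than one account is a data problem;
        # act only on an unambiguous hit rather than disabling the wrong person.
        if ($found.Count -ne 1) {
            Write-Warning "employeeID '$id' matched $($found.Count) accounts; skipping"
            continue
        }
        $user = $found[0]
        if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, 'Terminate account')) { continue }

        Disable-ADAccount -Identity $user
        $newPw = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
        Set-ADUser -Identity $user -Description $Description
        # memberOf lists every group except the primary group (normally Domain Users),
        # which cannot be removed this way in any case.
        foreach ($groupDn in $user.memberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        # Move last: the distinguished name changes once the object leaves its OU.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOu
        Write-Verbose "Terminated $($user.SamAccountName)"
    }
}

# Usage (dry run first; the OU path and file name are assumptions):
# Invoke-EmployeeTermination -CsvPath .\employeeIDList.txt -TerminatedOu 'OU=Terminated,DC=corp,DC=example' -WhatIf
```

Run it with -WhatIf first and read the per-account output before running it for real. The -Confirm:$false on Remove-ADGroupMember only suppresses that cmdlet's own high-impact prompt; the ShouldProcess call already gates the whole procedure per account, so -Confirm on Invoke-EmployeeTermination still asks once per user. The password reset needs the Reset Password right on the target accounts, and the move needs write access to both the source and target OUs, so run it under a dedicated offboarding account rather than a Domain Admin.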