Monday, October 12, 2009

Powershell - Terminate Employee in Active Directory

Here's a quick little script to terminate an employee in Active Directory. I'm using the quest AD Powershell command-lets in this script. This uses powershell to disable the AD Account, Change the AD password to a random password, set the description of the account and remove all the group membership from the account.

Input text file looks like this:
empID
08791
08792


Powershell Script:

# ---------------------------
# Add Quest AD Snapin
# ---------------------------
if(-not (Get-PSSnapin | where { $_.Name -match 'quest.activeroles.admanagement' })) {
add-PSSnapin quest.activeroles.admanagement
}
# Load Assembly so we can easily generate a random password.[Reflection.Assembly]::LoadWithPartialName(”System.Web”)

$s = get-credential
connect-qadservice -credential $s -Service "mydomain.com"

Import-Csv "employeeIDList.txt" | foreach {
$user = get-QADObject -SearchRoot 'mydomain.com/People' -Type User -ldapFilter "(employeeID=$_.empID)"
if($user) {
write-host "Disabling " $user.samAccountName
# generate random password
$ranpassword = [System.Web.Security.Membership]::GeneratePassword(10,2)
# Disable User Account
$user | Disable-QADUser
# Set User's Description to Terminated and set a random password
$user | set-QADUser -Description "Terminated" -UserPassword $ranpassword
# Remove User from all Groups (does not include domain users)
$user.memberof | Get-QADGroup | Remove-QADGroupMember -member $user
# Move user to Terminated OU
$user | Move-QADUser -NewParentContainer 'mydomain.com/Terminated'
} else {
write-host $_.empID "not found in Active Directory"
}
$user = $False
}

Saturday, October 10, 2009

SMTP Relay with Exchange 2007 - part 2

Problem: I needed to add new applications / servers to the SMTP Relay Connector and document the additions.

Solution: Powershell script that reads a csv file with needed server / application / admin info. It then adds the IP address to the connector and logs the info to another CSV file.

CSV Files looks like this:
IP,Server,Admin,Application,fromaddr
10.0.0.1,SQL01,John Doe,SQL Mailer,jdoe@mydomain.com

Powershell script

----------------------------------

# Grab all our current connectors - should be 1 per hub server
$Connectors = Get-ReceiveConnector | where { $_.Name -eq "SMTP-Relay" }

# set value to current IP listed in first connector found
$ip = $connectors[0].RemoteIpRanges

# Open the File of IPs to add
$import = Import-Csv "1-NewSMTPRelayAddress.txt"
$updateConnector = $false

# Loop through CSV File
$import | Foreach {
# Set Vars
$newip = $_.ip

# Update Documentation (IP, Server, Admin, Application, Date Access Granted)
$thedate2 = Get-Date -f "yyyy-MM-dd HH:mm"
$out = $newip + "," + $_.Server + "," + $_.Admin + ","
$out += $_.Application + "," + $_.fromaddr + "," + $thedate2 + "`n"
$out | out-file SMTP_Relay_Access.csv -append

# add new ip to the list
$ip += $newip

# set a var so we know we need to update the connectors
$updateConnector = $true
}


if($updateConnector) {
# add those to all the connectors
$Connectors | Set-ReceiveConnector -RemoteIPRanges $ip
Write-host "The Following IPs are in the Connector" $ip

# Log run and clear file
$newname = $thedate + "_IPsAdded.txt"
copy-item -path "1-NewSMTPRelayAddress.txt" -destination "Log\$newname"
"IP,Server,Admin,Application,fromaddr" | out-file 1-NewSMTPRelayAddress.txt
} else {
write-host "No addresses found in the file"
}

Friday, October 9, 2009

SMTP Relay with Exchange 2007 - Part 1

Problem: We needed to allow specific servers / applications to send through our Exchange servers without first authenticating.

Solution: In order to do this we setup a send connector on our Exchange HUB servers that allowed any of the specified IP's to send without authentication.

Powershell to setup the Exchange Connector:

$remoteserver = '10.0.0.1'
$emaildomain = 'mydomain.com'
$HubServers = get-exchangeserver | where { $_.ServerRole -match "HubTransport" }
$HubServers | new-ReceiveConnector -Name 'SMTP-Relay' -Usage 'Custom' -Bindings '0.0.0.0:25' -Fqdn 'mydomain.com' -RemoteIPRanges '10.0.0.1' -AuthMechanism Tls,ExternalAuthoritative -PermissionGroups ExchangeServers