
PowerShell | Offboarding Users

Offboarding Users by EmployeeID

I worked at a company where the accounts were all managed by EmployeeID, and that was the only reliable way to query user data. The script goes through and performs many offboarding tasks, documenting the work along the way; for example, group membership is saved to a file before the user is removed from Active Directory groups. The script could be rewired to use any attribute really: just alter the first few lines where the user input is gathered. Instead of EmployeeID it could use SamAccountName.

<#
Summary:

Note: We have a custom value in AD called EmployeeID; you may need to adjust the script to fit your unique needs.

          Request input from user
          Get user by Employee ID
          Check for Duplicate Emp ID
          Check to see if account found
          Display account information
          Terminate User Option
          Update Description Field
          Set Manager and Phone to NULL
          Export List of AD Groups
          Remove Groups from User Account
          Create & Format Date - Append to Name Field Because of Duplicates
          Disable AD Account
          Move User Account to Inactive Users OU
          Export Home Directory

Author:   Scott Head
Date:     02/09/2022
Version:  1.0
#>

Import-Module ActiveDirectory

#Folder that receives the per-user group log and the home directory list
$LogFolder = 'C:\UserGroupLog'
If (-not (Test-Path $LogFolder)) { New-Item -ItemType Directory -Path $LogFolder | Out-Null }

#Get Input From User
$EmployeeID = Read-Host "Enter EmployeeID"

#Check for Account in AD (the AD module expands $EmployeeID inside the single-quoted filter)
$MyUserInfo = Get-ADUser -Filter 'EmployeeID -eq $EmployeeID' -Properties Office | Select GivenName, Surname, Office

#Check for Duplicate EmployeeID's
If ($MyUserInfo.Count -gt 1) {
    Write-Host "Multiple Accounts Found - Program Closed"
    Return
}

#Check to See if Account is Found
If ($Null -eq $MyUserInfo) {
    Write-Host "No Account Found - Program Closed `n"
    Return
}
Else {
    Write-Host "First Name: $($MyUserInfo.GivenName)"
    Write-Host "Last Name: $($MyUserInfo.Surname)"
    Write-Host "Office: $($MyUserInfo.Office) `n"
}

#After User Reviews Output : Option to Terminate User Account
$Decision = Read-Host "Terminate User Press 1"

If ($Decision -eq 1) {
    Write-Host "Terminating User Account......."

    #Look the account up once and reuse the object instead of re-querying AD at every step
    $MyADUser    = Get-ADUser -Filter 'EmployeeID -eq $EmployeeID' -Properties HomeDirectory
    $MyADUserSam = $MyADUser.SamAccountName
    $GroupLog    = Join-Path $LogFolder "$EmployeeID.txt"

    #--1-&-2--Update Description Field and Set Manager and Phone to NULL-------------------------------------------
    $MyDateInfo = Get-Date -Format yyyy-MM-dd
    $MyDateInfo = "Termed $MyDateInfo"
    $DescriptionUpdate = "$MyDateInfo - $EmployeeID"
    $MyADUser | Set-ADUser -Description $DescriptionUpdate -Manager $Null -OfficePhone $Null

    #--3---Export List of AD Groups---------------------------------------------------------
    #Export User Name to File (written before any group is removed so membership can be restored)
    $MyADUserSam | Out-File $GroupLog -Append
    #Get ADGroups Not Equal to Domain Users (the primary group, which cannot be removed anyway)
    $MyADGroups = $MyADUser | Get-ADPrincipalGroupMembership | Where { $_.Name -ne "Domain Users" }
    #Export ADGroup names to Same File
    $MyADGroups | Select -ExpandProperty Name | Out-File $GroupLog -Append

    #--4--Remove Groups from User Account-----------------------------------------------------------------------
    #Pass the group objects themselves: -Identity takes a DN, GUID, SID or SamAccountName, not the display Name
    Foreach ($MyGroup in $MyADGroups) { Remove-ADGroupMember -Identity $MyGroup -Members $MyADUser -Confirm:$False }
    "AD Groups Removed" | Out-File $GroupLog -Append

    #--5--Create & Format Date - Append to Name Field Because of Duplicates-------------------------------------
    $DateAdd = Get-Date -Format "MMddyyyyHHmmss"
    $NewADName = "$($MyADUser.Name) - $DateAdd"
    Get-ADUser $MyADUserSam | Rename-ADObject -NewName $NewADName

    #--6--Disable AD Account-----------------------------------------------------------------------------------
    #Re-read by SamAccountName from here on: the rename above changed the object's distinguished name
    Get-ADUser $MyADUserSam | Disable-ADAccount

    #--7--Move User Account to Inactive Users OU--------------------------------------------------------------
    Get-ADUser $MyADUserSam | Move-ADObject -TargetPath 'OU=InactiveAccounts,OU=Accounts,DC=YourDomain,DC=net'

    #--8--Export Home Directory--------------------------------------------------------------------------------
    $NDrive = $MyADUser.HomeDirectory
    $NDrive | Out-File (Join-Path $LogFolder 'AA_User_Profiles.txt') -Append

    Write-Host "Process Complete - Program Closed..."
}
Else {
    Write-Host "Account NOT Terminated - Program Closed `n"
}
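As an added example, not part of the original script, here is a verification function to run after the script above has finished: it checks that the account is disabled, has no group memberships left, has manager and phone cleared, carries the "Termed" description, sits in the inactive OU, and that the group log the script writes before removal actually exists. The OU and log folder defaults are the same placeholders the script uses; adjust them to your domain.

```powershell
# Added example (not part of the original script): confirm that an offboarded
# account ended up in the state the script intends, and report what did not.
function Test-OffboardedUser {
    param(
        [Parameter(Mandatory)][string]$EmployeeID,
        # Same placeholder OU and log folder as the script above
        [string]$InactiveOU = 'OU=InactiveAccounts,OU=Accounts,DC=YourDomain,DC=net',
        [string]$LogFolder  = 'C:\UserGroupLog'
    )
    Import-Module ActiveDirectory

    # The AD module expands $EmployeeID inside the single-quoted filter
    $user = Get-ADUser -Filter 'EmployeeID -eq $EmployeeID' `
        -Properties Description, Manager, OfficePhone, MemberOf
    if (-not $user)        { throw "No account with EmployeeID $EmployeeID" }
    if ($user.Count -gt 1) { throw "EmployeeID $EmployeeID is not unique" }

    $failures = @()
    if ($user.Enabled)                         { $failures += 'account still enabled' }
    # MemberOf excludes the primary group (Domain Users), so it should be empty
    if ($user.MemberOf.Count -gt 0)            { $failures += "still in $($user.MemberOf.Count) group(s)" }
    if ($user.Manager)                         { $failures += 'manager still set' }
    if ($user.OfficePhone)                     { $failures += 'office phone still set' }
    if ($user.Description -notlike 'Termed *') { $failures += 'description not updated' }
    if ($user.DistinguishedName -notlike "*,$InactiveOU") { $failures += 'not in inactive OU' }

    # The script records the removed groups before removing them; make sure that
    # evidence file exists so the membership can be restored if needed.
    $logFile = Join-Path $LogFolder "$EmployeeID.txt"
    if (-not (Test-Path $logFile)) { $failures += "group log $logFile missing" }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Passed         = ($failures.Count -eq 0)
        Failures       = $failures
    }
}

Test-OffboardedUser -EmployeeID (Read-Host 'Enter EmployeeID to verify')
```

A Passed of $false with the Failures list tells you which step of the offboarding did not take effect and needs a second look.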
