Offboarding Scripts
Hi Experts,
I am really a noob in PowerShell, you can tell from how messy the script below is... :) and would like to seek your assistance.
I have modified certain scripts I found online to suit our company's needs for our User Offboarding process. We are on a hybrid set-up to Azure. All seems to be working fine (as I assume), but I would also need the following to be added:
- Remove the "Manager" set under "Organization" tab of the account
- Add the user to GG_Leavers & GG_Leavers_Post AD Group
- Hide from GAL (I have added it below but it does not work :( )
- Set Email default auto-response
Also, if the script can be enhanced to be more efficient or organized :)
<############################################################################################################
THIS SCRIPT WILL OFFBOARD USERS
Removes the user from all Azure AD groups
Removes the user from all Teams
Removes the user from all Distribution groups
Hides the user from the GAL
Converts the user to a shared mailbox
Removes the licenses, and prints which license it removed for canceling.
############################################################################################################>
Write-Host "
THIS SCRIPT IS CREATED TO OFFBOARD ANY USERS FROM LINKA GROUP,
PLEASE READ THE INSTRUCTIONS CAREFULLY IN GREEN TEXT.
BEFORE PROCEEDING, YOU HAVE AN OPTION TO COPY THE LEAVERS AD GROUP TO ANOTHER USER IF APPLICABLE,
TO SKIP, PRESS ENTER KEY TWICE
" -ForegroundColor Green
# Import AD commands
Import-Module ActiveDirectory
# Login name of user to copy FROM
$copyfrom = Read-Host "ENTER USERNAME TO COPY FROM: "
# Login name of user to copy TO
$pasteto = Read-Host "ENTER USERNAME TO COPY TO: "
# Get membership of FROM and add to TO (skipped when either prompt was left blank, as the banner promises)
if ($copyfrom -and $pasteto) {
    Get-ADUser -Identity $copyfrom -Properties memberOf | Select-Object -ExpandProperty memberOf | Add-ADGroupMember -Members $pasteto
}
Write-Host "
OFFBOARDING PROCESS WILL NOW COMMENCE
PLEASE ENTER LEAVERS ACCOUNT FOLLOWING THE FORMAT NAME.SURNAME (EXAMPLE: manny.pacqiuao)
" -ForegroundColor Green
<# --- Active Directory account dispensation section --- #>
$date = [datetime]::Today.ToString('dd-MM-yyyy')
# Get the name of the account to disable from the admin
$userToOffboardAD = Read-Host 'ENTER LEAVERS USERNAME'
Write-Host "
NOW, PLEASE ENTER LEAVERS FULL E-MAIL ADDRESS
YOU WILL BE PROMPTED TO LOG-IN TWICE, PLEASE LOG-IN USING YOUR
DOMAIN ADMIN ACCOUNT
" -ForegroundColor Green
### User info Offboarding from Azure ######
$userToOffboard = Read-Host "ENTER LEAVERS FULL EMAIL ADDRESS: "
$CustomerDefaultDomainname = "linka.onmicrosoft.com"
Write-Host "
THIS FIRST STEP WILL CREATE AND EXPORT A CSV FILE OF USERS AD GROUP MEMBERSHIP TO
ALPAAZ-FS01 F:\Information_Technology\Users\Offboard
FOR REFERENCE
" -ForegroundColor Green
# Get the properties of the account and set variables
$user = Get-ADUser $userToOffboardAD -Properties canonicalName, distinguishedName, displayName, mailNickname
$dn = $user.distinguishedName
$cn = $user.canonicalName
$din = $user.displayName
$UserAlias = $user.mailNickname
# Path building: UNC path to the hidden admin share (single quotes keep the '$' literal)
$path1 = '\\ALPAAZ-FS01\Information_Technology$\Users\Offboard\'
$path2 = 'AD_Groups.csv'
$pathFinal = $path1 + $din + "_" + $date + "_" + $path2
# Add the OU path where the account originally came from to the description of the account's properties
Set-ADUser $dn -Description ("Moved from: " + $cn + " - on $date")
Write-Host ("* " + $din + "'s Active Directory account path saved.")
# Get the list of permissions (group names) and export them to a CSV file for safekeeping
$groupinfo = Get-ADUser $userToOffboardAD -Properties memberOf | Select-Object name,
    @{ n = "GroupMembership"; e = { ($_.memberOf | ForEach-Object { Get-ADGroup $_ }).name } }
# One row per group (also correct when the user is in a single group, where indexing by
# $count would have walked the characters of the name); Select -Skip 1 drops the CSV header
$groupinfo.GroupMembership |
    ForEach-Object { [PSCustomObject]@{ GroupMembership = $_ } } |
    ConvertTo-Csv -NoTypeInformation |
    Select-Object -Skip 1 |
    Out-File $pathFinal
Write-Host ("* " + $din + "'s Active Directory group memberships (permissions) exported and saved to " + $pathFinal)
Write-Host "
NEXT STEP WILL
DELETE LEAVERS
AD GROUP,
AZURE AD GROUP,
TEAMS GROUP,
DISTRIBUTIONS GROUPS
CONVERT IT TO SHARED MAILBOX,
REMOVE USERS M365 LICENSE,
MOVE THE ACCOUNT TO DISABLE ACCOUNT OU,
RESET USERS PASSWORD
" -ForegroundColor Green
Write-Host "Logging into Azure AD." -ForegroundColor Green
Connect-AzureAD
Write-Host "Connecting to Exchange Online" -ForegroundColor Green
# Install the module only when it is missing instead of on every run
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser
}
Connect-ExchangeOnline
Write-Host "Removing user from Azure AD Groups" -ForegroundColor Green
$MemberID = (Get-AzureADUser -ObjectId $userToOffboard).ObjectId
# Cloud-only security groups; groups synced from on-prem AD cannot be changed here and are
# handled by the on-prem membership strip further down
Get-AzureADUserMembership -ObjectId $MemberID -All $true |
    Where-Object { $_.ObjectType -eq "Group" -and $_.SecurityEnabled -eq $true -and $_.MailEnabled -eq $false } |
    ForEach-Object {
        Write-Host " Removing user from $($_.DisplayName)" -ForegroundColor Green
        Remove-AzureADGroupMember -ObjectId $_.ObjectId -MemberId $MemberID
    }
Write-Host "Removing user from Unified Groups and Teams" -ForegroundColor Green
$OffboardingDN = (Get-Mailbox -Identity $userToOffboard -IncludeInactiveMailbox).DistinguishedName
Get-Recipient -Filter "Members -eq '$OffboardingDN'" -RecipientTypeDetails 'GroupMailbox' | ForEach-Object {
    Write-Host " Removing user from $($_.Name)" -ForegroundColor Green
    Remove-UnifiedGroupLinks -Identity $_.ExternalDirectoryObjectId -Links $userToOffboard -LinkType Member -Confirm:$false
}
Write-Host "Removing user from Distribution Groups" -ForegroundColor Green
Get-Recipient -Filter "Members -eq '$OffboardingDN'" | ForEach-Object {
    Write-Host " Removing user from $($_.Name)" -ForegroundColor Green
    Remove-DistributionGroupMember -Identity $_.ExternalDirectoryObjectId -Member $OffboardingDN -BypassSecurityGroupManagerCheck -Confirm:$false
}
Write-Host "Setting mailbox to Shared Mailbox" -ForegroundColor Green
# Identify the mailbox by its address, like the other Exchange Online calls
Set-Mailbox $userToOffboard -Type Shared
Write-Host "Hiding user from GAL" -ForegroundColor Green
# Hybrid: the on-premises attribute is authoritative, so it is set here and synced up.
# Exchange Online only shows the change after the next Azure AD Connect sync cycle has run.
Set-ADUser $userToOffboardAD -Replace @{ msExchHideFromAddressLists = $true }
Write-Host "Removing License from user." -ForegroundColor Green
$AssignedLicensesTable = Get-AzureADUser -ObjectId $userToOffboard | Get-AzureADUserLicenseDetail |
    Select-Object @{ n = "License"; e = { $_.SkuPartNumber } }, SkuId
if ($AssignedLicensesTable) {
    # Build the AssignedLicenses object the cmdlet expects; only RemoveLicenses is populated
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.RemoveLicenses = $AssignedLicensesTable.SkuId
    Set-AzureADUserLicense -ObjectId $userToOffboard -AssignedLicenses $licenses
}
Write-Host "Removed licenses:"
$AssignedLicensesTable
# Close the Exchange Online session opened above ($session was never defined, so Remove-PSSession did nothing)
Disconnect-ExchangeOnline -Confirm:$false
<############################################################################################################
- Disables user in AD.
- Resets the password of the user's AD account.
- Adds the path of the OU that the user came from to the "Description" of the account.
- Exports a list of the user's group memberships (permissions) to a CSV file in ALPAAZ-FS01 F:\Information_Technology\Users\Offboard.
- Strips AD group memberships from user's AD account.
- Moves user's AD account to the "Disabled Users" OU.
############################################################################################################>
# ($date and the ActiveDirectory module are already set up at the top of the script; Clear-Host
# is dropped here because it wiped the "Removed licenses" list the admin still needs to read)
# Disable the account
Disable-ADAccount $userToOffboardAD
Write-Host ($din + "'s Active Directory account is disabled.")
# Reset the password to a random value that is never displayed or stored. A password hard-coded
# in the script would be the same for every disabled account and known to anyone who reads the file.
$newPassword = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
Set-ADAccountPassword -Identity $userToOffboardAD -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
Write-Host ("* " + $din + "'s Active Directory password has been changed.")
# Strip the permissions from the account (-Confirm:$false avoids one prompt per group)
Get-ADUser $user -Properties memberOf | Select-Object -ExpandProperty memberOf |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $user -Confirm:$false }
Write-Host ("* " + $din + "'s Active Directory group memberships (permissions) stripped from account")
# Move the account to the Disabled Accounts OU
Move-ADObject -Identity $dn -TargetPath "OU=Disabled Accounts,DC=alpasg,DC=local"
Write-Host ("* " + $din + "'s Active Directory account moved to 'Disabled Accounts' OU")
Write-Host "
OFFBOARDING PROCESS COMPLETED, PLEASE VERIFY FROM THE OFFBOARDED ACCOUNT IF
- ACCOUNT IS NOW MOVED TO DISABLED ACCOUNT OU
- ACCOUNT IS NOW DISABLED
- PASSWORD WAS CHANGED RECENTLY
- ACCOUNT AD/AZURE MEMBERSHIPS ARE DELETED
- M365 LICENSE IS REMOVED
- ACCOUNT MAILBOX IS NOW A SHARED MAILBOX
" -ForegroundColor Green
APPRECIATE YOUR ASSISTANCE IN ADVANCE
THANK YOU!!
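The four items asked for at the top of the post, written as an added example that is not part of the original script: it assumes the `$userToOffboardAD` and `$userToOffboard` variables from the script, an already connected Exchange Online session, that the groups GG_Leavers and GG_Leavers_Post exist in on-prem AD, and that `$aadConnectServer` is a placeholder for the Azure AD Connect host (reachable over WinRM).

```powershell
# Added example, not from the original post. Must run AFTER the on-prem "strip group
# memberships" step, otherwise the leaver groups are stripped again straight away.
$leaverGroups     = @('GG_Leavers', 'GG_Leavers_Post')
$aadConnectServer = 'AADCONNECT-SERVER-PLACEHOLDER'   # assumption: Azure AD Connect hostname

# 1. Clear the Manager field (Organization tab) and read it back to confirm
Set-ADUser -Identity $userToOffboardAD -Clear manager
$adUser = Get-ADUser -Identity $userToOffboardAD -Properties manager, memberOf
if ($adUser.manager) { Write-Warning "Manager is still set on $userToOffboardAD" }

# 2. Add to the leaver groups, skipping any the account is already in (re-runnable)
foreach ($g in $leaverGroups) {
    $groupDn = (Get-ADGroup -Identity $g).DistinguishedName
    if ($adUser.memberOf -contains $groupDn) {
        Write-Host "Already a member of $g"
    } else {
        Add-ADGroupMember -Identity $g -Members $userToOffboardAD
        Write-Host "Added $userToOffboardAD to $g"
    }
}

# 3. Hide from the GAL. In a hybrid tenant the on-prem attribute is the source of truth and
#    Exchange Online only reflects it after Azure AD Connect has synced, so force a delta sync
#    instead of waiting for the scheduled cycle.
Set-ADUser -Identity $userToOffboardAD -Replace @{ msExchHideFromAddressLists = $true }
Invoke-Command -ComputerName $aadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. Default auto-reply for both internal and external senders
$reply = "$($adUser.Name) has left the company. Please contact the IT service desk for assistance."
Set-MailboxAutoReplyConfiguration -Identity $userToOffboard -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

# Verification: read the settings back instead of trusting that the cmdlets were silent.
# HiddenFromAddressListsEnabled only turns true once the sync above has completed.
$oof = Get-MailboxAutoReplyConfiguration -Identity $userToOffboard
Write-Host ("Auto-reply state        : " + $oof.AutoReplyState)
Write-Host ("Hidden from GAL (on-prem): " + (Get-ADUser $userToOffboardAD -Properties msExchHideFromAddressLists).msExchHideFromAddressLists)
Write-Host ("Hidden from GAL (EXO)    : " + (Get-Mailbox -Identity $userToOffboard).HiddenFromAddressListsEnabled)
```

If the EXO value is still false after the delta sync finishes, the on-prem write or the sync scope (not the GAL setting itself) is what to check next.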