Archiving AD Accounts with PowerShell


Problem:

I work for a small K-12 school district. Often when teachers retire, they return as substitutes. We are also required to maintain public records for seven years. For these reasons, we do not delete staff accounts immediately after their employment ends.

I had a process for archiving employees and activating old accounts, but it was time-consuming. I also wanted to ensure that procedures were followed by new staff members. A few of the steps I take when archiving an account are setting Logon Workstation and Logon Hours, adding the account to an “Archived Users” group, removing all other groups, and, of course, disabling the account.

I knew I could automate this with PowerShell, but I am late to the game and didn’t really know where to start. I have adapted scripts for my needs, but I have not done a project like this from start to finish. In addition to automating some account management, I wanted to expand some PowerShell skills.

Solution:

I was lucky enough to attend Ignite 2018 and caught “Tools, tips and tricks from the SysAdmin field” by my friend, Harjit (@hoorge). Towards the end of the session, around 17:20, he shows Active Directory Administrative Center (ADAC) and the awesome Windows PowerShell History Viewer. For those unfamiliar with this feature, every action that you perform in ADAC generates PowerShell code.

Active Directory Administrative Center

Copy and paste the code into PowerShell ISE and string each step of your process together. You will end up with a script like the one below:

Set-ADUser -Identity:"CN=Mike,OU=Users,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com" -LogonWorkstations:"No-PC-for-You" -Replace:@{"logonHours"="0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0"}
Add-ADPrincipalGroupMembership -Identity:"CN=Mike,OU=Users,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com" -MemberOf:"CN=Archived Users,OU=Security Groups,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com"
Set-ADObject -Identity:"CN=Mike,OU=Users,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com" -Replace:@{'primaryGroupID'="2103"}
Remove-ADPrincipalGroupMembership -Confirm:$false -Identity:"CN=Mike,OU=Users,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com" -MemberOf:"CN=Domain Users,CN=Users,DC=corp,DC=viamonstra,DC=com"
Set-ADAccountExpiration -DateTime:"12/29/2018 00:00:00" -Identity:"CN=Mike,OU=Users,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com"

Not only do we have a starting point for a User Management script, but we are also getting a solid introduction to PowerShell and how it works. Taking this a step further, let’s look at how to replace the -Identity parameter with a variable. To accomplish this, I created two variables for the user account, $Account and $AccountDetails. $Account asks for the user name. $AccountDetails uses Get-ADUser to gather details of the account, specifically DistinguishedName.

$Account = Read-Host -Prompt 'Input the user name'
$AccountDetails = Get-ADUser $Account

At this point, we can now replace

-Identity:"CN=Mike,OU=Users,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com"

With

-Identity:$AccountDetails.DistinguishedName 

This small addition greatly increases the usefulness of this script. Since the Distinguished Name contains the full path, I do not need to worry about typos in OU names. Also, I can hand this script off to help desk staff to archive accounts without worrying that a step was missed. Below is the full script that I currently use when archiving accounts. You will notice that I added several more variables: $DenyHours, $ArchivedUsersGroup, and $DisableOU. I used Richard Siddaway’s blog post, https://richardspowershellblog.wordpress.com/2012/01/26/setting-a-users-logon-hours/ to declare $DenyHours. $ArchivedUsersGroup and $DisableOU are variables that I declared for my group and OU for disabled accounts.

#Declare Logon Hours
[byte[]]$DenyHours = @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
#Declare OUs
$DisableOU = "OU=- Disabled Accounts,OU=Users,DC=ViaMonstra,DC=org"
#Declare Groups
$ArchivedUsersGroup = "CN=Archived Users,OU=Groups,DC=ViaMonstra,DC=org"
# Input Account and get Account details
$Account = Read-Host -Prompt 'Input the user name'
$AccountDetails = Get-ADUser $Account
#Disable Account
Disable-ADAccount -Identity:$AccountDetails.DistinguishedName
# Set Logon Restrictions
Set-ADUser -Identity:$AccountDetails.DistinguishedName -LogonWorkstations:"No-PC-for-You" -Replace:@{logonHours=$DenyHours}
# Add Archive Flag for Email Autoreply Rules
Set-ADUser -Identity:$AccountDetails.DistinguishedName -Office:"Archive"
# Add Account to 'Archived Users' group and Set as primary
Add-ADGroupMember -Identity:$ArchivedUsersGroup -Members:$AccountDetails
Set-ADObject -Identity:$AccountDetails -Replace:@{'primaryGroupID'="ChangeToYourGroupID"}
# Set Description to Disabled Date
Set-ADUser $AccountDetails -Description "Account Disabled on $(Get-Date -format 'd')"
# Remove From all the Groups
Get-ADGroup -Filter {name -notlike "*Archived Users*"}  | Remove-ADGroupMember -Members $AccountDetails.samaccountname -Confirm:$False 
# Move Account to Disabled Users OU
Move-ADObject -Identity:$AccountDetails.DistinguishedName -TargetPath:$DisableOU
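
Since archived accounts are sometimes reactivated, it helps to record which groups an account belonged to before they are stripped. The function below is an added example, not part of the original script: it logs the memberships to a CSV file, removes the account only from groups it is actually in, and supports -WhatIf. The function name and log path are hypothetical, and it assumes the primary group has already been changed to the archive group as in the script above.

```powershell
# Added example: snapshot group memberships, then remove only those groups.
# Function name and $LogPath are hypothetical; adjust for your environment.
function Remove-ArchivedUserGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ArchivedUsersGroup,   # DN of the group to keep
        [string]$LogPath = '.\ArchivedGroupMemberships.csv'  # hypothetical log file
    )
    # -ErrorAction Stop: a mistyped user name ends the run before anything changes
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop

    # MemberOf lists group DNs and omits the primary group, which cannot be
    # removed while it is still primary
    $toRemove = @($user.MemberOf | Where-Object { $_ -ne $ArchivedUsersGroup })

    # Record what is about to be removed so the account can be restored later
    $toRemove | ForEach-Object {
        [pscustomobject]@{
            Date           = Get-Date -Format 's'
            SamAccountName = $user.SamAccountName
            GroupDN        = $_
        }
    } | Export-Csv -Path $LogPath -NoTypeInformation -Append

    foreach ($groupDn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.SamAccountName)")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }

    # Re-read the account and return the remaining memberships for review
    (Get-ADUser -Identity $user -Properties MemberOf).MemberOf
}
```

Run it with -WhatIf first to see which groups would be removed without changing anything.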

To recap, I defined a procedure to archive accounts. Using ADAC, I captured the PowerShell commands for each step. Finally, I replaced static information such as account name, OUs, and groups with variables. I hope that this gives you some ideas for managing user accounts with PowerShell in your environment.

Update – I added a screenshot of ADAC, changed the disable account to the cleaner “Disable-ADAccount” and fixed a couple of typos.

Working with CSV Files


Hey everyone, it’s been a little while since my last post, but work’s been busy. A recurring issue I see on TechNet is that plenty of people have trouble importing and exporting CSV files. Specifically, I see questions about how to modify CSV files. Personally, I don’t see any value in modifying the CSV file directly; I would rather import the data from the file and work with the dataset natively in PowerShell. Using one person’s thread as an example, he had a CSV file full of IP addresses that corresponded to his VMs. He wanted to add data about each VM based on the IP address, but wanted to know how to “modify the line” in the CSV file. He had already written part of the script to create the CSV by pinging each computer in his IP range and outputting that to CSV. For our test, here’s what our CSV looks like:

Now, let’s say we want to find the hostnames for each of these computers and add that to a new column. There are a couple of ways we could do this, but in an enterprise environment, a good way to do it is to just ask AD who it is. First, we create the empty “column” for our Hostname value.

Once that’s created, we need to fill it with values:

Keep in mind that you will see a lot of red text for any computer that doesn’t have an entry in AD. This could be a printer, a switch, etc. If you’re using Windows 8.1+ or Server 2012R2+, you can use the Resolve-DnsName cmdlet.
You can add more columns to the CSV by using the Add-Member cmdlet to your heart’s content, and when you’re done, you pipe your $dataset variable back to the Export-Csv cmdlet.
Really, once you start looking at CSV files as arrays of custom objects, they’re pretty easy to work with.
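
The whole procedure described above, as an added example that is not the code from the original post: import the CSV, add a Hostname column, fill it from AD with a DNS fallback, and export the result. The function name, the file paths, and the IPAddress column name are assumptions.

```powershell
# Added example. Function name, paths and the IPAddress column are assumptions.
function Add-HostnameColumn {
    param(
        [Parameter(Mandatory)][string]$InPath,
        [Parameter(Mandatory)][string]$OutPath
    )
    # Each row becomes a custom object with one property per column
    $dataset = Import-Csv -Path $InPath

    # Query AD once and index the computers by IP, instead of one query per row
    $byIp = @{}
    Get-ADComputer -Filter * -Properties IPv4Address |
        Where-Object IPv4Address |
        ForEach-Object { $byIp[$_.IPv4Address] = $_.DNSHostName }

    foreach ($row in $dataset) {
        # Create the empty "column", then fill it
        $row | Add-Member -MemberType NoteProperty -Name Hostname -Value $null -Force
        if ($byIp.ContainsKey($row.IPAddress)) {
            $row.Hostname = $byIp[$row.IPAddress]
        }
        else {
            # No AD entry (printer, switch, ...): try a reverse DNS lookup quietly
            $ptr = Resolve-DnsName -Name $row.IPAddress -Type PTR -ErrorAction SilentlyContinue
            if ($ptr) { $row.Hostname = ($ptr | Select-Object -First 1).NameHost }
        }
    }

    # Write the enriched dataset to a new file and return it for inspection
    $dataset | Export-Csv -Path $OutPath -NoTypeInformation
    $dataset
}
```

Rows that resolve in neither AD nor DNS keep an empty Hostname, which makes unmanaged devices on the range easy to pick out afterwards.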