# RetiredUser.ps1
# Description - script to automate basic retiring of user account.
#
# Created: 06/01/14
# Creator: Tim Sutton
#
# v2 - Tim Sutton 08/01/14
# - changed group removal method to prevent previous errors.
# - changed how description is written to include running username.
# - changed password reset to use random password.
# - added outputs for clarity.
# - added password output.
#
# v3 - Tim Sutton 16/01/14
# - added copying description to title field.
# - added confirmation prompt.
# - script echoes full display name for target account.
# - added sense of humour
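# This is where we define the parameters.
# Target OU for retired accounts, kept in one place instead of inline in the Move-ADObject call.
$retiredOu = 'ou=retired accounts,ou=uk,dc=domain,dc=local'
# Random password settings: 15 characters drawn from '.', 0-9, A-Z and a-z (ASCII code ranges).
$length  = 15
$punc    = 46..46
$digits  = 48..57
$letters = 65..90 + 97..122

#get UserName
$termuser = Read-Host "Enter user name to retire"
if ([string]::IsNullOrWhiteSpace($termuser)) {
    Write-Host "No user name entered - nothing to do." -ForegroundColor Red
    return
}

# Confirm User
# -ErrorAction Stop: an unknown account must stop the script here, before any change is made.
$FullName = Get-ADUser $termuser -Properties department -ErrorAction Stop
Write-Host "`nAccount selected: $($FullName.Name) of the $($FullName.Department) group?`n" -ForegroundColor Red
# $title was previously never assigned; PromptForChoice takes it as the caption.
$title    = 'Retire user account'
$prompt   = 'Should I [A]bort or [C]ontinue?'
$abort    = New-Object System.Management.Automation.Host.ChoiceDescription '&Abort', 'Aborts the operation'
$continue = New-Object System.Management.Automation.Host.ChoiceDescription '&Continue', 'Continues the operation'
$options  = [System.Management.Automation.Host.ChoiceDescription[]] ($abort, $continue)
# Default choice (last argument) is 0 = Abort, so a stray Enter does nothing destructive.
$choice = $host.UI.PromptForChoice($title, $prompt, $options, 0)

if ($choice -eq 0) {
    Write-Host "You chose to abort..."
    Write-Host "`nAbort! Abort! Abort!`n`nScript aborted ....... that was close.`n`n"
    # 'return' ends the script cleanly; a 'break' outside a loop can escape into the caller's loop instead.
    return
}
Write-Host "You chose to continue."
Write-Host "`n... Continuing ...`n"

# Clear account details
# Splatted so the long parameter list is a single command (it was previously wrapped mid-command,
# leaving -Office without its value).
$clearFields = @{
    Company       = $null
    Department    = $null
    Description   = $null
    Fax           = $null
    HomePhone     = $null
    MobilePhone   = $null
    Office        = $null
    PostalCode    = $null
    State         = $null
    StreetAddress = $null
    City          = $null
    OfficePhone   = $null
    Title         = $null
    HomePage      = $null
}
Get-ADUser $termuser | Set-ADUser @clearFields
Write-Host "* Cleared all user account fields for $($FullName.Name)"

# Remove all group memberships bar Domain Users
# memberof does not list the primary group, so Domain Users is left in place.
$userGroups = (Get-ADUser $termuser -Properties memberof).memberof
if ($userGroups) {
    $userGroups | Remove-ADGroupMember -Members $termuser -Confirm:$false
    Write-Host "* $($FullName.Name) removed from all distribution and security groups."
} else {
    Write-Host "* $($FullName.Name) had no group memberships to remove."
}

# Set description
$termDate     = Get-Date -UFormat "%Y-%m-%d"
$terminatedBy = $env:USERNAME
$termUserDesc = $termDate + " Moved to Retired Accounts OU - " + $terminatedBy
Set-ADUser $termuser -Description $termUserDesc -Title $termUserDesc
Write-Host "* Description set to: $termUserDesc"
Write-Host "* Title set to: $termUserDesc"

# Set Password
# Get-Random -Count samples without replacement from the 63-character pool. It is not a
# cryptographic RNG; that is tolerable only because the account is being retired and the
# password is never meant to be used again.
$password = -join (Get-Random -Count $length -InputObject ($punc + $digits + $letters) | ForEach-Object { [char]$_ })
Get-ADUser $termuser | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force)
# NOTE(review): this writes the new credential to the console and to any Start-Transcript log;
# since nobody should ever sign in to a retired account, consider dropping this line.
Write-Host "* Reset password to: $password"

# Move to retired ou
# NOTE(review): the account is left enabled; retirement usually also disables it
# (Disable-ADAccount) - confirm against local policy before adding that step.
Get-ADUser $termuser | Move-ADObject -TargetPath $retiredOu
Write-Host "* $($FullName.Name) moved to Retired Users OU`n"
Write-Host "Mischief done ....`n"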