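# RetiredUser.ps1
# Description - script to automate basic retiring of user account.
#
# Created: 06/01/14
# Creator: Tim Sutton
#
# v2 - Tim Sutton 08/01/14
#  - changed group removal method to prevent previous errors.
#  - changed how description is written to include running username.
#  - changed password reset to use random password.
#  - added outputs for clarity.
#  - added password output.
#
# v3 - Tim Sutton 16/01/14
#  - added copying description to title field.
#  - added confirmation prompt.
#  - script echoes full display name for target account.
#  - added sense of humour
#
# What the script does to the account named at the prompt, in order:
#   1. looks the account up and asks for confirmation (name + department shown);
#   2. clears the free-text attributes (company, department, phones, address...);
#   3. removes every group listed in memberOf;
#   4. writes a dated description and title naming who ran the script;
#   5. resets the password to a random value and prints it;
#   6. moves the object into the retired-accounts OU.
# Requires the ActiveDirectory module (Get-ADUser, Set-ADUser, Remove-ADGroupMember,
# Set-ADAccountPassword, Move-ADObject).
# NOTE(review): the account is NOT disabled by this script - it stays enabled
# with the new password. Add Disable-ADAccount if retired accounts must not sign in.

# Make every AD cmdlet failure terminating. Continuing past a failed step would
# leave a half-retired account (e.g. groups removed but password still known).
$ErrorActionPreference = 'Stop'

# This is where we define the parameters.
# Destination OU for retired accounts; adjust for the local forest.
$RetiredOU = 'ou=retired accounts,ou=uk,dc=domain,dc=local'
# Length of the generated replacement password.
$PasswordLength = 15

#######################################
# New-RandomPassword
# Builds a random password from a cryptographic RNG.
# Character set is the same as the original ('.', 0-9, A-Z, a-z); the original
# used Get-Random, which is not a CSPRNG, and -Count sampled without
# replacement so no character could repeat. Here each position is drawn
# independently with rejection sampling, so every character is equally likely.
# Arguments: -Length  number of characters (default 15)
# Outputs:   the password as a plain string on the pipeline
#######################################
function New-RandomPassword {
    param([int]$Length = 15)
    $alphabet = [char[]]'.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    # Largest multiple of the alphabet size that fits in one byte; bytes at or
    # above it are discarded to avoid modulo bias.
    $limit = 256 - (256 % $alphabet.Length)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1
    $chars = New-Object System.Text.StringBuilder
    try {
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) {
                [void]$chars.Append($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    return $chars.ToString()
}

#get UserName
$termuser = Read-Host "Enter user name to retire"
if ([string]::IsNullOrWhiteSpace($termuser)) {
    # Get-ADUser with an empty identity would throw an unhelpful error.
    Write-Host "No user name entered - nothing to do." -ForegroundColor Red
    exit 1
}

# Confirm User
try {
    $account = Get-ADUser $termuser -Properties department
} catch {
    Write-Host "Could not find account '$termuser': $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
Write-Host `n "Account selected:" $account.Name "of the" $account.Department "group?" `n -ForegroundColor Red

# $title was never assigned in earlier versions, so the prompt had no heading.
$title = 'Retire account'
$prompt = 'Should I [A]bort or [C]ontinue?'
$abort = New-Object System.Management.Automation.Host.ChoiceDescription '&Abort', 'Aborts the operation'
$continue = New-Object System.Management.Automation.Host.ChoiceDescription '&Continue', 'Continues the operation'
$options = [System.Management.Automation.Host.ChoiceDescription[]] ($abort, $continue)
# Default (index 0) is Abort, so an accidental Enter does nothing destructive.
$choice = $host.UI.PromptForChoice($title, $prompt, $options, 0)

if ($choice -eq 0) {
    Write-Host "You chose to abort..."
    Write-Host `n "Abort! Abort! Abort!" `n `n "Script aborted ....... that was close." `n `n
    # exit (not break) so the abort is a clean, non-zero script exit even when dot-sourced.
    exit 1
}
Write-Host "You chose to continue."
Write-Host `n "... Continuing ..." `n

# Clear account details
Get-ADUser $termuser | Set-ADUser -Company $null -Department $null -Description $null -Fax $null `
    -HomePhone $null -MobilePhone $null -Office $null -PostalCode $null -State $null `
    -StreetAddress $null -City $null -OfficePhone $null -HomePage $null -Title $null
Write-Host "* Cleared all user account fields for" $account.Name

# Remove all group memberships bar Domain Users
# (the primary group is not part of memberOf, so it is left untouched).
$userGroups = (Get-ADUser $termuser -Properties memberOf).memberOf
if ($userGroups) {
    # Skip the pipeline entirely for an account with no group memberships.
    $userGroups | Remove-ADGroupMember -Members $termuser -Confirm:$false
}
Write-Host "* " $account.Name "removed from all distribution and security groups."

# Set description (and copy it to the title field, per v3)
$termDate = Get-Date -UFormat "%Y-%m-%d"
$terminatedby = $env:USERNAME
$termUserDesc = $termDate + " Moved to Retired Accounts OU - " + $terminatedby
Set-ADUser $termuser -Description $termUserDesc -Title $termUserDesc
Write-Host "* Description set to: " $termUserDesc
Write-Host "* Title set to: " $termUserDesc

# Set Password
$password = New-RandomPassword -Length $PasswordLength
Get-ADUser $termuser | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force)
# NOTE(review): printing the password is deliberate (v2) but it ends up in any
# transcript or console log; drop this line if nobody needs to sign in as the account.
Write-Host "* Reset password to: " $password

# Move to retired ou
Get-ADUser $termuser | Move-ADObject -TargetPath $RetiredOU
Write-Host "* " $account.Name "moved to Retired Users OU" `n
Write-Host "Mischief done ...." `n
exit 0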