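# RetiredUser.ps1
# Description - script to automate basic retiring of user account.
#
# Created: 06/01/04
# Creator: Tim Sutton
#
# v2 - changed group removal method to prevent previous errors.
#    - changed how description is written to include running username.
#    - changed password reset to use random password.
#    - added outputs for clarity.
#    - added password output.
#
# Steps, in order: clear the account's descriptive attributes, remove it from
# every group listed in memberOf, stamp the description with date and operator,
# reset the password to a random value, and move the object to the retired OU.
#
# NOTE(review): nothing in this script disables the account; if a retired
# account must not be able to log on, confirm that happens elsewhere.

# This is where we define the parameters.

# Get the user name to retire.
$termuser = Read-Host "Enter user name to retire"

# An empty answer would be passed straight to the AD cmdlets; stop instead.
if ([string]::IsNullOrWhiteSpace($termuser)) {
    Write-Error "No user name entered - nothing to do."
    exit 1
}

# Resolve the account once, up front. Previously a mistyped name let every
# later step fail one by one while the success messages were still printed.
try {
    $adUser = Get-ADUser -Identity $termuser -Properties MemberOf -ErrorAction Stop
}
catch {
    Write-Error "Cannot find or read user account '$termuser': $($_.Exception.Message)"
    exit 1
}

# Clear account details
$adUser | Set-ADUser -Company $null -Department $null -Description $null -Fax $null `
    -HomePhone $null -MobilePhone $null -Office $null -PostalCode $null -State $null `
    -StreetAddress $null -City $null -OfficePhone $null -Title $null -HomePage $null
write-host "* Cleared all user account fields for" $termuser

# Remove all group memberships bar Domain Users.
# memberOf does not list the primary group, which is why that one survives.
$userGroups = $adUser.MemberOf
if ($userGroups) {
    # Guarded: piping an empty membership list into Remove-ADGroupMember
    # produces a binding error for users who are in no other groups.
    $userGroups | Remove-ADGroupMember -Members $adUser -Confirm:$false
}
write-host "* Removed from all distribution and security groups from" $termuser

# Set description: date, fixed text, and the operator who ran the script.
$termDate = Get-Date -UFormat "%Y-%m-%d"
$terminatedby = $env:username
$termUserDesc = $termDate + " Moved to Retired Accounts OU - " + $terminatedby
Set-ADUser -Identity $adUser -Description $termUserDesc
write-host "* Description set to: " $termUserDesc

# Set Password
# Alphabet is '.', 0-9, A-Z, a-z (63 symbols), same as before. Characters are
# now drawn independently from the OS cryptographic RNG; the earlier
# Get-Random -Count call sampled without replacement, so no character could
# ever repeat, which shrinks the space of possible passwords.
# NOTE(review): a draw may lack a digit or a '.', so a domain complexity
# policy could reject it - check the output of the reset step.
$length = 15
$alphabet = [char[]](@(46) + 48..57 + 65..90 + 97..122)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try {
    # Discard bytes at or above the largest multiple of the alphabet size so
    # that the modulo below does not favour the first few symbols.
    $limit = 256 - (256 % $alphabet.Length)
    $buffer = New-Object byte[] 1
    $chars = New-Object System.Text.StringBuilder
    while ($chars.Length -lt $length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            [void]$chars.Append($alphabet[$buffer[0] % $alphabet.Length])
        }
    }
    $password = $chars.ToString()
}
finally {
    $rng.Dispose()
}
$adUser | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force)
# NOTE(review): the new password is echoed in clear text (kept from v2). It
# will also end up in console scrollback and any active transcript; consider
# whether anyone needs to know the password of a retired account at all.
write-host "* Reset password to: " $password

# Move to retired ou (last, because the move changes the distinguished name)
$adUser | Move-ADObject -TargetPath 'ou=retired accounts,ou=uk,dc=domain,dc=local'
write-host "* " $termuser "moved to Retired Users OU"
Exit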