Untitled

<#
.DESCRIPTION
This script provides a standard off-boarding method for staff leaving
the company.

The script does the following;
1. Disables the specified user account
2. Updates the user description with the user who disabled the account
and the time/date when the account was disabled
3. Moves the account to the disabled user account OU (needs to exist)
5. Convert to a shared mailbox
6. Set Out Of Office
7. Revoke O365 Licenses
8. Give users rights on shared mailbox

Version 1.1 - 15/06/2017
Initial release
#>

$textboxResults = New-Object 'System.Windows.Forms.RichTextBox'


Write-Host " **************** PLEASE ENTER ACTIVE DIRECTORY ADMIN CREDENTIALS **************** "
$Credential = Get-Credential -Credential "$env:USERDOMAIN\"
$DC = $env:LOGONSERVER.Substring(2)

#Initiate Remote PS Session to local DC
$ADPowerShell = New-PSSession -ComputerName $DC -Authentication Negotiate -Credential $Credential

# Import-Module ActiveDirectory
write-host "Importing Active Directory PowerShell Commandlets"
Invoke-Command -Session $ADPowerShell -scriptblock { import-module ActiveDirectory }
Import-PSSession -Session $ADPowerShell -Module ActiveDirectory -AllowClobber -ErrorAction Stop

# Retrieve AD Details
$ADDetails = Get-ADDomain
$Domain = $ADDetails.DNSRoot
Clear-Host

write-host "Importing Office 365 PowerShell Commandlets"
Write-Host -ForegroundColor White -BackgroundColor DarkBlue " **************** PLEASE ENTER OFFICE 365 ADMIN CREDENTIALS **************** "
$Office365User = ([adsi]"LDAP://$(whoami /fqdn)").mail
$Office365Credential = Get-Credential -Credential "$Office365User"
$Office365PowerShell = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Office365Credential -Authentication Basic -AllowRedirection
Import-PSSession $Office365PowerShell
Clear-Host

write-host " **************** Disable Active Directory User Account & Enable Out Of Office **************** "
write-host " "

# Get Variables
$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
$DisabledBy = Get-ADUser "$env:username" -properties Mail
$DisabledByEmail = $DisabledBy.Mail

# Prompt for AD Username
$Employee = Read-Host "Employee Username"
$EmployeeDetails = Get-ADUser $Employee -properties *
$GroupMembership = Get-ADUser $Employee -properties MemberOf
If ($EmployeeDetails.Manager -ne $null)
{
$Manager = Get-ADUser $EmployeeDetails.Manager -Properties Mail
}

# Prompt for Backup Colleague Username
$BackUp = Read-Host "Backup Colleague Username"
$BackUpDetails = Get-ADUser $BackUp -properties *

# Check which O365 License User has
Connect-MsolService -Credential $Office365Credential
$AccountSku = Get-MsolAccountSku

#$License = (Get-MSOLUser –UserPrincipalName $EmployeeDetails.mail).Licenses[0].AccountSkuID
# E1 = "tennant:STANDARDPACK"
# E3 = "tennant:ENTERPRISEPACK"
#write-host $License

# Clear-Host

# Prompt for confirmation
write-host " ******************************** CONFIRM USER DISABLE REQUEST ******************************** "
write-host " "
write-host -ForegroundColor Yellow "Please review the Employee details below to ensure you are disabling the correct user account."
$EmployeeDetails | fl Name, Title, Company, @{ Expression = { $_.mail }; Label = "Email Address" }, @{Expression = { $_.Created }; Label = "Employment Started"} | Out-String

$choice = " "
while ($choice -notmatch "[y|n]")
{
$choice = read-host "Do you want to continue? (Y/N)"
}


# Actions
if ($choice -eq "y")
{
Clear-Host
write-host " ******************************** DISABLING USER ACCOUNT ******************************** "
write-host " "
write-host "Step 1. Modifying user description for audit purposes" -ForegroundColor Yellow
Set-ADUser $Employee -Description "Disabled by $($DisabledBy.name) on $DisabledDate"

write-host "Step 2. Disabling $Employee Active Directory Account." -ForegroundColor Yellow
Disable-ADAccount $Employee
write-host "Step 3. Moving $Employee to the Disabled User Accounts OU." -ForegroundColor Yellow
Move-ADObject -Identity $EmployeeDetails.DistinguishedName -targetpath "OU="

write-host "Step 4. Removing $Employee from all Group memberships except Domain Users" -ForegroundColor Yellow
write-host " "
$GroupMembership.MemberOf | Remove-ADGroupMember -Member $Employee -Confirm:$false

write-host "Waiting 5 seconds for AD & Exchange OU update to complete"
    sleep -Seconds 5

write-host " "
write-host "Refreshing Employee Details for Exchange Modification."
Get-ADUser $Employee -properties * | Format-List Name, Description

write-host "Step 5. Setting Exchange Out Of Office Auto-Responder." -ForegroundColor Yellow
Set-MailboxAutoReplyConfiguration -Identity $EmployeeDetails.mail -AutoReplyState Enabled -InternalMessage " Put in Out Of Office here "

Write-Host "Step 6. Convert to a shared mailbox"
Set-Mailbox $EmployeeDetails.Mail -Type shared

Write-Host "Step 7. Revoke O365 Licenses"
$LicenseDetails = (Get-MsolUser -UserPrincipalName $EmployeeDetails.mail).Licenses
$LicenseDetails.Count;
# If there's a license, show the details.
# Otherwise, the output is blank.
if ($LicenseDetails.Count -gt 0){
  foreach ($i in $LicenseDetails){
    #$i.AccountSkuId
    if ($i.AccountSkuId -Match "tennant:VISIOCLIENT"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:VISIOCLIENT"
        }
                    if ($i.AccountSkuId -Match "tennant:EMSPREMIUM"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:EMSPREMIUM"
        }
                     if ($i.AccountSkuId -Match "tennant:POWER_BI_PRO"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:POWER_BI_PRO"
        }
                    if ($i.AccountSkuId -Match "tennant:ENTERPRISEPACK"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:ENTERPRISEPACK"
        }
                    if ($i.AccountSkuId -Match "tennant:FLOW_FREE"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:FLOW_FREE"
        }
                    if ($i.AccountSkuId -Match "tennant:POWERAPPS_VIRAL"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:POWERAPPS_VIRAL"
        }
                    if ($i.AccountSkuId -Match "tennant:CRMSTANDARD"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:CRMSTANDARD"
        }
                    if ($i.AccountSkuId -Match "tennant:POWER_BI_STANDARD"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:POWER_BI_STANDARD"
        }
                    if ($i.AccountSkuId -Match "tennant:EMS"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:EMS"
        }
                    if ($i.AccountSkuId -Match "tennant:CRMINSTANCE"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:CRMINSTANCE"
        }
                    if ($i.AccountSkuId -Match "tennant:PROJECTPROFESSIONAL"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:PROJECTPROFESSIONAL"
        }
                    if ($i.AccountSkuId -Match "tennant:DYN365_ENTERPRISE_TEAM_MEMBERS"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:DYN365_ENTERPRISE_TEAM_MEMBERS"
        }
                    if ($i.AccountSkuId -Match "tennant:STANDARDPACK"){
        Set-MsolUserLicense -UserPrincipalName $EmployeeDetails.Mail -RemoveLicenses "tennant:STANDARDPACK"
        }
    }
}

Write-Host "Step 8. Give users rights on shared mailbox and forward e-mail"
Write-Host "Write username for Full Access"
Add-MailboxPermission $Employee -User $BackUp -AccessRights FullAccess
Add-RecipientPermission $Employee -AccessRights SendAs -Trustee $Backup
Set-Mailbox $EmployeeDetails.mail -ForwardingAddress $BackUpDetails.mail
}else{
write-host " "
write-host "Employee disable request cancelled" -ForegroundColor Yellow
}