What to do with departed employees' accounts?

Hey All,

What do you do with the accounts of users who have left? Here is what I do:

A custom PowerShell script run from Windows Task Scheduler. The script finds all disabled users in the employees OU, resets each password to a random value, adds the account to a dedicated "Disabled Users" group that has access to nothing (I created this group manually) and makes it the primary group, removes the account from every other group, and finally moves it to a dedicated OU. One caveat: the filter catches every disabled account in that OU, not only leavers, so an account that was disabled temporarily (for example during extended leave) has its group memberships stripped on the next run and they are not recorded anywhere; keep temporarily disabled accounts in a different OU, or export their memberships before relying on this. The task should run under an account that has only the delegated rights it needs (reset password, modify membership, move objects in these OUs), not as a Domain Admin:


# Requires the ActiveDirectory module (RSAT). Run under an account that may
# reset passwords, change group membership and move objects in these OUs.
Import-Module ActiveDirectory

# Target OU for departed employees' accounts (created manually beforehand)
$TargetOU = "OU=DisabledUsers,OU=Office365,OU=Employees,OU=Accounts,DC=corp"

# Special group with "no access to anything" (created manually); it becomes the
# new primary group, so we need its primaryGroupToken (the group's RID)
$Group = Get-ADGroup -Identity "CN=Disabled Users,CN=Users,DC=corp" -Properties primaryGroupToken

# Helpers are defined once, outside the loop
function Get-RandomCharacters([int]$length, [string]$characters) {
    # Pick $length characters from $characters, with replacement.
    # Get-Random is not a cryptographic RNG; the password is never used by
    # anyone, it only makes the account unusable if it is re-enabled by mistake.
    $picked = 1..$length | ForEach-Object { $characters[(Get-Random -Maximum $characters.Length)] }
    return -join $picked
}

function Scramble-String([string]$inputString) {
    # Shuffle so the character classes do not appear in a predictable order
    return -join ($inputString.ToCharArray() | Get-Random -Count $inputString.Length)
}

# 1. Search for disabled users directly under the Office365 OU (OneLevel), so
#    accounts already moved to $TargetOU are not processed again on later runs
$DisabledUsers = Get-ADUser -SearchBase "OU=Office365,OU=Employees,OU=Accounts,DC=corp" -SearchScope OneLevel -Filter { Enabled -eq $false }

foreach ($DisabledUser in $DisabledUsers)
{
    # 2. Generate a random 20-character password and reset the account to it
    $password  = Get-RandomCharacters -length 9 -characters 'abcdefghiklmnoprstuvwxyz'
    $password += Get-RandomCharacters -length 3 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
    $password += Get-RandomCharacters -length 4 -characters '1234567890'
    $password += Get-RandomCharacters -length 4 -characters '!"§$%&/()=?}][{@#*+'
    $password  = Scramble-String $password
    Set-ADAccountPassword -Identity $DisabledUser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force)

    # 3. Add the user to the special group and make it the primary group
    #    (an account must already be a member of a group before it can become its primary group)
    Add-ADGroupMember -Identity $Group -Members $DisabledUser
    Set-ADUser -Identity $DisabledUser -Replace @{ primaryGroupID = $Group.primaryGroupToken }
    Start-Sleep -Seconds 5   # give the membership change a moment to settle

    # 4. Remove the user from all other groups, including Domain Users
    #    (possible now that it is no longer the primary group)
    Get-ADPrincipalGroupMembership -Identity $DisabledUser |
        Where-Object { $_.DistinguishedName -ne $Group.DistinguishedName } |
        Remove-ADGroupMember -Members $DisabledUser -Confirm:$false

    # 5. Move the account to the DisabledUsers OU
    Move-ADObject -Identity $DisabledUser.DistinguishedName -TargetPath $TargetOU
}
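A cleanup job is only as good as the state it leaves behind, so it is worth checking the DisabledUsers OU afterwards for accounts that drifted from the intended end state: re-enabled accounts, a primary group that is still Domain Users (RID 513), or leftover group memberships. The following audit script is an added example, not part of the original script or post; it assumes the same OU and group DNs as the cleanup script, and the `Get-DisabledUserDrift` function name is my own.

```powershell
# Added example (not from the original post): report accounts in the
# DisabledUsers OU that no longer match the intended "no access" end state.
Import-Module ActiveDirectory

# Same OU and group as the cleanup script (assumed)
$TargetOU = "OU=DisabledUsers,OU=Office365,OU=Employees,OU=Accounts,DC=corp"
$Group    = Get-ADGroup -Identity "CN=Disabled Users,CN=Users,DC=corp" -Properties primaryGroupToken

function Get-DisabledUserDrift {
    param(
        [string]$SearchBase,   # OU to audit
        $ExpectedGroup         # ADGroup object that should be every account's primary group
    )

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
        -Properties Enabled, primaryGroupID, memberOf, PasswordLastSet, whenChanged |
    ForEach-Object {
        $user     = $_
        $problems = @()

        # Someone re-enabled the account: together with a known password this is a live login path
        if ($user.Enabled) { $problems += 'Enabled' }

        # Primary group should be the quarantine group, not Domain Users (513) or anything else
        if ($user.primaryGroupID -ne $ExpectedGroup.primaryGroupToken) {
            $problems += "PrimaryGroup=$($user.primaryGroupID)"
        }

        # memberOf does not list the primary group, so for a compliant account it is empty.
        # Anything left here is an access path the account should not have.
        $extra = @($user.memberOf | Where-Object { $_ -ne $ExpectedGroup.DistinguishedName })
        if ($extra.Count -gt 0) { $problems += "ExtraGroups=$($extra.Count)" }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $user.SamAccountName
                Problems        = ($problems -join ';')
                ExtraGroups     = ($extra -join ';')
                PasswordLastSet = $user.PasswordLastSet   # should postdate the disable
                WhenChanged     = $user.whenChanged       # when the drift most likely happened
            }
        }
    }
}

Get-DisabledUserDrift -SearchBase $TargetOU -ExpectedGroup $Group | Format-Table -AutoSize
```

Run it from the same scheduled task after the cleanup, or on its own schedule, and treat any output as an incident to look at rather than something to silently re-fix: an account that was re-enabled inside the quarantine OU was re-enabled by someone with rights to do so, and you want to know who and why.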

Enjoy!
