This script disables AD users based on an input list (CSV) containing samAccountName values. It also changes the description of the targeted users, can move them to a designated Disable OU and, most importantly, backs up user data to a text file before it performs any action on a targeted user. Finally, it exports a report of user properties after the action is performed and lists the action taken on the accounts. During runtime it displays detailed information on the console for every action being performed. A couple of safety nets are in place to prevent the script from running if any important parameter or variable has been omitted or contains wrong information, or if the list provided has invalid formatting.
This script was run multiple times in production and it performed up to expectations. In this article I will be detailing every aspect of it.
The structure of it is made out of:
Logic Diagram will show detailed information on this subject.
When running this script in a new environment make sure to configure the variables. After it’s been configured with the right values the script can be run from the console requiring minimal input.
parameter name | description |
---|---|
-ticketNumber | (mandatory) [string] Input the related ticket number. This will be appended to the $ticketNumber string and form the Description for the disabled users. |
-moveOU | (optional) [switch] If this parameter is specified, a user that gets disabled will be moved to the OU set in the script's disableOU variable. If the user is already disabled, the move is not performed. |
-forceMoveOU | (optional) [switch] Use this parameter when you want to move the users to the disabled OU regardless of whether they were already disabled. |
variable name | description |
---|---|
$ticketNumber | Set your desired description here. It will be appended to every user's Description field (preserving the existing string), concatenated with the -ticketNumber parameter provided when running the script from the console. |
$importDataFile | Provide a CSV file that has the column header samAccountName followed by the usernames being targeted. |
$date | The output files will contain the runtime date. |
$exportLocation | The location of the export folder, used for the exported data. Make sure the folder exists. |
$exportBackupUserData | Text file to which backup user information is appended before any change is performed. |
$exportLog | CSV file that shows the script results. |
$disableOU | Specify the location of the OU users will be moved to. This requires the parameter -moveOU to be specified. |
$targetDomain | Specific domain the script is supposed to run against. With multi-domain forests in mind, this prevents the script from running in the currently logged-in domain if it doesn't match the specified domain name. To make sure you get the right domain, run this command in the console and verify that the output matches: `(Get-ADDomainController).Domain.Split('.')[0]` |
$VerbosePreference | Set to Continue, so the console shows Verbose information without the parameter having to be included. I feel it's better to see more information than less: this output shows vital information on the action taken, and it's easy to overlook the -Verbose parameter when running the script. |
Note: Each exported file will contain the current date.
At runtime the script will perform the following checks and stop in case any of them fail and provide console information:
Below is a part of the console display information at runtime:
```
> .\Disable-ADUsers.ps1 -ticketNumber hd-235 -moveOU
VERBOSE: Attempting to import userdata file .\userlist.csv
Succesfully imported userdata file.
VERBOSE: Verifying user data file for samAccountName property.
Property found.
VERBOSE: Verifying export folder location.
Test exportPath OK
VERBOSE: Verifying connected domain
Domain connection OK
VERBOSE: Gathering user data for: adelev
VERBOSE: Backing up user data to file: 4.5.2021_backupUserData.txt
VERBOSE: Attempting to change description filed for user: adelev
Changed description to: Disabled per AD Cleanup Project - hd-235
VERBOSE: Attempting to disable user: adelev
adelev has been disabled.
VERBOSE: Attempting to move user to disable OU
adelev has been moved to disable OU
VERBOSE: Exporting disable information to file
VERBOSE: Gathering user data for: awilber
VERBOSE: Backing up user data to file: 4.5.2021_backupUserData.txt
VERBOSE: Attempting to change description filed for user: awilber
Changed description to: Disabled per AD Cleanup Project - hd-235
VERBOSE: Attempting to disable user: awilber
awilber has been disabled.
VERBOSE: Attempting to move user to disable OU
awilber has been moved to disable OU
VERBOSE: Exporting disable information to file
```
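
The order of operations visible in the console output above (pre-flight checks first, then backup, then changes) can be sketched as follows. This is an added illustration, not the author's Disable-ADUsers.ps1: the paths, OU, domain name, the `M.d.yyyy` date format and the `$description`, `$backupFile` and `$wasEnabled` variable names are assumptions, and the report export is left out.

```powershell
# Added illustration, not the author's Disable-ADUsers.ps1; all values are placeholders.
param([Parameter(Mandatory)][string]$ticketNumber, [switch]$moveOU)
$ErrorActionPreference = 'Stop'          # any failed cmdlet aborts the run
Import-Module ActiveDirectory

$importDataFile = '.\userlist.csv'
$exportLocation = '.\export'
$date           = Get-Date -Format 'M.d.yyyy'             # assumed format
$backupFile     = Join-Path $exportLocation "${date}_backupUserData.txt"
$disableOU      = 'OU=Disabled,DC=example,DC=test'        # placeholder DN
$targetDomain   = 'example'                               # placeholder domain
$description    = "Disabled per AD Cleanup Project - $ticketNumber"

# Safety nets: stop before touching any account if an input is wrong.
$users = @(Import-Csv -Path $importDataFile)
if ($users.Count -eq 0 -or $users[0].PSObject.Properties.Name -notcontains 'samAccountName') {
    throw "CSV is empty or has no samAccountName column."
}
if (-not (Test-Path -Path $exportLocation -PathType Container)) {
    throw "Export folder '$exportLocation' does not exist."
}
$connected = (Get-ADDomainController).Domain.Split('.')[0]
if ($connected -ne $targetDomain) {
    throw "Connected to domain '$connected', expected '$targetDomain'."
}

foreach ($row in $users) {
    $user = Get-ADUser -Identity $row.samAccountName -Properties *
    # Back up every property before the first change so it can be reverted.
    $user | Format-List * | Out-File -FilePath $backupFile -Append
    $newDescription = "$($user.Description) $description".Trim()
    Set-ADUser -Identity $user -Description $newDescription
    $wasEnabled = $user.Enabled
    if ($wasEnabled) { Disable-ADAccount -Identity $user }
    # -moveOU skips accounts that were already disabled (see the parameter table).
    if ($moveOU -and $wasEnabled) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $disableOU
    }
}
```
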
This is a sample of the exported CSV (4.5.2021_disableReport.csv):
# | samAccountName | DistinguishedName | Enabled | Description | action | movedOU |
---|---|---|---|---|---|---|
1 | adelev | CN=Adele Vance,OU=Disabled M365,OU=users,OU=(snip),DC=orbi,DC=home | False | Disabled per: HD-235 | disabled | True |
2 | awilber | CN=Alex Wilber,OU=Disabled M365,OU=users,OU=_(snip),DC=orbi,DC=home | False | Disabled per: HD-235 | disabled | True |
3 | adeyoung | CN=Allan Deyoung,OU=Disabled M365,OU=users,OU=(snip),DC=orbi,DC=home | False | Disabled per: HD-235 | disabled | True |
Next is a sample of the backup user data that is appended to the output text file (4.3.2021_backupUserData.txt).
It contains all of the AD user's properties before any action is taken, just in case they need to be referenced or reverted.