  • Automating the leaver process

    I'm looking to automate our leaver process more to save time. Ideally I want to be able to point a script at a CSV file and have it do the following (or as much of the following as possible):
    • Disable AD account
    • Reset the P/W
    • Remove the groups
    • Delete any text in the office field
    • Add text to the Description field – this would say something like “Delete after 01/02/14”; the date would be 4 weeks from today, so this will change depending on today's date.
    • Move AD account to a specific OU

    The above process is taking me just over an hour each week, which is time I'd rather not be spending on mundane tasks.


    We receive a weekly email from HR with the users I need to disable which contains their email address.


    Can anyone point me in the right direction on how to script this?


    Thanks in advance

  • #2
    Re: Automating the leaver process

    You can do this with a (relatively simple) shell script. Locating an account object based on the e-mail address is a job for dsquery:
    Code:
    dsquery * -filter "(proxyAddresses=smtp:<[email protected]>)" -attr distinguishedName | find /v "distinguishedName"
    This will return the name of the account. The "find" command removes the column header, leaving only the Distinguished Name. You can put this in a batch file and store the account in a variable:
    Code:
    @echo off
    setlocal
    
    rem "delims=" keeps the whole output line: DNs contain spaces ("CN=John Smith,OU=...")
    for /f "delims=" %%a in ('dsquery * -filter "(proxyAddresses=smtp:%1)" -attr distinguishedName ^| find /v "distinguishedName"') do set account=%%a
    
    rem dsquery pads the column with trailing spaces; strip them one at a time
    :removetrailingspaces
    if "%account:~-1%"==" " set account=%account:~0,-1%
    if "%account:~-1%"==" " goto removetrailingspaces
    
    rem no matching account: return an error code instead of closing the calling console
    if "%account%"=="" exit /b 1
    Calling this script with the e-mail address as a parameter will fetch the Distinguished Name of the corresponding account from Active Directory and store it in the %account% variable. You can then simply perform the required operations on "%account%". The only non-trivial part is calculating the date 14 days into the future (which I'm sure can be easily done in PowerShell):
    Code:
    rem disable account
    dsmod user "%account%" -disabled yes
    
    
    rem set password
    dsmod user "%account%" -pwd SomePassword
    
    
    rem remove group membership
    rem dsget prints one quoted DN per line; "for /f" reads each line, "find" drops any
    rem line without an "=" (headers, "dsget succeeded"), and %%~a removes the quotes.
    rem Removing the primary group (usually Domain Users) is not possible and will error.
    for /f "delims=" %%a in ('dsget user "%account%" -memberOf ^| find "="') do dsmod group "%%~a" -rmmbr "%account%"
    
    
    rem delete text in the "Office" field
    dsmod user "%account%" -office ""
    
    
    rem add description
    rem involves converting the current date into a Julian date, adding 14,
    rem and converting back (thanks to stackoverflow.com)
    rem NOTE: assumes %date% ends in dd/mm/yyyy (check with "echo %date%"); adjust the offsets otherwise
    
    set /A yy=%date:~-4%, mm=1%date:~-7,2% %% 100, dd=1%date:~-10,2% %% 100
    set /A a=mm-14, julian=(1461*(yy+4800+a/12))/4+(367*(mm-2-12*(a/12)))/12-(3*((yy+4900+a/12)/100))/4+dd-32075
    rem 14 = number of days to keep the account; change to suit
    set /A julian=%julian%+14
    set /A l=%julian%+68569,n=(4*l)/146097,l=l-(146097*n+3)/4,i=(4000*(l+1))/1461001,l=l-(1461*i)/4+31,j=(80*l)/2447,dd=l-(2447*j)/80,l=j/11,mm=j+2-(12*l),yy=100*(n-49)+i+l
    if %dd% lss 10 set dd=0%dd%
    if %mm% lss 10 set mm=0%mm%
    
    rem change date format to suit your preferences
    set deletedate=%yy%-%mm%-%dd%
    
    dsmod user "%account%" -desc "Delete after %deletedate%"
    
    
    rem move account object to a specific OU
    dsmove "%account%" -newparent "OU=<someOU>,DC=domain,DC=etc"
    By the way, are you sure you really want to reset the password and remove all group memberships from the account? If the idea is to keep the account object around for 14 days just in case it may have to be reactivated, removing it from all groups will probably render the account useless.

    Deactivating the account and adding a descriptive text should suffice. Resetting the password may seem like a reasonable measure, but only if the value is kept secret or even better, a random value is used for each account.
    Last edited by Ser Olmy; 13th January 2014, 15:48.

    • #3
      Re: Automating the leaver process

      Originally posted by Ser Olmy
      By the way, are you sure you really want to reset the password and remove all group memberships from the account? If the idea is to keep the account object around for 14 days just in case it may have to be reactivated, removing it from all groups will probably render the account useless.

      Deactivating the account and adding a descriptive text should suffice. Resetting the password may seem like a reasonable measure, but only if the value is kept secret or even better, a random value is used for each account.
      Totally agree.

      Deland01, what version of Windows are your servers? Using a PowerShell script would be ideal.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      • #4
        Re: Automating the leaver process

        Guys,

        Thanks so much for this. I also agree with keeping group memberships, but we have a contractual obligation to remove the groups when we disable the accounts. I'm going to highlight the risk of not doing this when I'm next in the office. We have everything audited and logged, so we'd easily be able to see who changed what, so it seems unnecessary to also remove the groups.

        How would the script know where to look for the AD accounts? I need this to pull the accounts from an Excel spreadsheet/CSV we are sent each week.

        Also, when you say this is a shell script, will this all work in PowerShell?

        We have Win 2008 R2 DCs and I think a Win 2012 DC, but also have Win 2003 and Win 2012 servers.

        Thanks
        Last edited by Deland01; 14th January 2014, 10:12.

        • #5
          Re: Automating the leaver process

          Save the Excel sheet as a CSV file, and you can do this:
          Code:
          for /f "tokens=1 delims=," %a in (csvfile.txt) do <something> %~a
          The number after "tokens=" is the number of the column containing the mail addresses. The character(s) behind "delims=" is/are the delimiter(s). The tilde character in "%~a" strips any existing quotes around the data in the CSV file.

          If the batch file is saved as "disable.cmd" and the CSV file "accounts.txt" has the mail address in the 6th column, this would do the job:
          Code:
          for /f "tokens=6 delims=," %a in (accounts.txt) do disable.cmd %~a
          The relationship between PowerShell and the legacy command line is somewhat strained. Apparently, PowerShell was originally meant to be an extension of cmd.exe, but the PowerShell team couldn't get permission to alter the cmd.exe code, as it was handled by another team.

          Most semi-advanced cmd files will fail to execute in a PowerShell environment, as the syntax for many common commands has changed. The good news is that cmd files will run in any version of Windows.
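The workflow from post #2 (look the account up by e-mail address, disable it, reset the password, remove groups, clear Office, stamp a retention date, move it), driven by the per-row CSV loop from post #5, as an added PowerShell example that is not code posted in this thread. It assumes the RSAT ActiveDirectory module is installed, that HR's sheet is saved as a CSV with a header row and a column named `Email`, and that the `OU=<someOU>,DC=domain,DC=etc` placeholder is replaced with the real archive OU. The 28-day retention follows the question's "4 weeks from today", and the password is a fresh random value per account, as post #2 recommends.

```powershell
<#
  Added example, not code from the thread: a PowerShell version of the batch
  workflow in posts #2 and #5. Assumptions: RSAT ActiveDirectory module present,
  a CSV with a header row and an "Email" column, and a real OU substituted for
  the placeholder below. Run with -WhatIf first to preview without touching AD.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [string]$EmailColumn   = 'Email',                        # assumed header name in HR's CSV
    [string]$ArchiveOu     = 'OU=<someOU>,DC=domain,DC=etc', # placeholder from post #2; replace
    [int]   $RetentionDays = 28,                             # "4 weeks from today"
    [string]$LogPath       = '.\leavers.log'
)

Import-Module ActiveDirectory

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# A fresh random password per account: nobody needs to know it, so there is no
# shared value to leak (the point made at the end of post #2).
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Disable-Leaver {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Email)

    # Same lookup dsquery did in post #2 (proxyAddresses=smtp:...), with the plain
    # "mail" attribute as a fallback. Apostrophes are doubled for the AD filter.
    $safe   = $Email -replace "'", "''"
    $filter = "proxyAddresses -eq 'smtp:$safe' -or mail -eq '$safe'"
    $users  = @(Get-ADUser -Filter $filter -Properties memberOf)

    # Exactly one hit or nothing happens: an ambiguous address must be resolved by a human.
    if ($users.Count -ne 1) {
        Write-Log "SKIP  $Email : expected 1 account, found $($users.Count)"
        return
    }
    $user = $users[0]
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Process leaver')) { return }

    $deleteAfter = (Get-Date).AddDays($RetentionDays).ToString('dd/MM/yyyy')

    Disable-ADAccount     -Identity $user
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)

    # memberOf lists direct memberships only; the primary group (normally Domain
    # Users) is not in it, and could not be removed this way in any case.
    foreach ($groupDn in $user.memberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # Clear the Office field (LDAP name physicalDeliveryOfficeName) and write the
    # retention date into Description.
    Set-ADUser -Identity $user -Clear physicalDeliveryOfficeName `
               -Description "Delete after $deleteAfter"

    # Move last: the object is still addressable by GUID after its DN changes.
    Move-ADObject -Identity $user -TargetPath $ArchiveOu
    Write-Log "DONE  $Email -> $($user.SamAccountName), delete after $deleteAfter"
}

# Driver: one address per CSV row, the PowerShell counterpart of post #5's "for /f" loop.
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains $EmailColumn)) {
    throw "CSV '$CsvPath' is empty or has no '$EmailColumn' column; check the header row."
}

foreach ($row in $rows) {
    $email = [string]$row.$EmailColumn
    if ([string]::IsNullOrWhiteSpace($email)) { continue }
    try   { Disable-Leaver -Email $email.Trim() }
    catch { Write-Log "ERROR $email : $($_.Exception.Message)" }
}
```

Run it as `.\Disable-Leavers.ps1 -CsvPath .\leavers.csv -WhatIf` first: every change is wrapped in `ShouldProcess`, so the preview lists which accounts would be touched without modifying them, and the log records skipped, failed and completed addresses so the weekly run can be reviewed against HR's list.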

          • #6
            Re: Automating the leaver process

            Thanks, I'll give this a try when I'm back in the office.

            • #7
              Re: Automating the leaver process

              As Ser Olmy said, it isn't PowerShell.

              But I suggest using PowerShell if you can and writing the script using it. It is much more precise when parsing information and using it and it is much more robust too. It will be a lot easier to maintain, modify, and integrate than a batch script.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com
