
PowerShell Script to Send Email Notifications and Automatically Move and Disable SharePoint Users in Active Directory

While I'm very aware of Microsoft Forefront Identity Manager's (FIM) ability to handle SharePoint user provisioning, FIM is not yet set up in my environment, so for the time being I needed to create a PowerShell script to identify "stale" accounts in Active Directory: external users who have not authenticated to the portal in a given time. The policy is to notify users who have not authenticated to the portal in 50, 60, 80 and 90 days, and at the 60-day mark to move the identified users to a "disabled" OU in AD and disable their accounts. Note that the day-90 step as posted only sends the "account deleted" notification; the script does not itself delete the account. Below is the script I used to accomplish this.
Replace the placeholder values (the LDAP paths, SMTP server address, e-mail addresses and URLs, shown in upper case) with your own. Because the script moves and disables user objects, run it under a dedicated service account that has been delegated those rights on the Portal Users OU only, not as a Domain Admin.

——————————————————————————————————————

$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.PageSize = 1000
$ADSearch.SearchScope = "Subtree"
# AD path to the Portal Users OU in Active Directory (replace with your own)
$ADSearch.SearchRoot = [ADSI]"LDAP://OU=OU,OU=OU,OU=OU,DC=DC,DC=DC"
# Only accounts whose last logon is older than this many days are processed
$daysOld = 1

$today = Get-Date
$daywarning = Get-Date
$oldestValidLogon = $today.AddDays(-$daysOld)
$EmailSentDate = $today.ToString("MM-dd-yyyy")

# Create the (tab-delimited) .csv file that holds the Portal users found in AD.
$logFile = "d:\Portal\PortalUsers_" + $EmailSentDate + ".csv"

"DisplayName`tSamAccountName`tPhone`tMail`tDays InActive`tLastLogon`tDirectorate`tDN`tDescription" >> $logFile

# Create txt file of Disabled Portal Users.
$DisabledEmailSent = "d:\Portal\Portal-DisabledUsers_" + $EmailSentDate + ".txt"
# Create txt file of Deleted Portal Users.
$DeletedEmailSent = "d:\Portal\Portal-DeletedUsers_" + $EmailSentDate + ".txt"

——————————————————————————————————————

# objectCategory=person excludes computer objects, which are also objectClass=user
$ADSearch.Filter = "(&(objectCategory=person)(objectClass=user))"
# [void] keeps the index that Add() returns from being written to the pipeline
[void]$ADSearch.PropertiesToLoad.Add("distinguishedName")
[void]$ADSearch.PropertiesToLoad.Add("sAMAccountName")
[void]$ADSearch.PropertiesToLoad.Add("lastLogonTimeStamp")
[void]$ADSearch.PropertiesToLoad.Add("displayName")
[void]$ADSearch.PropertiesToLoad.Add("mail")
[void]$ADSearch.PropertiesToLoad.Add("telephoneNumber")
[void]$ADSearch.PropertiesToLoad.Add("description")

$userObjects = $ADSearch.FindAll()

foreach ($user in $userObjects)
{
    $dn          = [string]$user.Properties.Item("distinguishedName")[0]
    $displayName = [string]$user.Properties.Item("displayName")[0]
    $mail        = [string]$user.Properties.Item("mail")[0]
    $phone       = [string]$user.Properties.Item("telephoneNumber")[0]
    $sam         = [string]$user.Properties.Item("sAMAccountName")[0]
    $logon       = $user.Properties.Item("lastLogonTimeStamp")
    $description = [string]$user.Properties.Item("description")[0]

    # Get last logon. lastLogonTimeStamp is a FILETIME (100 ns ticks since 1601-01-01),
    # so convert it with FromFileTime rather than casting the raw Int64 to [DateTime].
    if ($logon.Count -eq 0)
    {
        $lastLogon = $null   # never logged on
    }
    else
    {
        $lastLogon = [DateTime]::FromFileTime([Int64]$logon[0])
    }

    # Only process accounts with a last logon older than the cutoff; never-logged-on accounts are skipped
    if ($lastLogon -ne $null -and $lastLogon -lt $oldestValidLogon)
    {
        # Whole days since the last logon, measured from today so the thresholds below match the policy
        $inActive = ($today - $lastLogon).Days

        [string]$Dir = $dn

        # Reduce $dn to the containing OU so it is readable in the .csv file
        if ($Dir -like "*OU=CAC_Accounts*")
        {
            $Dir = "CAC_Accounts"
        }
        if ($Dir -like "*Disabled External Accounts*")
        {
            $Dir = "Disabled External Accounts"
        }
        if ($Dir -like "*Non_CAC_Accounts*")
        {
            $Dir = "Non_CAC_Accounts"
        }

        # Warning date quoted in the reminder emails: 10 days out from today
        $warning = $daywarning.AddDays(10).ToString("MM/dd/yyyy")

——————————————————————————————————————

        # EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 50 DAYS
        # (skipped when the account has no mail attribute; Send() would otherwise throw and abort the run)

        if ($inActive -eq 50 -and $mail)
        {
            $emailFrom = "EMAIL FROM ACCOUNT"
            $emailTo = $mail
            $subject = "Portal Account Inactivity Reminder – Day 50"
            $body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 50 days. You must log in to the portal in the next 10 days or your account will be disabled on $warning.`r`n`r`nThank You."
            $smtpServer = "SMTP IP ADDRESS"
            $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

            $smtp.Send($emailFrom, $emailTo, $subject, $body)
        }

——————————————————————————————————————

        # EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 60 DAYS, THEN MOVE AND DISABLE THE ACCOUNT

        if ($inActive -eq 60)
        {
            if ($mail)
            {
                $email = New-Object System.Net.Mail.MailMessage
                $email.From = "EMAIL FROM ACCOUNT"
                $email.To.Add($mail)
                $email.Subject = "Portal Account Inactivity – Account Disabled"
                $email.Body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 60 days. Your account has been temporarily disabled.`r`n`r`nPlease go to URL OF REGISTER SITE for instructions on how to recover your CAC or username/password account. You can also contact the help desk via email at HELP DESK EMAIL if you have questions or need assistance.`r`n`r`nThank You."

                $smtpServer = "SMTP IP ADDRESS"
                $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

                $smtp.Send($email)
            }

            # MOVE USER TO DISABLED OU IN ACTIVE DIRECTORY AND DISABLE ACCOUNT

            # ADsPath of the search hit, e.g. LDAP://CN=...,OU=...,DC=...
            $ADSPath = $user.Path

            "UsersToMove: " + $ADSPath >> "d:\Portal\UsersToMove.txt"

            # LDAP path to the disabled OU in Active Directory (replace with your own)
            $MoveToOU = [ADSI]"LDAP://OU=OU,OU=OU,OU=OU,OU=OU,DC=DC,DC=DC"

            $AUser = [ADSI]$ADSPath

            # Disable the account first, so that it is locked out even if the move fails
            $AUser.PSBase.InvokeSet("AccountDisabled", $true)
            $AUser.SetInfo()

            # Then move it to the disabled OU
            $AUser.PSBase.MoveTo($MoveToOU)

            "DisplayName " + $displayName + " – " + "Directorate " + $Dir >> $DisabledEmailSent
        }

——————————————————————————————————————

        # EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 80 DAYS

        if ($inActive -eq 80 -and $mail)
        {
            $emailFrom = "EMAIL FROM ACCOUNT"
            $emailTo = $mail
            $subject = "Portal Account Inactivity Reminder – Day 80"
            $body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 80 days. You must recover and log in with your account in the next 10 days or your account will be deleted on $warning.`r`n`r`nPlease go to URL OF REGISTER SITE for instructions on how to recover your CAC or username/password account. You can also contact the help desk via email at EMAIL OF HELP DESK if you have questions or need assistance.`r`n`r`nThank You."
            $smtpServer = "SMTP IP ADDRESS"
            $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
            $smtp.Send($emailFrom, $emailTo, $subject, $body)
        }

——————————————————————————————————————

        # EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 90 DAYS
        # Note: this step only sends the notification and records the user; the script does not delete the account.
        if ($inActive -eq 90)
        {
            if ($mail)
            {
                $email = New-Object System.Net.Mail.MailMessage
                $email.From = "EMAIL FROM ACCOUNT"
                $email.To.Add($mail)
                $email.Subject = "Portal Account Inactivity – Account Deleted"
                $email.Body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 90 days. Your account has been deleted.`r`n`r`nIf you still require a portal account please go to URL OF REGISTER SITE to request a CAC or username/password account. You can also contact the help desk via email at EMAIL OF HELP DESK if you have questions or need assistance.`r`n`r`nThank You."

                $smtpServer = "SMTP IP ADDRESS"
                $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

                $smtp.Send($email)
            }

            "DisplayName " + $displayName + " – " + "Directorate " + $Dir >> $DeletedEmailSent
        }

        # One tab-delimited row per processed user in the .csv file
        "$displayName`t$sam`t$phone`t$mail`t$inActive`t$lastLogon`t$Dir`t$dn`t$description" >> $logFile
    }
}

——————————————————————————————————————

# EMAIL ACCOUNT PROVISIONING ADMINS ON WHO WAS DISABLED OR DELETED, WITH ATTACHMENTS OF USERS AFFECTED.

$email = New-Object System.Net.Mail.MailMessage
$email.From = "EMAIL FROM ACCOUNT"
$email.To.Add("EMAIL OF ACCOUNT OWNERS")
$email.Subject = "Portal Accounts Report – Disabled and Deleted Accounts"
$email.Body = "The following Portal accounts have been Disabled or Deleted. These users have been notified. Please see the attached files for the accounts affected."

# Attach only the report files that were actually written this run;
# New-Object Net.Mail.Attachment throws if the file does not exist.
foreach ($report in $DisabledEmailSent, $DeletedEmailSent)
{
    if (Test-Path $report)
    {
        $email.Attachments.Add((New-Object Net.Mail.Attachment($report)))
    }
}

$smtpServer = "SMTP IP ADDRESS"
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($email)
# Release the file handles held by the attachments
$email.Dispose()

——————————————————————————————————————
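As an added example (my code, not part of the original script), here is how I would harden the three things the script above leans on. First, lastLogonTimeStamp is a FILETIME and is only written back to the directory when the stored value is more than about 14 days old (minus a random 0 to 5 days), so it can lag the user's real last logon by up to two weeks; it is fine for coarse staleness, not for exact day counts, and accounts that never logged on have no value at all. Second, mapping days inactive onto the 50/60/80/90 policy with ranges instead of exact day matches means one missed nightly run does not let an account skip a stage, provided the stages already applied are recorded. Third, the disable-and-move action supports -WhatIf so it can be dry-run before it is trusted. The LDAP paths are placeholders, the description stamp is my own convention, and the sample data at the bottom is constructed so the evaluation runs without a domain.

```powershell
# Added example, not the original script. LDAP paths below are placeholders.

function ConvertFrom-LastLogonTimeStamp {
    # lastLogonTimeStamp is a FILETIME (100 ns ticks since 1601-01-01 UTC);
    # FromFileTime converts it to local time in one step. Missing or zero means never logged on.
    param([AllowNull()][object]$Value)
    if ($null -eq $Value -or [Int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([Int64]$Value)
}

function Get-PortalInactivity {
    # Returns last logon, where it came from, and whole days inactive. Accounts that never
    # logged on are aged from whenCreated so an unused account is still caught by the policy.
    param(
        [AllowNull()][object]$LastLogonTimeStamp,       # raw Int64 from the search result, or $null
        [Parameter(Mandatory)][DateTime]$WhenCreated,
        [DateTime]$Now = (Get-Date)
    )
    $last = ConvertFrom-LastLogonTimeStamp $LastLogonTimeStamp
    $source = 'lastLogonTimeStamp'
    if ($null -eq $last) { $last = $WhenCreated; $source = 'whenCreated (never logged on)' }
    [pscustomobject]@{
        LastLogon    = $last
        Source       = $source
        DaysInactive = [int][math]::Floor(($Now - $last).TotalDays)
    }
}

function Get-PolicyStage {
    # Maps days inactive onto the 50/60/80/90 policy using ranges rather than exact day matches,
    # so a day on which the job did not run cannot let an account skip a stage.
    # $Done lists stages already applied (for example read back from the description stamp).
    param([Parameter(Mandatory)][int]$DaysInactive, [string[]]$Done = @())
    $stages = @(
        @{ Name = 'Warn50';    Min = 50; Max = 59 },
        @{ Name = 'Disable60'; Min = 60; Max = 79 },
        @{ Name = 'Warn80';    Min = 80; Max = 89 },
        @{ Name = 'Delete90';  Min = 90; Max = [int]::MaxValue }
    )
    foreach ($s in $stages) {
        if ($DaysInactive -ge $s.Min -and $DaysInactive -le $s.Max -and $Done -notcontains $s.Name) {
            return $s.Name
        }
    }
    return $null
}

function Disable-PortalUser {
    # Disable first, then move, and stamp the description so a reviewer can tell a policy
    # disable from a manual one. With -WhatIf nothing in AD is touched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$AdsPath,        # e.g. $result.Path from a DirectorySearcher hit
        [Parameter(Mandatory)][string]$DisabledOuPath  # placeholder: 'LDAP://OU=Disabled External Accounts,DC=example,DC=com'
    )
    $user = [ADSI]$AdsPath
    if ($PSCmdlet.ShouldProcess($AdsPath, "Disable and move to $DisabledOuPath")) {
        $user.PSBase.InvokeSet('AccountDisabled', $true)
        $user.Put('description', "Disabled $(Get-Date -Format 'yyyy-MM-dd') by portal inactivity policy (Disable60)")
        $user.SetInfo()
        $user.PSBase.MoveTo([ADSI]$DisabledOuPath)
    }
}

# Constructed sample data (no domain needed): one user idle for 62 days, one that never logged on.
$now   = Get-Date
$idle  = Get-PortalInactivity -LastLogonTimeStamp ($now.AddDays(-62).ToFileTime()) -WhenCreated $now.AddYears(-1) -Now $now
$never = Get-PortalInactivity -LastLogonTimeStamp $null -WhenCreated $now.AddDays(-95) -Now $now

$stage = Get-PolicyStage -DaysInactive $idle.DaysInactive
if ($stage -ne 'Disable60') { throw "unexpected stage for idle user: $stage" }
$stage = Get-PolicyStage -DaysInactive $idle.DaysInactive -Done 'Disable60'
if ($null -ne $stage) { throw "Disable60 should not be applied twice" }
$stage = Get-PolicyStage -DaysInactive $never.DaysInactive
if ($stage -ne 'Delete90') { throw "unexpected stage for never-logged-on user: $stage" }

$idle, $never | Format-Table LastLogon, Source, DaysInactive -AutoSize

# Dry run against placeholder paths; prints what would happen and makes no change.
Disable-PortalUser -AdsPath 'LDAP://CN=Jane Doe,OU=Portal Users,DC=example,DC=com' `
                   -DisabledOuPath 'LDAP://OU=Disabled External Accounts,DC=example,DC=com' -WhatIf
```

In the live script the two values Get-PortalInactivity needs come straight from the search result ($r.Properties['lastlogontimestamp'][0], or $null when that collection is empty, and $r.Properties['whencreated'][0]), and the search filter should be (&(objectCategory=person)(objectClass=user)) so that computer objects in the OU, which are also objectClass=user, are never evaluated.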

  1. October 15, 2015 at 1:21 pm

    Can you please update the script with the part that deletes the user account, as at 90 days we are sending an email but we have no commands that delete it. I think the script is similar in my case. Can you please help me with this?

  2. Satish
    November 9, 2015 at 1:36 pm

    Thank you so much for all the help. Sorry I checked it late. One great script!

  1. October 16, 2015 at 9:02 am
