Disable a User w/ O365

Going along with the current theme, we need to be able to disable a user. This script is set up for administrators whose environment is integrated with O365 & Exchange Online. It does the same thing as the other Disable a User script, but forwards the emails on Exchange Online instead of Exchange On-Premises.

#(Module 2.02)
Import-Module activedirectory
Import-Module MSOnline

$un = Read-Host "Who are we disabling today? (Login Credentials)" #(Module 2.03)
$man = Read-Host "Who are we forwarding mail to? (Login Credentials)" #(Module 2.04)
$auth = Read-Host "Who are you? (Login Credentials)" #(Module 2.05)

#Resets the old user's password (Module 2.06)
Set-ADAccountPassword -Identity $un -Reset -NewPassword (Read-Host -AsSecureString "Account Password")

#Connects to Exchange Online, forwards the user's email account to their supervisor/manager, then disconnects from the Exchange box
$cred = Get-Credential -Message "Exchange Online admin credentials" #$cred is used below but was never defined earlier
#Note: Basic authentication against this endpoint has since been retired by Microsoft; Connect-ExchangeOnline (ExchangeOnlineManagement module) is the supported replacement
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -Credential $cred -AllowRedirection #(Module 2.07-Part 1)
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null #(Module 2.07-Part 2)
Set-Mailbox $un -ForwardingAddress $man -RemovePicture #Sets the forwarding address to the manager and removes their picture (Module 2.08)
Remove-PSSession -Session $mail #Disconnects from the Exchange box (Module 2.09)

#Removes License in O365
Connect-MsolService #(Module 2.10)
#Caveat: removing the license soft-deletes the mailbox (and with it the forwarding set above) after 30 days; converting it to a shared mailbox first keeps it without a license
Set-MsolUserLicense -UserPrincipalName (-join($un,'@<MyDomain>.com')) -RemoveLicenses '<TenantName>:<SkuPartNumber>' #-RemoveLicenses needs the AccountSkuId to remove (see Get-MsolAccountSku); the value here is a placeholder (Module 2.11)

$dt = get-date #Gets Date & Time (Module 2.12)
$authn = Get-ADUser $auth -Properties DisplayName | select -ExpandProperty DisplayName #Gets the administrators name
$unn = Get-ADUser $un -Properties DisplayName | select -ExpandProperty DisplayName #Gets the disabled users name
$mann = Get-ADUser $man -Properties DisplayName | select -ExpandProperty DisplayName #Gets the managers name

$report = "Human Resources,

The user account for $unn ($un) has been disabled from the company network as of $dt. All email messages will be forwarded to $mann ($man) from now on.

Regards,

$authn ($auth)"
#(Module 2.13)

Send-MailMessage -To 'HR@<MyDomain>.com', 'IT@<MyDomain>.com' -Subject "Disconnected User Report" -Body $report -From 'IT@<MyDomain>.com' -SmtpServer '<YourExchangeURI>' #Placeholders are quoted so the script parses; replace them with your own values (Module 2.14)
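As an added example (not the author's code): the same forwarding step done with Microsoft's ExchangeOnlineManagement module, which replaced the Basic-auth remote session the script above opens (Basic authentication to Exchange Online PowerShell has been retired). It assumes the module is installed, the caller holds Exchange Administrator rights, and the function and parameter names are my own.

```powershell
<#
Added example, not from the original post. Offboards a mailbox in Exchange Online using the
ExchangeOnlineManagement module instead of the retired Basic-auth New-PSSession endpoint.
Assumptions: Install-Module ExchangeOnlineManagement has been run, the caller has Exchange
Administrator rights, and $un/$man/$auth are the usernames the script above reads in.
#>
function Set-OffboardedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # leaver, e.g. smithj@<MyDomain>.com (placeholder)
        [Parameter(Mandatory)] [string] $ForwardTo,           # manager's mailbox identity
        [Parameter(Mandatory)] [string] $AdminUpn             # admin signing in (modern auth, MFA-capable)
    )

    Import-Module ExchangeOnlineManagement -ErrorAction Stop
    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

    try {
        $mbx = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop

        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "forward mail to $ForwardTo and block client access")) {
            # Forward only: no copy stays in the leaver's mailbox, so nothing accumulates there.
            Set-Mailbox -Identity $mbx.Identity -ForwardingAddress $ForwardTo `
                -DeliverToMailboxAndForward $false -RemovePicture

            # Cut off every client protocol; a reset password alone leaves cached sessions and devices working.
            Set-CASMailbox -Identity $mbx.Identity -ActiveSyncEnabled $false -OWAEnabled $false `
                -ImapEnabled $false -PopEnabled $false -MAPIEnabled $false -EwsEnabled $false

            # A shared mailbox keeps the data and the forwarding rule without a license (under 50 GB),
            # so the license can be removed afterwards without the mailbox being deleted.
            Set-Mailbox -Identity $mbx.Identity -Type Shared
        }

        # Return the resulting state so the calling script can record it in its HR report.
        Get-Mailbox -Identity $UserPrincipalName |
            Select-Object PrimarySmtpAddress, RecipientTypeDetails, ForwardingAddress, DeliverToMailboxAndForward
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage (placeholder domain); -WhatIf shows the planned changes without applying them:
# Set-OffboardedMailbox -UserPrincipalName "$un@<MyDomain>.com" -ForwardTo $man -AdminUpn "$auth@<MyDomain>.com" -WhatIf
```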

Create a User w/ O365

This script is a modification of my other script. This one does pretty much the same thing, except that it waits about 30 minutes for an AD Sync to occur before it creates the new user’s mailbox in O365. It also manages mailbox sizes depending on the user’s position: management, IT, or an ordinary user.

Prerequisites:

Microsoft’s Remote Server Administration Tool
Microsoft Online Services Sign-in Assistant
Windows Azure Active Directory Module for Windows PowerShell 64-bit

#Imports the AD & O365 Modules (Module 1.02)
Import-Module activedirectory
Import-Module MSOnline

#Sets Variables (Module 1.03)
$fn = $null #First Name
$ln = $null #Last Name
$title = $null
$dep = $null #Department
$loc = $null #Location
$man = $null #Manager
$un = $null #Username
$officePhone = $null
$streetAdd = $null
$city = $null
$ZIP = $null
$fi = $null #First Name Initial, will be used to figure out Username

#Getting information (Module 1.04)
Write-Host "I need some information from you first. Answer the following questions to get started."
$fn = Read-host "First Name?"
$ln = Read-Host "Last Name?"
$title = Read-Host "Title?"
$dep = Read-Host "Department?"
$man = Read-Host "Manager (Username)?"
$loc = Read-Host "Loc1 or Loc2?"

#Finding out the Username (Module 1.05)
$fi = $fn.Substring(0,1)
$un = -join ($ln, $fi)

#Sets Location information (Module 1.06)
if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
    $officePhone = "(999) 999-9999";
    $streetAdd = "123 Anywhere Drive";
    $city = "YourTown";
    $ZIP = "12345";
} else { #If the user is in Loc2; PowerShell requires 'else' on the same line as the closing brace (Module 1.08)
    $officePhone = "(987) 654-3210";
    $streetAdd = "987 Nothere Blvd";
    $city = "Somewhere Else";
    $ZIP = "98765";
}

#Sets Password (Module 1.09)
$passwd = (Read-Host -AsSecureString "Account Password")
$password = ConvertFrom-SecureString -SecureString $passwd #DPAPI-encrypted string form of the password; not used further below

$userParams = @{ #(Module 1.10)
    'Name' = $un;
    'Enabled' = $true;
    'AccountPassword' = $passwd;
    'UserPrincipalName' = -join ($un, "@mycompany.com");
    'SamAccountName' = $un;
    'ChangePasswordAtLogon' = $false;
    'GivenName' = $fn;
    'Surname' = $ln;
    'DisplayName' = -join ($fn, " ", $ln);
    'Description' = $title;
    'OfficePhone' = $officePhone;
    'StreetAddress' =  $streetAdd;
    'City' = $city;
    'State' = "Texas";
    'PostalCode' = $ZIP;
    'Title' = $title;
    'Department' = $dep;
    'Company' = 'MyCompany';
    'Manager' = $man;
}

#Creates the user in AD (Module 1.11)
New-ADUser @userParams

#Wait for the account to be created before doing anything else (Module 1.12)
Start-Sleep -Seconds 10

#Makes the user's network drive and scan folder (Module 1.13)
if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.14)
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates the user's network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates the user's scan folder
} else { #If the user is in Loc2; the share path is a placeholder, substitute the Loc2 share (Module 1.15)
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates the user's network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates the user's scan folder
}

#Adds the user to the correct Security Group for permissions and other network drives
#('elseif'/'else' must follow the closing brace on the same line, so the per-branch comments sit on the opening line)
if ($dep -eq "Accounting") { #Adds the user to the Accounting Group (Module 1.16)
    Add-ADGroupMember -Identity 'Accounting' -Members $un #(Module 1.17)
} elseif ($dep -eq "Customer Service") { #Adds the user to the Customer Service Group (Module 1.18)
    Add-ADGroupMember -Identity 'Customer Service' -Members $un #(Module 1.19)
} elseif ($dep -eq "Executives") { #Adds the user to the Executives Group (Module 1.20)
    Add-ADGroupMember -Identity 'Executives' -Members $un #(Module 1.21)
} elseif ($dep -eq "HR") { #Adds the user to the Human Resources Group (Module 1.22)
    Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.23)
} elseif ($dep -eq "Human Resources") { #Adds the user to the Human Resources Group (Module 1.24)
    Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.25)
} elseif ($dep -eq "IT") { #Adds the user to the Domain Admins Group for IT (Module 1.26)
    #Caveat: this gives every new IT hire full control of the domain; a tiered admin group holding only the rights the role needs is the least-privilege option
    Add-ADGroupMember -Identity 'Domain Admins' -Members $un #(Module 1.27)
} elseif ($dep -eq "Maintenance") { #Adds the user to the Maintenance Group (Module 1.28)
    Add-ADGroupMember -Identity 'MaintGroup' -Members $un #(Module 1.29)
} elseif ($dep -eq "Production") { #Adds the user to the Production Group (Module 1.30)
    Add-ADGroupMember -Identity 'Production' -Members $un #(Module 1.31)
} elseif ($dep -eq "QA") { #Adds the user to the QA Group (Module 1.32)
    Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.33)
} elseif ($dep -eq "Quality Assurance") { #Adds the user to the QA Group (Module 1.34)
    Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.35)
} elseif ($dep -eq "Shipping") { #Adds the user to the Shipping Group (Module 1.36)
    Add-ADGroupMember -Identity 'SHIP' -Members $un #(Module 1.37)
} else { #Dumps the user to the Domain Users Group, which is already every new account's primary group (Module 1.38)
    Add-ADGroupMember -Identity 'Domain Users' -Members $un #(Module 1.39)
}

$manfn = Get-ADUser $man -Properties Name | select Name #Gets the manager's name (Module 1.40)

#Creates a report of the User's information
$report = "Hello $fn $ln,

From the IT Department, welcome to <MyCompany>. We
are here to help you connect to the resources that you need for
your job. If you need assistance with technology, please feel
free to contact us at either the help page, which is set as your
home page in Internet Explorer, email us at
<IT-mailbox>@<MyCompany>.com, or call us at extension 4357.

Below you will find your information so that you can log in to
the network and get started:

Your username is domain\$un
Your password is
Your email address is $un@<MyCompany>.com
Your phone number is $officePhone Ext.

It is suggested that you change your password to something that
you can remember but difficult enough that somebody else cannot
figure out. The requirement is only 6 characters, but we do
advise making it longer; throw some numbers and special
characters in there as well to make it stronger. The best advice
would be to use a pass-PHRASE instead of a pass-WORD.

Your computer should already be set up with your email loaded and
your network drives. At <MyCompany>, we use Microsoft
Outlook as the email client. Which drives you have available
depends on what department you are in.
Generally, everybody will have an F: drive and a G: drive. The
F: drive is your network folder. Place in there the documents
that you feel you cannot do your job without. In the F: drive
will be a scan folder. When you go to the Xerox to scan in
documents, you will find them in your scan folder. The G:
drive is a company-wide shared folder. As for your department
drives, it would be best to talk with $($manfn.name),
your supervisor/manager, about the nature and uses of these drives.

The use of the equipment and resources provided is a privilege
and should not be taken advantage of. There are
measures in place that allow us to manage the network. Do
not assume that there is any personal privacy on this network.
The only privacy that you can assume is for the nature of your
work. All information (including emails, documents,
spreadsheets, pictures, etc.) contained on the equipment
provided and on the network is the sole property of MyCompany.

If you have problems with your equipment or network resources,
please feel free to ask. We do not mind helping, but we cannot
help if we do not know, so please ask!

Sincerely,


Your IT Department"


if ($loc -eq "Loc1") { #Prints the welcome letter on the default printer (Module 1.43)
    Write-Output $report | Out-Printer
} else { #Prints it on the Loc2 printer (Module 1.44)
    Write-Output $report | Out-Printer -Name '\\server\Xerox WorkCentre 4260'
}

#Invoke a Sync on the Azure AD Connect server so the new account reaches O365 (Module 1.45)
Invoke-Command -ComputerName '<ADSync Server>' {Start-ADSyncSyncCycle -PolicyType Delta} #Placeholder host name, quoted so the script parses
Start-Sleep -Seconds 60

#Connect to O365 and license the user
Connect-MsolService #(Module 1.46)
Set-MsolUser -UserPrincipalName (-join($un,'@<MyCompany>.com')) -UsageLocation 'US' #A usage location must be set before a license can be assigned; 'US' is assumed from the Texas address above
Set-MsolUserLicense -UserPrincipalName (-join($un,'@<MyCompany>.com')) -AddLicenses '<TenantName>:<SkuPartNumber>' #-AddLicenses needs the AccountSkuId (see Get-MsolAccountSku); the value here is a placeholder (Module 1.47)

#Connects to Exchange Online, creates the user's email account, then disconnects from the Exchange box
$cred = Get-Credential -Message "Exchange Online admin credentials" #$cred is used below but was never defined earlier
#Note: Basic authentication against this endpoint has since been retired by Microsoft; Connect-ExchangeOnline (ExchangeOnlineManagement module) is the supported replacement
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -AllowRedirection -Authentication Basic -Credential $cred #(Module 1.48-Part 1)
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null #(Module 1.48-Part 2)
#Creates the user's mailbox (Module 1.49). In Exchange Online the mailbox is actually provisioned by the license assignment above, so this call is kept from the original but may report the mailbox as already present
Enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn," ",$ln))
if ($dep -eq "Executives") { #If they are an executive, then they get 20 GB of mailbox space (Module 1.50)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 19.5GB -ProhibitSendReceiveQuota 20GB -IssueWarningQuota 19GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.51)
} elseif ($dep -eq "IT") { #IT gets the full mailbox, of course (Module 1.52)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) #No quota change; the default 50 GB applies (Module 1.53)
} else { #Otherwise, everybody else gets 10 GB of mailbox space (Module 1.54)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 9.5GB -ProhibitSendReceiveQuota 10GB -IssueWarningQuota 9GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.55)
}
Remove-PSSession -Session $mail #Disconnects from the Exchange box (Module 1.56)

Disabling a User

It’s hard to create a user, but it’s REALLY easy to disable a user’s account. That is exactly what this script does. Well…it doesn’t “disable” the user’s account, but it does make it impossible for the user to log in to the network without help from IT. Basically, this script will ask 4 things of you: who you are disabling, who their manager is, who you are, and a password to change the user’s account to. It will then create an email to be sent to you and HR, informing HR of who changed the user’s password, and when. That way they can be assured that all technical resources owned by the company are kept safe as the user leaves the network, if not the company.

This script assumes a few things:
1) You at least have Exchange Admin rights in order to connect and send the email.
2) You have Domain Admin rights in order to change the user’s password.
3) You have 2 distribution groups (HR & IT) with the necessary personnel in each group.
4) Your Exchange server is on premises.

As usual, everything is commented and sterilized for your usage.

Import-Module activedirectory

$un = Read-Host "Who are we disabling today? (Login Credentials)" #username
$man = Read-Host "Who are we forwarding mail to? (Login Credentials)" #manager's username
$auth = Read-Host "Who are you? (Login Credentials)"

#Resets the old user's password
Set-ADAccountPassword -Identity $un -Reset -NewPassword (Read-Host -AsSecureString "Account Password")

#Connects to the Exchange box, forwards the user's email account to their supervisor/manager, then disconnects from the Exchange box
$cred = Get-Credential -Message "Exchange admin credentials" #$cred is used below but was never defined earlier; with Kerberos you can also drop -Credential and use the current logon
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Exchange/powershell -Name Exchange -Authentication Kerberos -Credential $cred
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
Set-Mailbox $un -ForwardingAddress $man -RemovePicture #Sets the forwarding address to the manager and removes their picture
Remove-PSSession -Session $mail #Disconnects from the Exchange box

$dt = get-date #Gets Date & Time
$authn = Get-ADUser $auth -Properties DisplayName | select -ExpandProperty DisplayName #Gets the administrators name
$unn = Get-ADUser $un -Properties DisplayName | select -ExpandProperty DisplayName #Gets the disabled users name
$mann = Get-ADUser $man -Properties DisplayName | select -ExpandProperty DisplayName #Gets the managers name

$report = "Human Resources,

The user account for $unn ($un) has been disabled from the company network as of $dt. All email messages will be forwarded to $mann ($man) from now on.

Regards,

$authn ($auth)"

Send-MailMessage -To 'HR@<MyDomain>.com', 'IT@<MyDomain>.com' -Subject "Disconnected User Report" -Body $report -From 'IT@<MyDomain>.com' -SmtpServer Exchange #Replace the <MyDomain> placeholders with the HR and IT distribution group addresses
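As an added example (not part of the original post): an on-premises offboarding function that goes the step further the script above deliberately stops short of. It disables the account, rotates the password to a random value nobody knows, removes the explicit group memberships (so a 'Domain Admins' membership does not outlive the employee) and moves the object, while recording what it removed. The function name, its parameters and the Disabled OU path are assumptions.

```powershell
<#
Added example, not the author's code. Offboards an on-premises AD account: disable, random
password, strip group memberships, move to a holding OU, and return an audit record.
Assumptions: ActiveDirectory module available, Domain Admin rights, and an OU for disabled
accounts whose DN is passed in (the value in the usage line is a placeholder).
#>
function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisabledOU,   # e.g. 'OU=Disabled Users,DC=<MyDomain>,DC=com'
        [Parameter(Mandatory)] [string] $Operator      # admin's username, kept for the audit trail
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description -ErrorAction Stop
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
    $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm'

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'disable, rotate password, remove groups')) { return }

    # Random 24-byte password from the CSPRNG: nobody, including the operator, can sign in with it.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

    # Actually disable the account; a password reset alone leaves Kerberos tickets and cached logons valid.
    Disable-ADAccount -Identity $user

    # Explicit group memberships go; the primary group (Domain Users) stays and needs no handling.
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }

    # Leave a restore record on the object itself (the 'info' attribute is free text).
    $note = "Disabled $stamp by $Operator; former groups: $($groups -join ', ')"
    Set-ADUser -Identity $user -Replace @{ info = $note } -Description "Disabled $stamp"

    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

    # Return a record the calling script can drop into its HR e-mail.
    [pscustomobject]@{
        User          = $user.SamAccountName
        DisabledAt    = $stamp
        DisabledBy    = $Operator
        GroupsRemoved = $groups
        MovedTo       = $DisabledOU
    }
}

# Usage with the script's own variables (placeholder OU); -WhatIf previews without changing anything:
# Disable-LeaverAccount -SamAccountName $un -DisabledOU 'OU=Disabled Users,DC=<MyDomain>,DC=com' -Operator $auth -WhatIf
```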

Creating a User

User management is important in any organization, especially one with Active Directory deployed in its environment. Any automation can be very helpful in saving time, reducing errors, and making sure that all of the tasks involved in creating a user are completed.

I understand that this whole script will not suit everybody, but I know that there are pieces in here that are going to be more valuable to some than others. If there is anything in here that would provide value to you, by all means, you are more than welcome to use it. The whole script is commented and is sectioned off into modules that relate to a flowchart for this script. Maybe one day I can post the flowchart as well. This one is designed to interact with an Exchange server that is on-premises (in house, not O365/Exchange Online). I do have another script similar to this one, but it is written for O365/Exchange Online instead of Exchange On-Premises.

#Imports the AD module
Import-Module activedirectory

#Sets Variables
$fn = $null #First Name
$ln = $null #Last Name
$title = $null
$dep = $null #Department
$loc = $null #Location
$man = $null #Manager
$un = $null #Username
$officePhone = $null
$streetAdd = $null
$city = $null
$ZIP = $null
$fi = $null #First Name Initial, will be used to figure out Username

#Getting information
$fn = Read-host "First Name?"
$ln = Read-Host "Last Name?" #Special characters have not been tested. I would suggest not using special characters in last names in AD. In theory, it's probably okay, but I have not yet tested it.
$title = Read-Host "Title?"
$dep = Read-Host "Department?"
$man = Read-Host "Manager (Username)?"
$loc = Read-Host "Loc1 or Loc2?" #If you need to add locations, make sure that you also edit modules 1.06 - 1.08 to conform to the new logic.

#Finding out the Username
$fi = $fn.Substring(0,1)
$un = -join ($ln, $fi)

#Sets Location information (Module 1.06)
if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
    $officePhone = "(999) 999-9999";
    $streetAdd = "123 Anywhere Drive";
    $city = "YourTown";
    $ZIP = "12345";
} else { #If the user is in Loc2; PowerShell requires 'else' on the same line as the closing brace (Module 1.08)
    $officePhone = "(987) 654-3210";
    $streetAdd = "987 Nothere Blvd";
    $city = "Somewhere Else";
    $ZIP = "98765";
}

#Sets Password
$passwd = (Read-Host -AsSecureString "Account Password")
$password = ConvertFrom-SecureString -SecureString $passwd #DPAPI-encrypted string form of the password; not used further below

$userParams = @{
    'Name' = $un;
    'Enabled' = $true;
    'AccountPassword' = $passwd;
    'UserPrincipalName' = -join ($un, "@<MyCompany>.com"); #Placeholder domain
    'SamAccountName' = $un;
    'ChangePasswordAtLogon' = $false;
    'GivenName' = $fn;
    'Surname' = $ln;
    'DisplayName' = -join ($fn," ",$ln);
    'Description' = $title;
    'OfficePhone' = $officePhone;
    'StreetAddress' = $streetAdd;
    'City' = $city;
    'State' = "Texas";
    'PostalCode' = $ZIP;
    'Title' = $title;
    'Department' = $dep;
    'Company' = '<MyCompany>'; #Placeholder
    'Manager' = $man;
}

#Creates the user in AD
New-ADUser @userParams

#Wait for the account to be created before doing anything else
Start-Sleep -Seconds 10

#Makes the user's network drive and scan folder (no explicit permissions are set here; the new folders inherit the share's ACL)
if ($loc -eq "Loc1") { #If the user is in Loc1
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates the user's network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates the user's scan folder
} else { #If the user is in Loc2; the share path is a placeholder, substitute the Loc2 share
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates the user's network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates the user's scan folder
}

#Adds the user to the correct Security Group for permissions and other network drives
#('elseif'/'else' must follow the closing brace on the same line, so the per-branch comments sit on the opening line)
if ($dep -eq "Accounting") { #Adds the user to the Accounting Group
    Add-ADGroupMember -Identity 'Accounting' -Members $un
} elseif ($dep -eq "Customer Service") { #Adds the user to the Customer Service Group
    Add-ADGroupMember -Identity 'Customer Service' -Members $un
} elseif ($dep -eq "HR") { #Adds the user to the Human Resources Group
    Add-ADGroupMember -Identity 'Human Resources' -Members $un
} elseif ($dep -eq "Human Resources") { #Adds the user to the Human Resources Group
    Add-ADGroupMember -Identity 'Human Resources' -Members $un
} elseif ($dep -eq "IT") { #Adds the user to the Domain Admins Group for IT
    #Caveat: this gives every new IT hire full control of the domain; a tiered admin group holding only the rights the role needs is the least-privilege option
    Add-ADGroupMember -Identity 'Domain Admins' -Members $un
} elseif ($dep -eq "Maintenance") { #Adds the user to the Maintenance Group
    Add-ADGroupMember -Identity 'MaintGroup' -Members $un
} elseif ($dep -eq "Production") { #Adds the user to the Production Group
    Add-ADGroupMember -Identity 'Production' -Members $un
} elseif ($dep -eq "QA") { #Adds the user to the QA Group
    Add-ADGroupMember -Identity 'QA Group' -Members $un
} elseif ($dep -eq "Quality Assurance") { #Adds the user to the QA Group
    Add-ADGroupMember -Identity 'QA Group' -Members $un
} elseif ($dep -eq "Shipping") { #Adds the user to the Shipping Group
    Add-ADGroupMember -Identity 'SHIP' -Members $un
} else { #Dumps the user to the Domain Users Group, which is already every new account's primary group
    Add-ADGroupMember -Identity 'Domain Users' -Members $un
}

#Connects to the Exchange box, creates the user's email account, then disconnects from the Exchange box
$cred = Get-Credential -Message "Exchange admin credentials" #$cred is used below but was never defined earlier; with Kerberos you can also drop -Credential and use the current logon
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange/powershell -Name Exchange -Authentication Kerberos -Credential $cred
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
Enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn," ",$ln)) #Creates the user's mailbox
Remove-PSSession -Session $mail #Disconnects from the Exchange box

$manfn = Get-ADUser $man -Properties GivenName | select GivenName #Gets the managers first name
$manln = Get-ADUser $man -Properties SurName | select SurName #Gets the managers last name

#Creates a report of the User's information
$report = "Hello $fn $ln,

From the IT Department, welcome to <MyCompany>. We
are here to help you connect to the resources that you need for
your job. If you need assistance with technology, please feel
free to contact us at either the help page, which is set as your
home page in Internet Explorer, email us at
<IT-mailbox>@<MyCompany>.com, or call us at extension 4357.

Below you will find your information so that you can log in to
the network and get started:

Your username is <domain>\$un
Your password is
Your email address is $un@<MyCompany>.com
Your phone number is $officePhone Ext.

It is suggested that you change your password to something that
you can remember but difficult enough that somebody else cannot
figure out. The requirement is only 6 characters, but we do
advise making it longer; throw some numbers and special
characters in there as well to make it stronger. The best advice
would be to use a pass-PHRASE instead of a pass-WORD.

Your computer should already be set up with your email loaded and
your network drives. At <MyCompany>, we use Microsoft
Outlook as the email client. Which drives you have available
depends on what department you are in.
Generally, everybody will have an F: drive and a G: drive. The
F: drive is your network folder. Place in there the documents
that you feel you cannot do your job without. In the F: drive
will be a scan folder. When you go to the Xerox to scan in
documents, you will find them in your scan folder. The G:
drive is a company-wide shared folder. As for your department
drives, it would be best to talk with $($manfn.GivenName) $($manln.Surname),
your supervisor/manager, about the nature and uses of these drives.

The use of the equipment and resources provided is a privilege
and should not be taken advantage of. There are
measures in place that allow us to manage the network. Do
not assume that there is any personal privacy on this network.
The only privacy that you can assume is for the nature of your
work. All information (including emails, documents,
spreadsheets, pictures, etc.) contained on the equipment
provided and on the network is the sole property of <MyCompany>.

If you have problems with your equipment or network resources,
please feel free to ask. We do not mind helping, but we cannot
help if we do not know, so please ask!

Sincerely,

Your IT Department"

if ($loc -eq "Loc1") { #Prints the welcome letter on the Loc1 printer (placeholder path)
    Write-Output $report | Out-Printer -Name '\\server\Printer'
} else { #Prints it on the Loc2 printer (placeholder path)
    Write-Output $report | Out-Printer -Name '\\server\Printer'
}
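As an added example (not the author's code) for the username derivation both Create scripts use (last name + first initial): the same rule, but handling the special-character case the comment above leaves untested, the 20-character sAMAccountName limit, and a name that is already taken. The function name is mine; the sample names and the $taken list are constructed so it can be exercised without a domain.

```powershell
<#
Added example, not from the original post. Builds the sAMAccountName the scripts derive as
last name + first initial, normalizing characters AD will not accept, enforcing the
20-character limit, and appending a counter on collision. The existence check is injected
as a script block so the function can run offline; the default queries AD.
#>
function New-SamAccountName {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        # Returns $true when a candidate already exists. Default queries AD; override for testing.
        [scriptblock] $Exists = { param($name) [bool](Get-ADUser -Filter "SamAccountName -eq '$name'") }
    )

    # Strip accents: decompose to base letter + combining mark, then drop the marks.
    $clean = {
        param([string] $s)
        $d = $s.Normalize([Text.NormalizationForm]::FormD)
        $keep = $d.ToCharArray() | Where-Object {
            [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [Globalization.UnicodeCategory]::NonSpacingMark
        }
        # Keep only ASCII letters and digits; removes spaces, apostrophes and hyphens (O'Brien -> obrien).
        ((-join $keep).ToLowerInvariant() -replace '[^a-z0-9]', '')
    }

    $ln = & $clean $LastName
    $f  = & $clean $FirstName
    if (-not $ln -or -not $f) { throw "Name '$FirstName $LastName' leaves no usable characters" }
    $fi = $f.Substring(0, 1)

    # sAMAccountName is limited to 20 characters; leave room for a 2-digit collision suffix.
    $base = $ln.Substring(0, [Math]::Min($ln.Length, 17)) + $fi
    $candidate = $base
    $n = 1
    while (& $Exists $candidate) {
        $n++
        if ($n -gt 99) { throw "No free username for base '$base'" }
        $candidate = "$base$n"
    }
    return $candidate
}

# Offline demonstration against a constructed list of taken names instead of a live domain:
$taken = @('smithj', 'smithj2', 'obriens')
$fake  = { param($name) $taken -contains $name }
New-SamAccountName -FirstName 'John' -LastName 'Smith'               -Exists $fake
New-SamAccountName -FirstName 'Seán' -LastName "O'Brien"             -Exists $fake
New-SamAccountName -FirstName 'Zoë'  -LastName 'Müller-Lüdenscheidt' -Exists $fake
```

In the scripts above the call would be `$un = New-SamAccountName -FirstName $fn -LastName $ln`, with the default check querying AD.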