PowerShell/QuickDisableUser.ps1 at main · jkingster/PowerShell · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
<#
.SYNOPSIS
This script disables an Active Directory user account by removing it from all non-ignored AD groups and moving it to a designated "Disabled" Organizational Unit (OU).

.DESCRIPTION
The script performs the following actions:
1. Prompts the administrator to input a username.
2. Searches Active Directory for the specified username.
3. Retrieves all AD groups the user is a member of.
4. Removes the user from all groups, except those specified in the `$IGNORED_AD_GROUP` array (e.g., "Domain Users").
5. Disables the user's account in Active Directory.
6. Moves the disabled user account to a predefined "Disabled" OU (`$DISABLED_OU`).

.PARAMETER $DISABLED_OU
Specifies the Distinguished Name (DN) of the OU where disabled users will be moved. Must be set prior to running the script.

.PARAMETER $IGNORED_AD_GROUP
Defines a list of AD groups that the user will not be removed from during the group removal process.
- Default is Domain Users.

.NOTES
- This script requires the Active Directory PowerShell module to be installed and imported.
- Ensure the script is executed with appropriate permissions to manage AD user accounts and groups.
- The `$DISABLED_OU` variable must be set with the target OU's DN for the script to work correctly.
#>

$DISABLED_OU = ""
$IGNORED_AD_GROUP = @("Domain Users")

Function Read-UsernameInput {
    $username = Read-Host -Prompt "Please enter the username to disable "

    if ([string]::IsNullOrWhiteSpace(($username))) {
        Write-Host "Could not read username: $username" -ForegroundColor RED
        return $null
    }

    return $username
}

Function Get-TargetADUser {
    param(
        [string]$username
    )

    Import-Module ActiveDirectory
    $user = Get-ADUser -Identity $username
    if ($null -eq $user) {
        Write-Host "Could not find user with username: $username" -ForegroundColor RED
        return $null
    }

    Write-Host "User: $username found! Continuing disable process." -ForegroundColor GREEN
    return $user
}

Function Invoke-GroupRemoval {
    param(
        [Microsoft.ActiveDirectory.Management.ADUser]$user
    )

    $groups = Get-ADPrincipalGroupMembership -Identity $user.SamAccountName
    if ($groups.Count -le 0) {
        Write-Host "$($user.SamAccountName) is in 0 groups. Proceeding with disabling." -ForegroundColor Green
        Invoke-UserDisable -user $user
        return
    }

    foreach ($group in $groups) {
        $groupName = $group.Name
        if ($IGNORED_AD_GROUP -contains $groupName) {
            Write-Host "Skipping Group: $groupName (ignored)" -ForegroundColor Cyan
            continue
        }

        Write-Host "Removing Group: $groupName" -ForegroundColor Yellow
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }

    Invoke-UserDisable -user $user
}

Function Invoke-UserDisable {
    param(
        [Microsoft.ActiveDirectory.Management.ADUser]$user
    )

    Write-Host "Disabling User: $($user.SamAccountName)" -ForegroundColor Yellow
    Set-ADUser -Identity $user -Enabled $false

    Write-Host "Moving user to disabled OU: $DISABLED_OU" -ForegroundColor Yellow
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DISABLED_OU
}

Function Start-DisableProcess {
    $username = Read-UsernameInput
    if ($null -eq $username) {
        Write-Host "Could not read username." -ForegroundColor Red
        return
    }

    $user = Get-TargetADUser -username $username
    if ($null -eq $user) {
        Write-Host "Could not find AD User." -ForegroundColor RED
        return
    }

    Invoke-GroupRemoval -user $user
}

Start-DisableProcess