What I don't like about this script:
1) It has to be run multiple times to process multiple staff. I'd prefer if I could input multiple employee numbers at once
2) It takes so long to search for the user. If I use the script, it can currently take 30s to find the employee. When I use ADUC to run the "(&(objectCategory=user)(objectClass=user)(employeeID=17688))" search, the results are immediate.
3) I'd like it to look through all the chosen employee numbers before replicating the domain.
5) The end of the PowerShell script calls a batch file because the syntax in the batch file didn't work in PowerShell. Can the batch file commands be included directly in the PowerShell script?
6) The batch file references all of our DCs to minimize replication latency. Can it be simplified while ensuring all DCs are hit ASAP?
Here is the PowerShell script:
#Disable User
# Add the Quest ActiveRoles Management Shell snap-in to recognize extended commands
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Take first commandline argument which is the employeeID and assign it to the $empID variable
$empID = $Args[0]

# Search for the EmployeeID and find the matching NTAccountName (NBDomain\*) [This takes about 30 seconds for 1400 users]
Write-Host "Searching for the User which matches Employee ID $empID, you have about 30 seconds to press Ctrl-C to cancel..."
$user = Get-QADUser -IncludedProperties employeeID,samaccountname -SizeLimit 0 | Where-Object { $_.employeeID -eq $empID }

# Find the matching SAMAccountname
$samaccountname = $user.samaccountname
# Find the matching DN
$SourceDN = $user.dn
# Set where the disabled account will be moved
$DestDN = "OU=Disabled Accounts,DC=domain,DC=Com"

# Set recipient limits to 0
Set-Mailbox -Identity $samaccountname -RecipientLimits 0
Write-Host "$user Recipient Limit set to 0."

# Disable all mailbox features except archive
Set-CASMailbox -Identity $samaccountname -OWAEnabled $false -EwsEnabled $false -ECPEnabled $false -MAPIEnabled $false -MAPIBlockOutlookRpcHttp $true -EwsAllowMacOutlook $false -EwsAllowOutlook $false
Set-CASMailbox -Identity $samaccountname -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false
Write-Host "$user Exchange features disabled."

# Block all devices associated with the mailbox:
$DeviceIDs = (Get-ActiveSyncDeviceStatistics -Mailbox $SourceDN | ForEach-Object { $_.DeviceID })
Set-CASMailbox -Identity $SourceDN -ActiveSyncBlockedDeviceIDs $DeviceIDs
Write-Host "$user All approved devices have been blocked."

# Remove all devices associated with the mailbox:
Set-CASMailbox -Identity $samaccountname -ActiveSyncAllowedDeviceIDs $null
Write-Host "$user All ActiveSync devices removed from mailbox."

# Disable the user
Disable-QADUser $user
Write-Host "$user account disabled."

# Move the user to the Disabled OU
dsmove $SourceDN -newparent $DestDN
Write-Host "$user account moved to Disabled OU."

Write-Host "Finished processing user $user"
Write-Host ""
Write-Host "Replicating the enterprise domain across sites..."
cd "C:\Users\username\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Admin Tools"
.\"Force DC replication.cmd"
cd "c:\scripts"
pause
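One way to address points 1 through 5 in a single PowerShell script, as an added example rather than the poster's own code: it takes several employee IDs on one command line, looks each one up with the server-side LDAP filter from point 2 instead of pulling every user and filtering client-side, finishes every account before replicating, and forces replication with repadmin from PowerShell itself. It assumes the Quest snap-in's Get-QADUser -LdapFilter and Move-QADObject, the Exchange cmdlets already used above, repadmin.exe on the admin workstation, and numeric employee IDs (the contents of "Force DC replication.cmd" are not shown on the page).

```powershell
# Added example (not the poster's script). Usage: .\Disable-Leavers.ps1 17688 17689 ...
param(
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
    [ValidatePattern('^\d+$')]   # assumption: employee IDs are numeric; also keeps the LDAP filter free of injected characters
    [string[]]$EmployeeIDs
)
Add-PSSnapin Quest.ActiveRoles.ADManagement
$DestDN = "OU=Disabled Accounts,DC=domain,DC=Com"

function Disable-Leaver {
    param([string]$EmpID)
    # Server-side filter: the DC indexes the search instead of the client scanning 1400 objects.
    $user = Get-QADUser -LdapFilter "(&(objectCategory=user)(objectClass=user)(employeeID=$EmpID))" `
                        -IncludedProperties employeeID,samaccountname
    if (-not $user) { Write-Warning "No user with employeeID $EmpID; skipping."; return $false }
    if (@($user).Count -gt 1) { Write-Warning "employeeID $EmpID matched more than one account; skipping."; return $false }
    $sam = $user.SamAccountName

    Set-Mailbox -Identity $sam -RecipientLimits 0
    Set-CASMailbox -Identity $sam -OWAEnabled $false -EwsEnabled $false -ECPEnabled $false -MAPIEnabled $false `
                   -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false
    # Block, then clear, any ActiveSync partnerships so a phone cannot keep syncing.
    $devices = Get-ActiveSyncDeviceStatistics -Mailbox $user.DN | ForEach-Object { $_.DeviceID }
    if ($devices) { Set-CASMailbox -Identity $user.DN -ActiveSyncBlockedDeviceIDs $devices }
    Set-CASMailbox -Identity $sam -ActiveSyncAllowedDeviceIDs $null

    Disable-QADUser $user | Out-Null
    # Quest cmdlet replaces the dsmove call, so no external tool or batch file is needed here.
    Move-QADObject -Identity $user.DN -NewParentContainer $DestDN | Out-Null
    Write-Host "$sam disabled and moved to $DestDN."
    return $true
}

$done = @()
foreach ($id in $EmployeeIDs) {
    if (Disable-Leaver -EmpID $id) { $done += $id }
}

# Replicate once, only after every requested account has been processed.
if ($done.Count -gt 0) {
    Write-Host "Replicating for employee IDs: $($done -join ', ')"
    # /A all partitions, /d show DNs, /e include every site, /P push from this DC outward.
    & repadmin.exe /syncall /AdeP
}
```

repadmin /syncall with /e walks every DC in the forest through the replication topology, so the list of DC names in the batch file is not needed to reach them all.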