Archive user

We have a script that does the following to "archive" a user. Kind of the opposite of the ARM onboarding template.

  • Renames login, email, proxy-email, profile path by appending -archive to those attributes.
  • Disables their account.
  • Removes them from selected groups.
  • Moves them into a separate OU.
  • Converts their mailbox to a shared mailbox.

Does ARM offer anything like this? Is anything in the works?
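The five steps in the question as one script with -WhatIf support, added here as an example (not the poster's script and not ARM's own code). It assumes the ActiveDirectory RSAT module, an Exchange session for Set-Mailbox, and the placeholder archive OU and suffix given in the parameters.

```powershell
# Added example, not from the thread or from ARM: the five archive steps from the
# question as one script with -WhatIf support. The archive OU and "-archive" suffix
# are placeholders; Set-Mailbox needs an Exchange (or Exchange Online) session.
[CmdletBinding(SupportsShouldProcess)]
param (
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $ArchiveOU = 'OU=Archived Users,DC=example,DC=com',  # placeholder
    [string] $Suffix    = '-archive'
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses, profilePath, memberOf, userPrincipalName
$id   = $user.ObjectGUID   # stable identity that survives the rename and the OU move

# 1. Group removal. memberOf does not include the primary group (Domain Users),
#    which Remove-ADGroupMember could not remove anyway.
foreach ($groupDn in $user.memberOf) {
    if ($PSCmdlet.ShouldProcess($groupDn, "Remove $SamAccountName")) {
        Remove-ADGroupMember -Identity $groupDn -Members $id -Confirm:$false
    }
}

# 2. Rename login, UPN, mail, proxy addresses and profile path by appending the suffix.
#    sAMAccountName is limited to 20 characters, so truncate only when needed.
$newSam = $SamAccountName + $Suffix
if ($newSam.Length -gt 20) { $newSam = $newSam.Substring(0, 20) }
$upnDomain = ($user.UserPrincipalName -split '@')[1]
if (-not $upnDomain) { $upnDomain = (Get-ADDomain).DNSRoot }   # account without a UPN
$attrs = @{ SamAccountName = $newSam; UserPrincipalName = "$SamAccountName$Suffix@$upnDomain" }
if ($user.mail)        { $attrs.EmailAddress = $user.mail.Replace('@', "$Suffix@") }
if ($user.profilePath) { $attrs.ProfilePath  = $user.profilePath + $Suffix }
$newProxies = @($user.proxyAddresses | ForEach-Object { $_.Replace('@', "$Suffix@") })
if ($newProxies.Count -gt 0) { $attrs.Replace = @{ proxyAddresses = $newProxies } }
if ($PSCmdlet.ShouldProcess($SamAccountName, "Rename to $newSam")) {
    Set-ADUser -Identity $id @attrs
}

# 3. Disable the account and 4. move it to the archive OU (the two steps ARM's
#    Soft Delete covers; included so the script also works on its own).
if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable and move to archive OU')) {
    Disable-ADAccount -Identity $id
    Move-ADObject -Identity $id -TargetPath $ArchiveOU
}

# 5. Convert the mailbox to a shared mailbox (Exchange cmdlet).
if ($PSCmdlet.ShouldProcess($SamAccountName, 'Convert mailbox to shared')) {
    Set-Mailbox -Identity $id.ToString() -Type Shared
}
```

Run it with -WhatIf first to see every group removal, rename and move it would perform without changing the account.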

  • Hi Nicholse,

    Of the things you listed, ARM currently supports disabling the account and moving it to a separate OU via the "Soft delete" action.

    But as part of that action you can also run a script that could do the other steps.

  • Thanks 8paul, how / where in ARM do I interact with this feature?

  • The Soft Delete action itself is available via right click on the account object. To run additional scripts when executing the action you need to configure the script in the "Scripting" section of the ARM config.

    Should look something like this:

  • I don't claim to be a PowerShell guru and I'm sure this has faults, but here is what I came up with. If you have something better, I'm all ears:

    param ($samaccountname)

    Import-Module ActiveDirectory

    # Get the current attributes before anything is changed.
    $User = Get-ADUser -Identity $samaccountname -Properties proxyAddresses, mail, memberOf

    # Remove the user from all groups. memberOf does not list the primary group
    # (Domain Users), which Remove-ADGroupMember cannot remove anyway.
    $User.memberOf | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false }

    # Build the new values here because doing it inline with Set-ADUser causes bad format.
    # Guard against a missing mail attribute.
    $Email = if ($User.mail) { $User.mail.Replace('@', '-archive@') } else { $null }

    # New proxyaddresses: the previous ones with "-archive" added before the @
    $proxyAddresses = @($User.proxyAddresses | ForEach-Object { $_.Replace('@', '-archive@') })

    # sAMAccountName can't exceed 20 chars; Substring(0,20) throws on shorter names,
    # so only truncate when needed.
    $newSam = $samaccountname + '-archive'
    if ($newSam.Length -gt 20) { $newSam = $newSam.Substring(0, 20) }

    # Rename the user's sAMAccountName and UPN by adding "-archive", set the mail
    # attribute, and replace the proxyaddresses with the rewritten ones in one call.
    $setParams = @{
        Identity          = $User
        SamAccountName    = $newSam
        UserPrincipalName = "$samaccountname-archive@thwack.com"
    }
    if ($Email) { $setParams.EmailAddress = $Email }
    if ($proxyAddresses.Count -gt 0) { $setParams.Replace = @{ proxyAddresses = $proxyAddresses } }
    Set-ADUser @setParams