Archive user

We have a script that does the following to "archive" a user. Kind of the opposite of the ARM onboarding template.

  • Renames login, email, proxy-email, profile path by appending -archive to those attributes.
  • Disables their account.
  • Removes them from selected groups.
  • Moves them into a separate OU.
  • Converts their mailbox to a shared mailbox.

Does ARM offer anything like this? Is anything in the works?

Parents
  • Hi Nicholse,

    Of the things you listed, ARM does currently support disabling the account and moving it to a separate OU via the "Soft delete" action.

    But as part of that action you can also additionally run a script which could do the other steps.

  • I don't claim to be a PowerShell guru and I'm sure this has faults, but here is what I came up with. If you have something better, I'm all ears:

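    param ($samaccountname)

    Import-Module ActiveDirectory

    #get the user with the existing proxyaddresses, mail and primary group
    $User = Get-ADUser -Identity $samaccountname -Properties proxyAddresses, mail, primaryGroup

    #remove the user from all groups
    #the primary group (usually Domain Users) is skipped because Remove-ADGroupMember fails on it
    #Get-ADPrincipalGroupMembership $samaccountname
    Get-ADPrincipalGroupMembership $samaccountname |
        Where-Object { $_.DistinguishedName -ne $User.primaryGroup } |
        ForEach-Object { Remove-ADGroupMember $_ -Members $samaccountname -Confirm:$false }

    #do this here because doing it inline with set-aduser causes bad format
    #guard against an empty mail attribute and build a plain string array for proxyaddresses
    $Email = if ($User.mail) { $User.mail.Replace('@','-archive@') }
    $proxyAddresses = [string[]]@($User.proxyAddresses | ForEach-Object { $_.Replace('@','-archive@') })

    #samaccount name can't exceed 20 char, so truncate only when the new name is longer
    #(substring(0,20) throws on shorter strings)
    $NewSam = "$samaccountname-archive"
    if ($NewSam.Length -gt 20) { $NewSam = $NewSam.Substring(0,20) }

    #clear the proxyaddresses
    Set-ADUser $samaccountname -Clear proxyAddresses

    #set the new proxyaddresses with a + -archive to the previous ones
    #rename the user's samaccount name and upn by adding "-archive"
    $Changes = @{
        Identity          = $samaccountname
        SamAccountName    = $NewSam
        UserPrincipalName = "$samaccountname-archive@thwack.com"
    }
    if ($Email) { $Changes['EmailAddress'] = $Email }
    if ($proxyAddresses.Count -gt 0) { $Changes['Add'] = @{ proxyAddresses = $proxyAddresses } }
    Set-ADUser @Changes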
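
An added example, not part of any post in this thread: the archive steps above remove group memberships and overwrite attributes, so this sketch records the account's prior state to a JSON file first and can re-add the recorded groups later. The function names and the `C:\ArchiveSnapshots` path are assumptions chosen for illustration; only standard ActiveDirectory module cmdlets are used.

```powershell
# Added example: snapshot an account before archiving it, and restore groups from the snapshot.
# Function names and the default snapshot directory are hypothetical.
Import-Module ActiveDirectory

function Save-ArchiveSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SnapshotDir = 'C:\ArchiveSnapshots'   # hypothetical location
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mail, profilePath

    # Record everything the archive script renames, clears or removes
    $snapshot = [ordered]@{
        TakenAt           = (Get-Date).ToString('o')
        DistinguishedName = $user.DistinguishedName   # also records the original OU
        SamAccountName    = $user.SamAccountName
        UserPrincipalName = $user.UserPrincipalName
        Mail              = $user.mail
        ProfilePath       = $user.profilePath
        ProxyAddresses    = @($user.proxyAddresses)
        Groups            = @(Get-ADPrincipalGroupMembership $SamAccountName |
                                Select-Object -ExpandProperty DistinguishedName)
    }

    $file = Join-Path $SnapshotDir "$SamAccountName-$(Get-Date -Format yyyyMMdd-HHmmss).json"
    if ($PSCmdlet.ShouldProcess($file, 'Write pre-archive snapshot')) {
        New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
        $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
    }
    $file
}

function Restore-ArchivedGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string] $SnapshotFile,
        [Parameter(Mandatory)] [string] $CurrentIdentity   # the account as it is named now
    )
    $snapshot = Get-Content -Path $SnapshotFile -Raw | ConvertFrom-Json
    $current  = @(Get-ADPrincipalGroupMembership $CurrentIdentity |
                    Select-Object -ExpandProperty DistinguishedName)
    # Re-add only the recorded groups the account is not already a member of
    foreach ($dn in $snapshot.Groups | Where-Object { $_ -notin $current }) {
        if ($PSCmdlet.ShouldProcess($dn, "Add $CurrentIdentity")) {
            Add-ADGroupMember -Identity $dn -Members $CurrentIdentity
        }
    }
}
```

Both functions honour `-WhatIf`, so the snapshot path and the groups that would be restored can be reviewed before anything is written.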
