When an associate terminates from our company, a script runs to hide them from the GAL and update the wWWHomePage attribute to "Updated_by_GroupID". I've created this script that will look for those two items, along with checking that they have an email address and that they have an Exchange home mail server.
My biggest concern is that if not coded properly, this script has the ability to cause some damage.
One particular area I'm concerned with is the Move-ADObject and how the Identity is not enclosed in quotations. By not enclosing it in quotes, my fear is that when the distinguished name is listed, if there's a space (which there most certainly will be), PowerShell will get to that space and treat the info it has found as a completely different user, causing a wrong account to be moved. If I enclose the variable in quotes, the ADObject move will not work.
I'd appreciate any feedback.
# Finds all users who have the AD attributes:
#   wWWHomePage (HomePage)     = Updated_by_GroupID
#   msExchHideFromAddressLists = True
#   msExchHomeServerName       not empty
#   emailaddress               ends with @myDomain.com
# In an AD filter "not empty" is written as -like "*".
$users = Get-ADUser -Properties Name, EmailAddress -Filter {(HomePage -eq "Updated_by_GroupID") -and (msExchHideFromAddressLists -eq $true) -and (EmailAddress -like "*@myDomain.com") -and (msExchHomeServerName -like "*")}

# Lists the matched names before anything is changed. Name already holds the CN, so no regex is needed to extract it.
$users.Name

# Loops through all users
foreach ($user in $users) {
    $user.Name

    # Removes user from all AD groups except Domain Users.
    # -MemberOf rejects an empty list, so skip users who are only in Domain Users.
    $ADgroups = Get-ADPrincipalGroupMembership -Identity $user | Where-Object { $_.Name -ne "Domain Users" }
    if ($ADgroups) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADgroups -Confirm:$false
    }

    # Disables their Exchange mailbox (the DN is passed so Exchange resolves exactly this object).
    Disable-Mailbox -Identity $user.DistinguishedName

    # Moves their AD user object to the disabled OU. -TargetPath must be the OU's distinguished name.
    # A variable is bound to -Identity as one argument, so spaces inside the DN do not split it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU For Disabled Users" -Confirm:$true
}
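An added example, not part of the original post, that checks the two things the question turns on: that a variable holding a distinguished name with spaces is bound to -Identity as a single value, and that the destructive steps can be rehearsed with -WhatIf before the script is allowed to change anything. The function Show-Binding, the variable $DisabledOu and the sample DNs are hypothetical values constructed for the demonstration.

```powershell
# 1) Parameter binding: a variable is one token, so spaces inside its value
#    never split it into extra arguments. Show-Binding is a stand-in for any
#    cmdlet with -Identity and -TargetPath parameters.
function Show-Binding {
    param([string]$Identity, [string]$TargetPath)
    "Identity   = <$Identity>"
    "TargetPath = <$TargetPath>"
    "Bound parameters = $($PSBoundParameters.Count)"   # stays 2 despite the spaces
}
$sampleDn = 'CN=Jane Doe,OU=Staff Users,DC=myDomain,DC=com'   # constructed sample DN
Show-Binding -Identity $sampleDn -TargetPath 'OU=Disabled Users,DC=myDomain,DC=com'

# 2) Dry run of the offboarding loop. Every cmdlet below supports -WhatIf, so
#    this prints what WOULD happen and modifies nothing in AD or Exchange.
$DisabledOu = 'OU=Disabled Users,DC=myDomain,DC=com'   # hypothetical target OU DN

# Fail before touching any account if the target OU does not resolve; otherwise a
# typo here would only surface after group memberships were already stripped.
$null = Get-ADOrganizationalUnit -Identity $DisabledOu -ErrorAction Stop

$users = Get-ADUser -Properties EmailAddress, msExchHomeServerName -Filter {(HomePage -eq "Updated_by_GroupID") -and (msExchHideFromAddressLists -eq $true) -and (EmailAddress -like "*@myDomain.com") -and (msExchHomeServerName -like "*")}

foreach ($user in $users) {
    $dn = $user.DistinguishedName
    Write-Host "Would process: $dn"

    $groups = Get-ADPrincipalGroupMembership -Identity $dn |
              Where-Object { $_.Name -ne 'Domain Users' }
    if ($groups) {
        # -WhatIf lists each group that would be removed without removing it.
        Remove-ADPrincipalGroupMembership -Identity $dn -MemberOf $groups -Confirm:$false -WhatIf
    }
    Disable-Mailbox -Identity $dn -WhatIf
    Move-ADObject   -Identity $dn -TargetPath $DisabledOu -WhatIf
}
```

Run part 2 against production first; once the "What if:" lines name only the expected accounts, remove the -WhatIf switches to perform the changes.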