Account Provisioning/Deprovisioning from single CSV

This topic contains 2 replies, has 3 voices, and was last updated by  Curtis Smith 1 month, 1 week ago.

  • Author
    Posts
  • #77404

    Nathan Stewart
    Participant

    I've got a bit of a weird one...
    We have a group of field employees who are not part of the corporate office, and are not issued AD accounts or company email addresses. Because of the volume of turnover at these field locations, our HR department does notify us of each individual user activation/deactivation. Until now it didn't matter because they did not have AD accounts. However...

    As our business has grown, we are now using Concur, UltiPro, and several other systems that these field employees need access to. The way that HR wants to handle user on-boarding/off-boarding (and was agreed by leadership) is that they dump a CSV from their system with the necessary employee info to provision accounts, and have us pull this data to provision/de-provision accounts based on the "isactive" column. Straightforward, right? Here's the twist... This CSV has multiple entries for employees that have changed roles/job titles within the company. One line shows that the user is inactive (old role), and the other shows active (current role). So I need help in figuring a way to remove accounts of inactives without removing the accounts of those who have only changed roles.

    My idea: Set up an array of active users, and an array of inactive users and do some sort of comparison that only deactivates if the "isactive" column is not set to true in the other array. Something like:

     
     $users = import-csv -path \\blah\thing.csv
     $inactiveusers = @()
     $activeusers = @()
    
     foreach ($user in $users) 
                {
                 if (($user.location -eq "Field") -and ($user.isactive -eq "true"))
                           {
                            $obj1 = [pscustomobject]@{"firstname"=$user.first; "lastname"=$user.last; "UPNPrefix"=$user.username; "location"=$user.location; "IsActive"=$user.isactive}
                            $inactiveusers += $obj1
                            }
                }
    
     foreach ($user in $users) 
                {
                 if (($user.location -eq "Field") -and ($user.isactive -eq "true"))
                           {
                            $obj1 = [pscustomobject]@{"firstname"=$user.first; "lastname"=$user.last; "UPNPrefix"=$user.username; "location"=$user.location; "IsActive"=$user.isactive}
                            $activeusers += $obj2
                            }
                }
    
    
    

    From there, I need to come up with the logic to disable users who exist in $inactiveusers, but not in $activeusers...
    So I guess 2 questions:

    1) is this a reasonable way to do this, or is there a better, more simplistic way?
    2) If this is reasonable, would anyone be able to help me with the comparative logic?

    Sorry for such a long post, and thanks for any help!

  • #77508

    Don Jones
    Keymaster

    Well, you could probably do it simpler and a bit faster. For one, you really only need to enumerate the list once. Just add the user to whichever array is appropriate. And I'd actually only add their name or something that's canonical; you could then Compare-Object the two arrays to see who exists in only one or the other.

  • #77542

    Curtis Smith
    Participant

    If I understand the goal correctly, if any of the status values is active, then the user is active. With that being the case, I would use Group-Object and then use -contains to check if an active status is found for the group. Something similar to the below.

    $csv = @'
    Name,Status
    User1,Active
    User2,Inactive
    User3,Inactive
    User2,Active
    User4,Active
    User4,Inactive
    User5,Inactive
    User5,Inactive
    '@ | ConvertFrom-Csv
    
    #
    # Above CSV contains the following sample scenarios
    # 1) Single user entry with status Active (User1)
    # 2) Double user entry with first status Inactive and second status Active (User2)
    # 3) Single user entry with status Inactive (User3)
    # 4) Double user entry with first status Active and second status Inactive (User4)
    # 5) Double user entry with first and second status Inactive (User5)
    #
    
    $csv | 
    Group-Object Name |
    ForEach-Object {
        If ($_.Group.status -contains "Active") {
            "$($_.Name) is Active"
        } Else {
            "$($_.Name) is Inactive"
        }
    }

    Results

    User1 is Active
    User2 is Active
    User3 is Inactive
    User4 is Active
    User5 is Inactive

You must be logged in to reply to this topic.