This topic contains 6 replies, has 5 voices, and was last updated by
September 20, 2018 at 6:23 pm #112213
To say I am a noob in the world of PowerShell is an understatement. Hoping the community folks could assist me. I need to create an automated process that does the following. Scenario is based on a user being terminated or leaving the organization.
1) User account gets disabled in AD as part of the employee termination process
2) User account is part of a specific security group, for example SAP-Users
3) We need an e-mail notification that a user's account was disabled that belongs to the group "SAP-Users"
Note: This process should only apply if the user account belongs to "SAP-Users".
Can I do this all in PowerShell, or do you recommend another tool?
September 20, 2018 at 6:26 pm #112216 (Keymaster)
It's going to be a heavy, heavy lift to do this in PowerShell if the employee's account is being disabled somewhere else. There's no way for PowerShell to 'detect' that this is happening; you'd have to basically maintain an entire copy of AD someplace else, and then scan it for changes, which is going to be a huge task. This isn't really about PowerShell's suitability as a tool; it's just how AD works. This is something that needs to happen _at the time the account is disabled_, by whatever tool is being used to do the disabling.
September 20, 2018 at 6:49 pm #112217
I see what you mean. So this whole thing came about because when some employees start here they get added to a group in AD that gives them access to our SAP platform. Well, when they are terminated or leave the company, the powers that be wanted to get a notification via e-mail that the user's AD was disabled so then they (SAP Admins) can remove access from SAP. I think I will punt this to our onboarding / termination HR folks and say "Hey, you need to notify SAP if this user had access." Bingo Bamo!
I just thought I would roll some PowerShell in there somewhere.
September 20, 2018 at 7:03 pm #112223 (Participant)
You could write a script that queries the group and filters for only disabled users. If any results show up, then email out.
But you are right, this should be part of the offboarding process.
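The polling approach just described, as an added example that is not from this thread: it lists the members of the SAP-Users group, keeps only disabled accounts, and e-mails the SAP admins once per account. The SMTP server, addresses and state-file path are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): nightly check for disabled members of
# an AD group, e-mailing only accounts not already reported. Assumes the RSAT
# ActiveDirectory module; the SMTP server, addresses and state path are
# placeholders to replace.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName  = 'SAP-Users',
    [string]$SmtpServer = 'smtp.example.com',          # placeholder
    [string]$From       = 'ad-alerts@example.com',     # placeholder
    [string[]]$To       = @('sap-admins@example.com'), # placeholder
    [string]$StatePath  = "$env:ProgramData\SapOffboarding\reported.txt"
)

# Resolve group members recursively so nested groups count, keep only user
# objects, then keep only those that are currently disabled.
$disabled = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Enabled, whenChanged, mail |
    Where-Object { -not $_.Enabled })

# GUIDs already reported, so each termination is mailed once rather than
# every night the account stays disabled.
$seen = if (Test-Path $StatePath) { @(Get-Content $StatePath) } else { @() }
$new  = @($disabled | Where-Object { $seen -notcontains $_.ObjectGUID.Guid })

if ($new.Count -gt 0) {
    $body = ($new | ForEach-Object {
        '{0} ({1}) disabled; last changed {2:u}' -f $_.SamAccountName, $_.Name, $_.whenChanged
    }) -join "`r`n"

    # -ErrorAction Stop: if the mail fails, the script aborts before the state
    # file is rewritten, so the accounts are reported on the next run instead.
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -ErrorAction Stop `
        -Subject "[$GroupName] $($new.Count) disabled account(s) need SAP access review" `
        -Body $body
}

# Persist the whole current disabled set, not just $new: accounts that were
# re-enabled drop out, so a later re-disable is reported again.
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
Set-Content -Path $StatePath -Value @($disabled | ForEach-Object { $_.ObjectGUID.Guid })
```

Run it from a scheduled task under a read-only AD account; as noted above, this only detects a disable on the next poll, not at the moment it happens.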
September 21, 2018 at 5:51 am #112261 (Participant)
when they are terminated or leave the company the powers that be wanted to get a notification via e-mail that the user's AD was disabled so then they (SAP Admins) can remove access from SAP.
- HR knows when they booted the staffer.
- Put a script on their desktop that they can run that sends this email to notify network admins to disable the account.
- Run your account disable script for that user which can send an email to the powers that be.
If you want to automate this more, the script on the HR desktop can not only send an email to admins to disable, but also send a small file to a server UNC path that you have a WMI event watcher on, to act on the file info when it is written to the disk.
September 21, 2018 at 12:37 pm #112283 (Participant)
All I do is build onboarding\lifecycle\offboarding workflows. Jon's response is the best option with what you have to work with. If membership in an SAP group is required to get access to SAP, then you could set up a script to get disabled users and get them to the SAP admins. However, if the membership assumes SAP access, then the best solution is for HR to provide the SAP team with a termination report so that they can automate a search for user access, which they hopefully have an employee ID for in their onboarding process. This option also keeps you\your team completely out of the process.
September 21, 2018 at 8:10 pm #112405
Thank you all for your feedback! I wonder if this is the first post that exposed holes and ineffectiveness in our company's process *facepalm