E-Mail Notification When A User Account In A Specific Security Group Is Disabled


  • #112213

    Participant
    Points: 0
    Rank: Member

    Hello All!
    To say I am a noob in the world of PowerShell is an understatement. Hoping the community folks could assist me. I need to create an automated process that does the following. Scenario is based on a user being terminated or leaving the organization.

    1) User account gets disabled in AD as part of the employee termination process
    2) User account is part of a specific security group, for example SAP-Users
    3) We need an e-mail notification that a user's account was disabled that belongs to the group "SAP-Users"

    Note: This process should only apply if the user account belongs to "SAP-Users"
    Can I do this all in PowerShell or do you recommend another tool?
     

  • #112216

    Keymaster
    Points: 1
    Rank: Member

    It's going to be a heavy, heavy lift to do this in PowerShell if the employee's account is being disabled somewhere else. There's no way for PowerShell to 'detect' that this is happening; you'd have to basically maintain an entire copy of AD someplace else, and then scan it for changes, which is going to be a huge task. This isn't really about PowerShell's suitability as a tool; it's just how AD works. This is something that needs to happen _at the time the account is disabled_, by whatever tool is being used to do the disabling.

  • #112217

    Participant
    Points: 0
    Rank: Member

    Thanks Don!

    I see what you mean. So this whole thing came about because when some employees start here they get added to a group in AD that gives them access to our SAP platform. Well, when they are terminated or leave the company the powers that be wanted to get a notification via e-mail that the user's AD was disabled so then they (SAP Admins) can remove access from SAP. I think I will punt this to our onboarding / termination HR folks and say "Hey, you need to notify SAP if this user had access" Bingo Bamo!

    I just thought I would roll some PowerShell in there somewhere.

  • #112223
    Jon

    Participant
    Points: 0
    Rank: Member

    You could write a script that queries the group and filters for only disabled users. If any results show up, then email out.

    But you are right, this should be part of the offboarding process.
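
The approach Jon describes, as an added example (not code posted by anyone in this thread): a scheduled script that lists disabled members of the group and mails only accounts it has not reported before, by keeping a small state file of SIDs. The state file path, SMTP server and addresses are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report newly disabled members of an AD group by e-mail.
# Assumed values (not from the thread): state file path, SMTP server, addresses.

$GroupName = 'SAP-Users'                              # group named in the question
$StateFile = 'C:\Scripts\sap-disabled-notified.txt'   # hypothetical path
$MailArgs  = @{
    SmtpServer = 'smtp.example.com'                   # placeholder
    From       = 'ad-reports@example.com'             # placeholder
    To         = 'sap-admins@example.com'             # placeholder
}

# SIDs already reported on earlier runs, so each account is mailed only once.
$notified = @()
if (Test-Path -LiteralPath $StateFile) {
    $notified = @(Get-Content -LiteralPath $StateFile)
}

# Resolve members (including nested groups) and keep disabled user objects.
# whenChanged is the last modification time, not necessarily the disable time.
$disabled = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties whenChanged |
    Where-Object { -not $_.Enabled })

# Only accounts whose SID is not yet in the state file are new.
$new = @($disabled | Where-Object { $notified -notcontains $_.SID.Value })

if ($new.Count -gt 0) {
    $body = $new |
        Select-Object SamAccountName, Name, whenChanged |
        Format-Table -AutoSize | Out-String

    # -ErrorAction Stop aborts the script if the mail cannot be handed off.
    Send-MailMessage @MailArgs `
        -Subject "Disabled accounts still in $GroupName ($($new.Count))" `
        -Body $body -ErrorAction Stop

    # Record SIDs only after a successful send; a failed send is retried next run.
    $new | ForEach-Object { $_.SID.Value } | Add-Content -LiteralPath $StateFile
}
```

This only sees accounts that are still members of the group when it runs, so an account removed from SAP-Users before or during the disable step is never reported.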

  • #112261

    Participant
    Points: 10
    Rank: Member

    As for...

    when they are terminated or leave the company the powers that be wanted to get a notification via e-mail that the user's AD was disabled so then they (SAP Admins) can remove access from SAP.

     

    Workflow:

    1. HR knows when they booted the staffer.
    2. Put a script on their desktop that they can run that sends this email to notify network admins to disable the account.
    3. Run your account disable script for that user which can send an email to the powers that be.

    If you want to automate this more, the script on the HR desktop can not only send an email to admins to disable, but send a small file to a server UNC that you have a WMI event watcher to act on the file info when it is written to the disk.

     

  • #112283

    Participant
    Points: 0
    Rank: Member

    All I do is build onboarding\lifecycle\offboarding workflows. Jon's response is the best option with what you have to work with. If a group membership in a SAP group is required to get access to SAP, then you could set up a script to get disabled users and get them to the SAP admins. However, if the membership assumes SAP access, then the best solution is for HR to provide the SAP team with a termination report so that they can automate a search for user access, which they hopefully have employee Id in their onboarding process; this option also keeps you\your team completely out of the process.

  • #112405

    Participant
    Points: 0
    Rank: Member

    Thank you all for your feedback! I wonder if this is the first post that exposed holes and ineffectiveness in our company's process *facepalm
