If AD user is disabled, remove their corresponding AD contact.

    • #258503
      Participant
      Topics: 1
      Replies: 3
      Points: 59
      Rank: Member

      Good Afternoon,

      I’m trying to add a section to my Active Directory off-boarding script that will remove an AD contact if they have the same name as a disabled user.

      Basically, we create AD contacts for all users with their personal email addresses assigned to them. We name the contacts as follows: firstname lastname– personal. So for example: Brandon Hernandez- personal. We have an issue where we are disabling users once they have been terminated, but forgetting to delete their AD contact. So my goal is to add to my off-boarding script a way for it to check if a user is disabled and if they have a corresponding contact, and if yes to delete the contact.

      Below is what I have so far:

      When I run the above code, it just tries to remove all contacts found in the contacts OU.

      The result for my $DisabledUsers variable:

      Test User2
      Brandon Smith
      Test Account

      The result for my $Contacts variable:

      ALAINA TERVALON
      Brandon Smith
      Test Account

      The result when I run the above script:

      What if: Performing the operation "Remove" on target "CN=ALAINA TERVALON – personal,OU=Test Contacts,DC=Test,DC=local".
      What if: Performing the operation "Remove" on target "CN=Brandon Smith- personal,OU=Test Contacts,DC=Test,DC=local".
      What if: Performing the operation "Remove" on target "CN=Test Account- personal,OU=Test Contacts,DC=Test,DC=local".

      So in order to get it to do what I want, it should only be removing the "Brandon Smith" and "Test Account" contacts, as those have disabled users with similar names.

      I’m sure I’m overcomplicating things and I’m missing something simple, but I’m still relatively new to PowerShell and I’m banging my head against the wall on this one.

      Thanks for any help I can get on this!

      -Brandon

    • #258515
      Participant
      Topics: 16
      Replies: 1794
      Points: 3,300
      Helping Hand
      Rank: Community Hero

      There are a couple of options. Personally, I prefer to collect information first to validate. Not tested, but if you get the lookup working, then you would be able to see the user and the associated Contact.

      This would be null for bad lookups and have the DN for the linked contact. Then you would be able to do something like:

      You could also do the collection for ALL users. Then you have enabled and disabled users with associated contacts. With that, you can then get ALL contacts and compare DNs linked with not linked to clean up all contacts (e.g. deltas) or adjust your logic to ensure your lookups are working. It would be prudent to use a contact attribute when you create it with a unique identifier like employeeId, SID, GUID or something to make a better link than a name lookup.

    • #258659
      Participant
      Topics: 1
      Replies: 3
      Points: 59
      Rank: Member

      Hey Rob!

      Thank you so much for the response! I tried your code with my script and unfortunately it’s not working either. Here is what I’m finding:

      $DisabledUsers result:

      Name          Mail Enabled Contact
      ----          ---- ------- -------
      Test User2         False
      Brandon Smith      False
      Test Account       False

      As you can see, it’s not populating the Contacts. So I ran the line of code by itself to get the contacts and below is the error being received:

      Get-ADObject : Error parsing query: '(objectClass -eq 'Contact') -and (Name -eq "$_.DisplayName-personal")' Error Message: 'syntax error' at position: '44'.
      At line:1 char:1
      + Get-ADObject -Filter {(objectClass -eq 'Contact') -and (Name -eq "$_. ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : ParserError: (:) [Get-ADObject], ADFilterParsingException
      + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADObject

      I’m attempting to do some research on the error above but I’m not finding why we are getting this error. Any ideas?
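      The following is an added example (not the original poster's script and not Rob's code) that covers both the goal from the first post and the parsing error above. The `syntax error` comes from the fact that an AD `-Filter` script block is handed to the Active Directory filter parser, not evaluated by PowerShell, so `$_.DisplayName` is never expanded inside it; plain variables from the calling scope are resolved, so the name is built into a variable first. The example assumes the RSAT ActiveDirectory module, the contacts OU DN shown in the What-If output, and the "DisplayName- personal" naming convention; the `-like` pattern is an assumption chosen to tolerate the spacing and dash variations visible in the thread ("- personal" versus "– personal").

```powershell
# Added example: find contacts that belong to disabled users, review the mapping,
# then remove only the matched contacts. Not the original poster's or Rob's code.
Import-Module ActiveDirectory

# OU taken from the What-If output in the thread; adjust for your domain.
$ContactsOU = 'OU=Test Contacts,DC=Test,DC=local'

# 1. Collect disabled user accounts (Search-ADAccount is purpose-built for this)
#    and fetch DisplayName, which Get-ADUser does not return by default.
$DisabledUsers = Search-ADAccount -AccountDisabled -UsersOnly |
    Get-ADUser -Properties DisplayName

# 2. For each disabled user, look up the matching contact. The expected name is
#    built OUTSIDE the filter because the AD filter parser expands $Pattern but
#    not an expression such as "$_.DisplayName-personal".
$Report = foreach ($User in $DisabledUsers) {
    if ([string]::IsNullOrWhiteSpace($User.DisplayName)) { continue }  # nothing to match on

    # Assumed pattern: "<DisplayName>*personal" tolerates "- personal" and "– personal".
    $Pattern = "$($User.DisplayName)*personal"

    $Contacts = @(Get-ADObject -SearchBase $ContactsOU `
        -Filter { objectClass -eq 'contact' -and Name -like $Pattern })

    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        DisplayName    = $User.DisplayName
        Enabled        = $User.Enabled
        ContactCount   = $Contacts.Count              # >1 means the name is ambiguous
        ContactDN      = if ($Contacts.Count -eq 1) { $Contacts[0].DistinguishedName } else { $null }
    }
}

# 3. Review before touching anything: rows with ContactDN = $null either have no
#    contact or matched more than one (see ContactCount) and need a manual look.
$Report | Format-Table -AutoSize

# 4. Remove only contacts that were unambiguously matched to a disabled user.
#    Keep -WhatIf until the report looks right; replace it with -Confirm for the real run.
$Report | Where-Object { $_.ContactDN } | ForEach-Object {
    Remove-ADObject -Identity $_.ContactDN -WhatIf
}
```

      Two caveats for production use: a display name containing `*`, `?`, `(` or `)` would need escaping before being placed in the `-like` pattern, and, as Rob notes above, a name lookup is a weak link. Stamping the contact with the user's employeeId or objectGUID in a spare attribute at creation time lets the off-boarding script match on an identifier instead of a string that people type by hand.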

    • #258752
      Participant
      Topics: 16
      Replies: 1794
      Points: 3,300
      Helping Hand
      Rank: Community Hero

      The Active Directory filters can be a bit finicky. I tested this code on some contacts that were named the same as the user and did a like filter that should work in your case:
