To say I am a noob in the world of PowerShell is an understatement. Hoping the community folks could assist me. I need to create an automated process that does the following. The scenario is based on a user being terminated or leaving the organization.
1) User account gets disabled in AD as part of the employee termination process
2) User account is part of a specific security group, for example SAP-Users
3) We need an e-mail notification that a user's account was disabled that belongs to the group "SAP-Users"
Note: This process should only apply if the user account belongs to "SAP-Users".
Can I do this all in powershell or do you recommend another tool
It’s going to be a heavy, heavy lift to do this in PowerShell if the employee’s account is being disabled somewhere else. There’s no way for PowerShell to ‘detect’ that this is happening; you’d have to basically maintain an entire copy of AD someplace else, and then scan it for changes, which is going to be a huge task. This isn’t really about PowerShell’s suitability as a tool; it’s just how AD works. This is something that needs to happen at the time the account is disabled, by whatever tool is being used to do the disabling.
I see what you mean. So this whole thing came about because when some employees start here they get added to a group in AD that gives them access to our SAP platform. Well, when they are terminated or leave the company, the powers that be wanted to get a notification via e-mail that the user's AD account was disabled so that they (SAP Admins) can remove access from SAP. I think I will punt this to our onboarding / termination HR folks and say "Hey, you need to notify SAP if this user had access." Bingo Bamo!
I just thought I would roll some PowerShell in there somewhere.
You could write a script that queries the group and filters for only disabled users. If any results show up, then email out.
But you are right, this should be part of the offboarding process.
when they are terminated or leave the company the powers that be wanted to get a notification via e-mail that the user's AD was disabled so then they (SAP Admins) can remove access from SAP.
- HR knows when they booted the staffer.
- Put a script on their desktop that they can run that sends this email to notify network admins to disable the account.
- Run your account disable script for that user which can send an email to the powers that be.
All I do is build onboarding/lifecycle/offboarding workflows. Jon's response is the best option with what you have to work with. If membership in a SAP group is required to get access to SAP, then you could set up a script to get disabled users and send them to the SAP admins. However, if the membership only assumes SAP access, then the best solution is for HR to provide the SAP team with a termination report so that they can automate a search for user access (hopefully they have an employee ID in their onboarding process); this option also keeps you/your team completely out of the process.
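For reference, here is what the script Jon and the reply above describe can look like: it queries the group for disabled members and e-mails the SAP admins only about accounts it has not already reported, so a daily scheduled task does not nag about the same user every day. This is an added example, not code posted in the thread. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD and an SMTP relay that accepts mail from that host; the group name, addresses, relay and state-file path are placeholders.

```powershell
# Added example (not from the original thread): report disabled AD accounts that are
# still members of a group, e-mailing only the ones not reported on an earlier run.
# Assumptions: RSAT ActiveDirectory module, domain-joined host with AD read rights,
# an SMTP relay. Group, addresses, relay and state path below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName  = 'SAP-Users',
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From       = 'ad-alerts@example.com',
    [string[]]$To       = @('sap-admins@example.com'),
    [string]$StateFile  = "$env:ProgramData\SapOffboarding\reported.txt"
)

Import-Module ActiveDirectory

# Resolve the group's DN and ask the domain controller for disabled users that list it
# in memberOf. The bitwise matching rule 1.2.840.113556.1.4.803 tests the
# ADS_UF_ACCOUNTDISABLE flag (0x2) in userAccountControl, so the DC does the filtering
# and we avoid pulling every member with Get-ADGroupMember (which also stops at 5000).
$groupDn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
$ldap     = "(&(memberOf=$groupDn)(userAccountControl:1.2.840.113556.1.4.803:=2))"
$disabled = Get-ADUser -LDAPFilter $ldap -Properties EmployeeID, whenChanged

# The state file is a plain list of SamAccountNames already e-mailed about.
$already = @()
if (Test-Path -Path $StateFile) { $already = @(Get-Content -Path $StateFile) }
$new = @($disabled | Where-Object { $already -notcontains $_.SamAccountName })

if ($new.Count -gt 0) {
    $table = $new |
        Select-Object SamAccountName, Name, EmployeeID, whenChanged |
        Format-Table -AutoSize | Out-String

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Disabled AD accounts still in $GroupName ($($new.Count))" `
        -Body "The following accounts are disabled in AD; please remove their SAP access:`n$table"

    # Only record the accounts after the mail was actually sent, so a relay outage
    # does not silently swallow a notification.
    New-Item -ItemType Directory -Path (Split-Path -Path $StateFile) -Force | Out-Null
    $new.SamAccountName | Add-Content -Path $StateFile
}
```

Run it from a scheduled task under a service account with read access to the group and users. Two caveats a practitioner would check before relying on it: `memberOf` only matches direct membership, so if SAP access is granted through nested groups you need to enumerate those groups too (or use an `LDAP_MATCHING_RULE_IN_CHAIN` filter on `memberOf`); and the check is a polling sweep, so the notification arrives on the next run rather than at the moment the account is disabled, which is exactly the point made earlier in the thread about doing this as part of the disable step or the HR process where possible.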
Thank you all for your feedback! I wonder if this is the first post that exposed holes and ineffectiveness in our company's process *facepalm*