Hi Chi! We are here to learn and to share. Hereby, I would like to add a bit more information to your question.
First of all, like Tommy suggested, use an approved verb. To see the approved verbs, use Get-Verb.
To get you started, I’ve chosen Revoke-ADUser.
Secondly, if you are writing a function, you are actually writing a tool. And a tool should be reusable. For that reason, never put hard-coded values in your functions. In your code you’ve put, for example, the Organization Name hard-coded in the function. You should always parameterize your functions.
Check this example of how I would start the function:
function Revoke-ADUser {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)][string[]]$Identity,
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,
        [Parameter(Mandatory = $true)][string]$ActiveDirectoryGroup
    )
Do you notice the CmdletBinding in the code? This gives you all the goodies like verbose, debug and erroractions. This will also allow you to use Write-Verbose in your function. Never use Write-Host; this only returns a string, and not any usable objects.
Also, the Parameter $Identity can be given more than one Identity name, because of the double square brackets: [string[]].
This means that you can use the function on more than one Identity at the same time. For the function to be able to process all of the Identities, the code continues like this:
process {
Then, as Tommy also suggested, use a Try/Catch block, to catch any error messages that Get-ADUser will spit out to you, and this will be the rest of the code:
    # $Identity is an array, so every user is handled separately.
    foreach ($User in $Identity) {
        Try {
            # Harvesting information about the AD Object; -ErrorAction Stop makes a failed lookup land in Catch.
            $ADUser = Get-ADUser -Identity $User -ErrorAction Stop
            if ($ADUser.Enabled -eq $true) {
                Write-Verbose -Message "Useraccount $User will be disabled."
                # Disabling AD Object (the cmdlet is Disable-ADAccount; -Confirm is a switch, so use -Confirm:$false).
                Disable-ADAccount -Identity $ADUser.ObjectGUID -Confirm:$false
                Write-Verbose -Message "Disabled account $User."
                # Moving AD Object to OU. Move-ADObject needs a DN or GUID, not a logon name; the GUID also survives the move.
                Move-ADObject -Identity $ADUser.ObjectGUID -TargetPath $OrganizationalUnit
                Write-Verbose -Message "Moved AD Object $User to $OrganizationalUnit."
                # Removing AD Object from AD Group.
                Remove-ADPrincipalGroupMembership -Identity $ADUser.ObjectGUID -MemberOf $ActiveDirectoryGroup -Confirm:$false
                Write-Verbose -Message "Removed AD Object $User from group $ActiveDirectoryGroup."
            }
            else {
                Write-Warning -Message "The Active Directory User $User was already disabled."
            }
        }
        Catch {
            Write-Error -Message $_.Exception.Message -ErrorAction Stop
            return
        }
    }
}
end {
}
}
You can see I use Write-Verbose. If you use the function, you can use -Verbose as a parameter to see the verbose messages which are being put in the code.
In the end you can use the function like this:
# For one AD User:
Revoke-ADUser -Identity 'testuser' -OrganizationalUnit 'OU=FebDeletes,OU=Users,DC=TestAD,DC=local' -ActiveDirectoryGroup 'testgroup' -Verbose
# For two AD Users:
Revoke-ADUser -Identity 'testuser','testuser2' -OrganizationalUnit 'OU=FebDeletes,OU=Users,DC=TestAD,DC=local' -ActiveDirectoryGroup 'testgroup' -Verbose
To be complete, the final function looks like this:
#Requires -Modules ActiveDirectory
function Revoke-ADUser {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)][string[]]$Identity,
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,
        [Parameter(Mandatory = $true)][string]$ActiveDirectoryGroup
    )
    process {
        # $Identity is an array, so every user is handled separately.
        foreach ($User in $Identity) {
            Try {
                # Harvesting information about the AD Object; -ErrorAction Stop makes a failed lookup land in Catch.
                $ADUser = Get-ADUser -Identity $User -ErrorAction Stop
                if ($ADUser.Enabled -eq $true) {
                    Write-Verbose -Message "Useraccount $User will be disabled."
                    # Disabling AD Object (the cmdlet is Disable-ADAccount; -Confirm is a switch, so use -Confirm:$false).
                    Disable-ADAccount -Identity $ADUser.ObjectGUID -Confirm:$false
                    Write-Verbose -Message "Disabled account $User."
                    # Moving AD Object to OU. Move-ADObject needs a DN or GUID, not a logon name; the GUID also survives the move.
                    Move-ADObject -Identity $ADUser.ObjectGUID -TargetPath $OrganizationalUnit
                    Write-Verbose -Message "Moved AD Object $User to $OrganizationalUnit."
                    # Removing AD Object from AD Group.
                    Remove-ADPrincipalGroupMembership -Identity $ADUser.ObjectGUID -MemberOf $ActiveDirectoryGroup -Confirm:$false
                    Write-Verbose -Message "Removed AD Object $User from group $ActiveDirectoryGroup."
                }
                else {
                    Write-Warning -Message "The Active Directory User $User was already disabled."
                }
            }
            Catch {
                Write-Error -Message $_.Exception.Message -ErrorAction Stop
                return
            }
        }
    }
    end {
    }
}
This code is still quick-n-dirty, but it will get you started I guess.
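As an added example (not the answerer's code), here is the same offboarding tool taken one step further in the direction the answer recommends: it supports -WhatIf/-Confirm through SupportsShouldProcess, accepts identities from the pipeline, keeps going after a failure on one user, and returns an object per user instead of a string, so the result can be filtered or exported as an audit record. The parameter and group names are the same assumed test values as above.

```powershell
#Requires -Modules ActiveDirectory
function Revoke-ADUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string[]]$Identity,
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,
        [Parameter(Mandatory = $true)][string]$ActiveDirectoryGroup
    )
    process {
        foreach ($Id in $Identity) {
            try {
                # -ErrorAction Stop turns a non-terminating lookup failure into one the catch block sees.
                $User = Get-ADUser -Identity $Id -ErrorAction Stop
                if (-not $User.Enabled) {
                    Write-Warning -Message "The Active Directory user $Id was already disabled."
                    continue
                }
                # -WhatIf and -Confirm are honoured here; with -WhatIf nothing inside this block runs.
                $Action = "Disable, remove from $ActiveDirectoryGroup, move to $OrganizationalUnit"
                if ($PSCmdlet.ShouldProcess($User.DistinguishedName, $Action)) {
                    Disable-ADAccount -Identity $User -Confirm:$false
                    Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $ActiveDirectoryGroup -Confirm:$false
                    # Move last, so the earlier calls work with the DN the object was fetched with.
                    Move-ADObject -Identity $User -TargetPath $OrganizationalUnit
                    # Return an object, not a string: the caller can filter, export or log it.
                    [pscustomobject]@{
                        Identity    = $Id
                        Disabled    = $true
                        RemovedFrom = $ActiveDirectoryGroup
                        MovedTo     = $OrganizationalUnit
                        Timestamp   = (Get-Date).ToString('o')
                    }
                }
            }
            catch {
                # Report this user's failure and carry on with the next one instead of aborting the batch.
                Write-Error -Message "Failed to revoke '$Id': $($_.Exception.Message)"
            }
        }
    }
}

# Preview first (assumed test values), then run for real and keep the result as an audit trail.
# Revoke-ADUser -Identity 'testuser','testuser2' -OrganizationalUnit 'OU=FebDeletes,OU=Users,DC=TestAD,DC=local' -ActiveDirectoryGroup 'testgroup' -WhatIf
# 'testuser','testuser2' | Revoke-ADUser -OrganizationalUnit 'OU=FebDeletes,OU=Users,DC=TestAD,DC=local' -ActiveDirectoryGroup 'testgroup' | Export-Csv .\revoked-users.csv -NoTypeInformation
```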