Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

PSAutomator – PowerShell Module

This PowerShell module is a new approach to the onboarding, offboarding and business-as-usual processes that run in a company's infrastructure. Each company usually has its own rules and its own view of what those processes should look like. At this point the module can do the following things:

Active Directory Actions
Add/Remove account to/from a specific group
Disable/Enable Account
Hide/Show account in GAL
Remove All Groups
Remove All Distribution or Security Groups
Remove All Local, Global or Universal Groups
Make snapshot/backup of account configuration
Add/Remove Text from Account Fields
Rename Account

PSAutomator takes an easy approach, similar to what you find in services like IFTTT or Microsoft Flow. Those services work with a known schema of Services, Triggers, Ingredients and Applets. I've taken a similar approach, described below. Basically, when you want to build an automation you can use up to 5 different blocks.

Service – a wrapper for the other blocks. It can also load configuration from a file for extended capabilities.
Trigger – the first block in a Service. Before an Action can be executed it needs a Trigger. A Trigger can be membership in a Group, an Organizational Unit, etc.
Ignore – a Trigger can also have things that need to be ignored, for example a missing email address field.
Condition – a Trigger can also be conditioned, for example Last User Modification Date should be more than 30 days ago.
Action – the Tasks that are about to be executed. This can be adding a user to a group, disabling a user, etc. An Action is also the final step that closes a Service.

Keep in mind that when you define a Service you have to stick to a pattern. There can only be:

One Trigger
Multiple Ignores
Multiple Conditions
Multiple Actions

As a safety feature all Actions implement the -WhatIf switch, which allows you to build a Service and then see what would happen if it executed and which accounts would be affected.

Noteworthy features
Heavily configurable
Visual confirmation
File logging
No license needed. Free to use.
Open source
Useful links
Code is published on GitHub
Issues should be reported on GitHub
Code is published as a module on PowerShellGallery
What can this module do?

As you could see on the introduction screen, the concept is simple. The screen below shows an offboarding procedure: define a Service, define a Trigger, use a Condition (for now it's not working), ignore accounts whose EmailAddress is empty or null, and finally run 5 actions.

Make user snapshot (backup)
Disable AD Account
Hide User in GAL
Remove all security groups
Rename account by adding offboarded text.
Import-Module PSAutomator -Force #-Verbose
Import-Module PSSharedGoods -Force

Service -Name 'Active Directory Offboarding' -ConfigurationPath 'C:\Support\GitHub\PSAutomator\Examples\MyConfiguration.xml' {
    Trigger -Name 'OU Offboarded Users' -User OrganizationalUnit -Value 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' |
        Condition -Name 'No conditions' |
        Ignore -Name 'Ignore Windows Email Address if Empty or null' -Ignore MatchingEmptyOrNull -Value EmailAddress |
        Action -Name 'Make User Snapshot' -ActiveDirectory AccountSnapshot -Value 'C:\Users\pklys\Desktop\MyExport' -WhatIf |
        Action -Name 'Disable AD Account' -ActiveDirectory AccountDisable -WhatIf |
        Action -Name 'Hide account in GAL' -ActiveDirectory AccountHideInGAL -WhatIf |
        Action -Name 'Remove all security groups' -ActiveDirectory AccountRemoveGroupsSecurity -WhatIf |
        Action -Name 'Rename Account' -ActiveDirectory AccountRename -Value @{ Action = 'AddText'; Where = 'After'; Fields = 'DisplayName', 'Name'; Text = ' (offboarded)'; } -WhatIf

Similarly, the code below reverses these actions:

Import-Module PSAutomator -Force #-Verbose
Import-Module PSSharedGoods -Force

Service -Name 'Active Directory Enable Users in OU' {
    Trigger -Name 'Find Offboarded Users' -User OrganizationalUnit -Value 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' |
        Ignore |
        Action -Name 'Enable Offboarded Users' -ActiveDirectory AccountEnable -WhatIf |
        Action -Name 'Add to group GDS-TestGroup5' -ActiveDirectory AccountAddGroupsSpecific -Value 'GDS-TestGroup5' -WhatIf |
        Action -Name 'Add to group GDS-TestGroup4' -ActiveDirectory AccountAddGroupsSpecific -Value 'GDS-TestGroup4' -WhatIf |
        Action -Name 'Remove Offboarded Tag' -ActiveDirectory AccountRename -Value @{ Action = 'RemoveText'; Fields = 'DisplayName', 'Name' ; Text = ' (offboarded)'; } -WhatIf

As you can see, in the off-boarding process only 2 users were disabled and had actions taken on them. When reversing the process the script found 6 users but still acted only on those that had been affected by the off-boarding. If you run the script twice or more it will execute, but it won't do anything.

Keep in mind that in a perfect world, for optimum speed, one would define a process that does not end up with the same accounts being found by the script over and over. Also keep in mind that this script is a very early alpha and heavily work in progress. It's not yet production ready; it's meant to give you an idea of what it will be able to do. However… it does work. Feel free to voice your needs and opinions on GitHub.
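The two safety properties described above, the -WhatIf dry run and the "run it twice and nothing happens" behaviour, come from two PowerShell patterns: SupportsShouldProcess and a state check before acting. The function below is an added example of those patterns (not PSAutomator's own code); the function name and parameters are hypothetical and it assumes the ActiveDirectory module is available.

```powershell
# Added example, not part of the PSAutomator module: one offboarding-style Action
# that skips accounts without an e-mail address (the Ignore block), is idempotent
# (second run finds nothing to do) and honours -WhatIf through ShouldProcess.
# Assumes Import-Module ActiveDirectory has been run; function name is hypothetical.
function Invoke-OffboardAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Users as returned by Get-ADUser -Properties EmailAddress,DisplayName
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser[]] $User,

        # Text appended to DisplayName, mirroring the AddText rename in the page
        [string] $Tag = ' (offboarded)'
    )
    process {
        foreach ($u in $User) {
            # Ignore block equivalent: MatchingEmptyOrNull on EmailAddress
            if ([string]::IsNullOrWhiteSpace($u.EmailAddress)) {
                Write-Verbose "Skipping $($u.SamAccountName): EmailAddress empty or null"
                continue
            }
            # Idempotence: only act while the account is still enabled, so running the
            # script again does nothing (the behaviour the page describes)
            if (-not $u.Enabled) {
                Write-Verbose "Skipping $($u.SamAccountName): already disabled"
                continue
            }
            # ShouldProcess is what makes -WhatIf work: with -WhatIf PowerShell prints
            # "What if: Performing the operation ..." and returns $false, so nothing changes
            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Disable account and tag DisplayName')) {
                Disable-ADAccount -Identity $u
                if ($u.DisplayName -notlike "*$Tag") {
                    Set-ADUser -Identity $u -DisplayName ($u.DisplayName + $Tag)
                }
            }
        }
    }
}

# Dry run first; drop -WhatIf only after the affected set looks right.
# The OU below is the one used in the page's examples.
Get-ADUser -SearchBase 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' -Filter * `
    -Properties EmailAddress, DisplayName |
    Invoke-OffboardAccount -WhatIf -Verbose
```

Running with -Verbose shows which accounts were skipped and why, which is the same information the module's visual confirmation and file logging are meant to give you.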

Required prerequisites

Before you can use this script, you need to do a few manual steps. Since this script is published as a module, it's quite easy to set this up. Just execute the command below (accept warnings) and you can test it out. Keep in mind that this version is very much a concept phase so things may change without notice. I encourage you to voice your feedback on GitHub.

Install-Module PSAutomator
Install-Module PSSharedGoods # Shared data between all my modules

#Update-Module PSAutomator
#Update-Module PSSharedGoods

You can of course install everything manually from GitHub (as everything is published there) but it will be far easier to just use Install-Module.

Quick fixes / helpful tips